# A GCP persistent disk is encrypted with a key specified in plain text
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| CRITICAL | HIGH | Google Cloud Provider | DATA, SECRET |
## Description

The value of a sensitive variable (the disk encryption key) is defined in plaintext in the configuration. It is therefore stored in plain text both in the raw state and in the code repository.
## Impact

| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | True | False | True |
The data stored on the persistent disk could be accessed and decrypted by a malicious actor with access to the repository or the raw state.
## Remediation guidelines

The encryption key should be stored in, and accessed through, a secret manager rather than written into the configuration. The exposed encryption key should be treated as compromised and rotated, and the content of the persistent disk should be re-encrypted with the newly generated key.
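As an added illustration (not part of this rule page or the scanner's own code), the following Terraform fragment assumes the `google_compute_disk` resource and shows the flagged pattern next to a remediated one. The flagged block passes a customer-supplied key as a literal `raw_key`, which is exactly the value that ends up in the repository and in the raw state. The remediated block instead references a Cloud KMS key through `kms_key_self_link`, so no key material appears in the configuration or the state at all. Resource names, the project, the zone and the key value are constructed placeholders.

```hcl
# --- Flagged: customer-supplied encryption key written as a plaintext literal ---
# The base64 string below is a constructed placeholder, not a real key.
resource "google_compute_disk" "data_insecure" {
  name = "data-disk-insecure"
  zone = "us-central1-a"
  size = 100

  disk_encryption_key {
    # This literal is committed to the repository and persisted in the raw state.
    raw_key = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
  }
}

# --- Remediated: customer-managed key held in Cloud KMS, referenced by link ---
data "google_project" "current" {}

resource "google_kms_key_ring" "disks" {
  name     = "disk-keys"          # constructed name
  location = "us-central1"
}

resource "google_kms_crypto_key" "data_disk" {
  name            = "data-disk-key" # constructed name
  key_ring        = google_kms_key_ring.disks.id
  rotation_period = "7776000s"      # 90 days; new versions are generated by KMS, not in code
}

# The Compute Engine service agent must be allowed to use the key on the disk's behalf.
resource "google_kms_crypto_key_iam_member" "compute_uses_key" {
  crypto_key_id = google_kms_crypto_key.data_disk.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com"
}

resource "google_compute_disk" "data" {
  name = "data-disk"
  zone = "us-central1-a"
  size = 100

  disk_encryption_key {
    # Only a reference to the key is stored; the key material never leaves KMS.
    kms_key_self_link = google_kms_crypto_key.data_disk.id
  }
}
```

One caveat worth knowing when following the "use a secret manager" guidance literally: if the raw key is read from Secret Manager with a data source and then passed to `raw_key`, the value still lands in the Terraform state, because state records the resolved attribute values. Referencing a KMS key avoids that entirely, which is why it is the form shown above. A disk already created with the leaked `raw_key` cannot be switched to the KMS key in place; its data has to be moved to a disk created with the new key before the old one is deleted.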