Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)

By default, GCP encrypts all data with GCP-owned keys. It is recommended to manage the encryption keys of VM disks yourself in order to have more control over, and better monitoring of, your environment.

Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.CRY.01
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should have disks contain-all [ diskEncryptionType like 'CustomerSuppliedKey']
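The GSL rule above is evaluated against each instance's attached disks. As an added example (not CloudGuard's own engine), the script below applies the same logic to the JSON that `gcloud compute instances list --format=json` returns, so the check can be reproduced from the command line. The classification follows the Compute API's instance resource: an attached disk's `diskEncryptionKey` carries `sha256` for a customer-supplied key (the key itself is never echoed back), `kmsKeyName` for a Cloud KMS (CMEK) key, and is absent for Google-managed encryption. The instance names and hashes in the sample are constructed.

```python
"""Evaluate the CSEK rule over Compute Engine instance JSON.

Added example, not CloudGuard's rule engine. It mirrors
'VMInstance should have disks contain-all
 [diskEncryptionType like "CustomerSuppliedKey"]'
over the JSON that `gcloud compute instances list --format=json` returns.
"""
import json

CSEK = "CustomerSuppliedKey"
CMEK = "CustomerManagedKey"
GOOGLE_MANAGED = "GoogleManaged"


def disk_encryption_type(disk: dict) -> str:
    """Classify one entry of an instance's `disks` array."""
    key = disk.get("diskEncryptionKey") or {}
    if key.get("kmsKeyName"):      # Cloud KMS key reference -> CMEK
        return CMEK
    if key.get("sha256"):          # only the hash of a CSEK is returned
        return CSEK
    return GOOGLE_MANAGED          # no key block -> Google-managed


def instance_is_compliant(instance: dict) -> bool:
    """True only when every attached disk is CSEK-encrypted.

    An instance with no disks cannot demonstrate compliance, so it is
    reported as non-compliant (a conservative choice made here).
    """
    disks = instance.get("disks", [])
    return bool(disks) and all(disk_encryption_type(d) == CSEK for d in disks)


def audit(instances: list) -> list:
    """Return one finding per non-compliant instance, naming the offending disks."""
    findings = []
    for inst in instances:
        if instance_is_compliant(inst):
            continue
        bad = [
            (d.get("deviceName", "?"), disk_encryption_type(d))
            for d in inst.get("disks", [])
            if disk_encryption_type(d) != CSEK
        ]
        findings.append({"instance": inst.get("name", "?"), "disks": bad})
    return findings


# Constructed sample resembling `gcloud compute instances list --format=json`,
# trimmed to the fields the rule needs; names and hashes are made up.
SAMPLE_JSON = """[
  {"name": "web-1", "disks": [
     {"deviceName": "web-1", "boot": true,
      "diskEncryptionKey": {"sha256": "E1CFmQ1zZnY4aa2bKmWGeGfq5L0t4r9kQpq3Z8R1aDc="}}]},
  {"name": "db-1", "disks": [
     {"deviceName": "db-1", "boot": true,
      "diskEncryptionKey": {"sha256": "K9x1QmQ2Z1xg7cVb0qfSxU1UeH0Gt0QYFQb8y5uT7c4="}},
     {"deviceName": "db-1-data", "boot": false,
      "diskEncryptionKey": {"kmsKeyName": "projects/p/locations/us/keyRings/r/cryptoKeys/k"}}]},
  {"name": "batch-1", "disks": [
     {"deviceName": "batch-1", "boot": true}]}
]"""


def audit_json(text: str) -> list:
    """Parse gcloud-style JSON output and audit it."""
    return audit(json.loads(text))


if __name__ == "__main__":
    # Pipe real output in with: gcloud compute instances list --format=json
    for f in audit_json(SAMPLE_JSON):
        print(f"{f['instance']}: non-CSEK disks {f['disks']}")
```

Note that a CMEK-protected disk (Cloud KMS key) is reported as non-compliant here, exactly as the rule's `like 'CustomerSuppliedKey'` predicate requires; if your organization standardizes on CMEK instead, that is a different rule.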

REMEDIATION

From Portal

  1. Go to Disks page under Compute Engine: https://console.cloud.google.com/compute/disks
  2. Click CREATE DISK.
  3. Under Encryption, choose Customer-supplied encryption keys.
  4. Provide key.
  5. Click Create.

From TF
Set the field 'disk_encryption_key_raw' to the ENCRYPTION_KEY (the base64-encoded 256-bit raw key):

resource "google_compute_instance" "default" {
	...
	boot_disk {
		# ENCRYPTION_KEY is a placeholder for the base64-encoded raw key.
		# The value is written to Terraform state, so protect the state backend.
		disk_encryption_key_raw = ENCRYPTION_KEY
	}
}

From Command Line
Run

gcloud compute disks create DISK_NAME --csek-key-file FILE_NAME.json
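The `--csek-key-file` argument expects a JSON list with one object per disk, each giving the disk's fully-qualified `uri`, the base64-encoded 256-bit `key`, and `"key-type": "raw"`. As an added example (not from the page's author or from Google), the script below generates such a key, validates its length, and writes the key file the command consumes. The project, zone and disk names are placeholders.

```python
"""Create a raw CSEK and the key file that `gcloud ... --csek-key-file` reads.

Added example, not Google's or the page author's code. Placeholders:
my-project, us-central1-a, critical-disk.
"""
import base64
import hashlib
import json
import os


def generate_raw_csek() -> str:
    """Return a fresh 256-bit key, RFC 4648 base64-encoded (44 characters)."""
    return base64.b64encode(os.urandom(32)).decode("ascii")


def validate_raw_key(key_b64: str) -> bool:
    """A raw CSEK must be valid base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == 32


def disk_uri(project: str, zone: str, disk: str) -> str:
    """Fully-qualified disk URI used in the key file's `uri` field."""
    return (f"https://www.googleapis.com/compute/v1/projects/{project}"
            f"/zones/{zone}/disks/{disk}")


def build_csek_key_file(entries) -> str:
    """entries: iterable of (disk_uri, base64_key) pairs.

    Returns the JSON text for --csek-key-file: one object per disk with
    key-type 'raw'. Rejects malformed keys before anything is written.
    """
    entries = list(entries)
    for uri, key in entries:
        if not validate_raw_key(key):
            raise ValueError(f"key for {uri} is not a valid 256-bit raw CSEK")
    return json.dumps(
        [{"uri": uri, "key": key, "key-type": "raw"} for uri, key in entries],
        indent=2,
    )


def key_sha256(key_b64: str) -> str:
    """Base64 SHA-256 of the decoded key bytes.

    Compute returns only this hash (diskEncryptionKey.sha256) for a
    CSEK-protected disk, so an auditor can match a disk to the key held in a
    secrets manager without storing the key next to it. Assumed here: the
    hash is taken over the raw (decoded) key bytes.
    """
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    key = generate_raw_csek()
    uri = disk_uri("my-project", "us-central1-a", "critical-disk")
    with open("keys.json", "w", encoding="ascii") as fh:
        fh.write(build_csek_key_file([(uri, key)]))
    print("key sha256 (what the API will report):", key_sha256(key))
    print("run: gcloud compute disks create critical-disk --csek-key-file keys.json")
```

Google does not store a customer-supplied key, so the same key file must be supplied again for every later operation on the disk (attaching it to an instance, snapshotting, creating an image), and losing the key makes the data unrecoverable. Keep the key in a secrets manager and restrict the key file's permissions; do not commit it beside the Terraform configuration.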

References

  1. https://cloud.google.com/sdk/gcloud/reference/compute/disks/create
  2. https://cloud.google.com/compute/docs/disks/customer-supplied-encryption

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP Dashboard System Ruleset
  • GCP GDPR Readiness
  • GCP HIPAA
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0
  • GCP Security Risk Management