Ensure encryption is enabled for Google Cloud Storage Buckets

MEDIUM

Description

Google Cloud Storage data should be encrypted at rest to protect sensitive information. Encrypting data at rest is best practice in any environment that supports it, and many compliance frameworks and industry regulations require it outright. Cloud Storage always encrypts object data with Google-managed keys; this rule checks that the bucket's default encryption is controlled by a customer-managed key in Cloud KMS, which gives you ownership of key rotation, revocation and key-usage audit logging.

Remediation

Encryption of Cloud Storage data at rest with Google-managed keys is enabled by default and cannot be turned off. To use a customer-managed encryption key (CMEK) instead, follow the instructions below. Note that the Cloud Storage service agent for the project must hold the Cloud KMS CryptoKey Encrypter/Decrypter role on the key, and that a new default key applies only to objects written after the change; existing objects keep the key they were written with until they are rewritten.

In GCP Console -

  1. Log into the GCP Console and go to Cloud Storage.
  2. Under Buckets, choose the bucket you wish to edit.
  3. Select the Configuration tab.
  4. Under Protection, select the pencil next to the Encryption type listed.
  5. Choose Customer-managed encryption key and select a key from the drop-down.
  6. Select Save.

In Terraform -

  1. In the google_storage_bucket resource, set the encryption.default_kms_key_name field to a valid KMS key name.
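The following is an added example of the Terraform remediation described above; it is not configuration from the original page or from Google. Project ID, resource names and the us-central1 location are assumptions. It creates the KMS key ring and key, grants the project's Cloud Storage service agent the encrypter/decrypter role on the key, and then sets the bucket's default key, with an explicit depends_on so the IAM binding exists before the bucket references the key.

```hcl
# Added example: bucket with a customer-managed default encryption key.
# Assumed values: project "my-project" and location "us-central1".

provider "google" {
  project = "my-project"   # assumption
  region  = "us-central1"  # assumption
}

# The Cloud Storage service agent that must be allowed to use the key.
data "google_storage_project_service_account" "gcs_account" {}

resource "google_kms_key_ring" "bucket_keyring" {
  name     = "bucket-keyring"  # assumed name
  location = "us-central1"     # must match the bucket location
}

resource "google_kms_crypto_key" "bucket_key" {
  name            = "bucket-key"  # assumed name
  key_ring        = google_kms_key_ring.bucket_keyring.id
  rotation_period = "7776000s"    # 90 days; purpose defaults to ENCRYPT_DECRYPT
}

# Without this grant the bucket update fails: Cloud Storage cannot
# encrypt or decrypt objects with a key it is not allowed to use.
resource "google_kms_crypto_key_iam_member" "gcs_key_user" {
  crypto_key_id = google_kms_crypto_key.bucket_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
}

# Non-compliant shape for comparison: no encryption block, so the bucket
# relies on Google-managed keys only.
#
# resource "google_storage_bucket" "before" {
#   name     = "my-project-sensitive-data"
#   location = "us-central1"
# }

resource "google_storage_bucket" "sensitive" {
  name                        = "my-project-sensitive-data"  # assumed, must be globally unique
  location                    = "us-central1"
  uniform_bucket_level_access = true

  # This is the field the rule checks: the bucket's default CMEK.
  encryption {
    default_kms_key_name = google_kms_crypto_key.bucket_key.id
  }

  # Terraform cannot infer that the IAM grant must precede the bucket.
  depends_on = [google_kms_crypto_key_iam_member.gcs_key_user]
}
```

After `terraform apply`, `gsutil kms encryption gs://my-project-sensitive-data` reports the default key. Objects uploaded before the change still carry the previous (Google-managed) encryption; rewrite them, for example with `gsutil rewrite -k KEY`, if the policy must cover existing data.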

References:
https://cloud.google.com/storage/docs/encryption
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#nested_encryption

Policy Details

Rule Reference ID: AC_GCP_0235
CSP: GCP
Remediation Available: Yes
Resource Category: Storage
Resource Type: Bucket

Frameworks