Ensure cloud instance snapshots are encrypted through Google Compute Snapshot

MEDIUM

Description

Compute Engine VMs whose persistent disks are encrypted with a customer-supplied encryption key (CSEK) must also have snapshots of those disks encrypted with a customer-supplied key; otherwise the snapshot copy of that data is not protected by your key. For more on encryption of Compute Engine disks and snapshots, see the GCP documentation.
References:
https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#create_snapshot

Remediation

The encryption key can only be set while the snapshot is being created. An existing snapshot cannot be re-encrypted in place; to remediate it, create a new snapshot with a customer-supplied key and delete the unencrypted one.

In GCP Console -

  1. Open the Snapshots page.
  2. Click Create snapshot, choose the source disk, and under Encryption select a customer-supplied key (rather than the default Google-managed key), then enter the key. If the source disk is itself CSEK-encrypted, you must also supply that disk's key.
  3. Click Create.

In Terraform -

  1. In the google_compute_snapshot resource, add a snapshot_encryption_key block. Set raw_key for a customer-supplied key, or kms_key_self_link (optionally with kms_key_service_account) for a Cloud KMS key; the two are alternatives, not used together. If the source disk is CSEK-encrypted, also add a source_disk_encryption_key block with that disk's raw_key, or the snapshot cannot be taken at all.
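
The following is an added example, not code from the rule page or from the Terraform provider docs. It shows a CSEK-encrypted disk, a snapshot that this rule would flag (source disk key supplied, but no snapshot key) and the compliant version beside it. The resource names, zone and variable names are assumptions; the keys are passed in as sensitive variables rather than hard-coded in HCL.

```hcl
# Added example (not from the rule page or the provider docs). Assumed names:
# "app-data", zone us-central1-a, variables disk_csek and snapshot_csek.

variable "disk_csek" {
  description = "256-bit AES key, base64-encoded, protecting the source disk"
  type        = string
  sensitive   = true
}

variable "snapshot_csek" {
  description = "256-bit AES key, base64-encoded, protecting the snapshot"
  type        = string
  sensitive   = true
}

# Source disk encrypted with a customer-supplied key.
resource "google_compute_disk" "data" {
  name = "app-data"
  zone = "us-central1-a"
  size = 50
  type = "pd-ssd"

  disk_encryption_key {
    raw_key = var.disk_csek
  }
}

# NON-COMPLIANT: the disk key is supplied (the API needs it to read a CSEK
# disk), but there is no snapshot_encryption_key, so the snapshot itself is
# not protected by a customer-supplied key. AC_GCP_0289 flags this resource.
resource "google_compute_snapshot" "data_weak" {
  name        = "app-data-snap-weak"
  source_disk = google_compute_disk.data.id
  zone        = "us-central1-a"

  source_disk_encryption_key {
    raw_key = var.disk_csek
  }
}

# COMPLIANT: snapshot_encryption_key carries a customer-supplied key.
# raw_key and kms_key_self_link are alternatives: use raw_key for CSEK, or
# kms_key_self_link (plus optional kms_key_service_account) for a Cloud KMS key.
resource "google_compute_snapshot" "data_encrypted" {
  name        = "app-data-snap"
  source_disk = google_compute_disk.data.id
  zone        = "us-central1-a"

  source_disk_encryption_key {
    raw_key = var.disk_csek
  }

  snapshot_encryption_key {
    raw_key = var.snapshot_csek
  }
}
```

Supply the keys out of band (for example with TF_VAR_disk_csek and TF_VAR_snapshot_csek environment variables) so they never land in version control. After apply, `gcloud compute snapshots describe app-data-snap --format="value(snapshotEncryptionKey.sha256)"` returns the SHA-256 of the snapshot key for a CSEK-protected snapshot and nothing for the weak one; a KMS-protected snapshot shows its key under snapshotEncryptionKey.kmsKeyName instead.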

References:
https://registry.terraform.io/providers/hashicorp/google/4.50.0/docs/resources/compute_snapshot#nested_snapshot_encryption_key
https://cloud.google.com/compute/docs/disks/customer-supplied-encryption

Policy Details

Rule Reference ID: AC_GCP_0289
CSP: GCP
Remediation Available: Yes
Resource Category: Compute
Resource Type: Virtual Machine

Frameworks