Ensure encryption with Customer Supplied Encryption Keys (CSEK) is enabled for Google Compute Instance

MEDIUM

Description

Compute Engine encrypts persistent disks at rest by default with Google-managed keys. With a customer-supplied encryption key (CSEK) you generate and hold the 256-bit AES key yourself and pass it with every request that touches the disk; Google keeps only a SHA-256 hash of the key to validate later requests and does not store the key itself. This is distinct from customer-managed encryption keys (CMEK), which are created and stored in Cloud KMS. Because Google cannot recover a CSEK, losing the key makes the disk, and any snapshot or image made from it, unusable, so the key must be escrowed outside the instance. For more on encryption of Compute Engine disks, see the GCP documentation.
References:
https://cloud.google.com/compute/docs/disks/customer-supplied-encryption

Remediation

In GCP Console -

  1. Open the Compute Engine page.
  2. Click the VM instances tab.
  3. Click Create Instance and configure the instance.
  4. In the Boot disk section, click CHANGE.
  5. Click Show advanced configuration, select Customer-supplied encryption key (CSEK), and enter the base64-encoded key.
  6. Click Select. Repeat for any additional disks attached to the instance.
  7. Click Create.

In Terraform -

  1. In the resource google_compute_instance, set the disk_encryption_key_raw attribute in the boot_disk block (and in each attached_disk block) to a valid customer-supplied encryption key: the RFC 4648 standard base64 encoding of a 256-bit key. Supply it through a sensitive variable rather than a literal; the value is still recorded in the Terraform state, so restrict access to the state backend accordingly. The provider exposes disk_encryption_key_sha256 on the same blocks, which can be compared against the hash of the key you hold to confirm which key a disk was encrypted with.
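The following is an added example, not code from the policy page, Google or HashiCorp. It ties the console and Terraform remediations together: it generates a CSEK in the form both Compute Engine and the google provider accept, computes the SHA-256 fingerprint that the API reports for the disk, builds the JSON entry used with gcloud's --csek-key-file flag (format taken from the customer-supplied-encryption documentation referenced above), and audits the JSON output of terraform show -json for google_compute_instance boot or attached disks that do not set disk_encryption_key_raw. The plan document and the resource names in it are constructed for the example.

```python
"""Added example: generate/validate a Compute Engine CSEK and audit a
Terraform plan (terraform show -json tfplan) for disks without one.
Not from the policy page or the provider; the sample plan is constructed."""
import base64
import hashlib
import secrets

KEY_BYTES = 32  # a Compute Engine CSEK is a 256-bit AES key


def generate_csek() -> str:
    """Fresh random key as RFC 4648 standard base64 (44 chars, padded)."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def is_valid_csek(key_b64) -> bool:
    """True only for standard base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == KEY_BYTES


def csek_sha256(key_b64: str) -> str:
    """Base64 SHA-256 of the raw key bytes. This is the value Compute Engine
    keeps and reports (disk_encryption_key_sha256 in Terraform), and the only
    thing Google retains about the key."""
    raw = base64.b64decode(key_b64, validate=True)
    return base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")


def csek_key_file_entry(disk_uri: str, key_b64: str) -> dict:
    """One entry of the JSON list passed to gcloud ... --csek-key-file."""
    if not is_valid_csek(key_b64):
        raise ValueError("CSEK must be base64 of exactly 32 bytes")
    return {"uri": disk_uri, "key": key_b64, "key-type": "raw"}


def _iter_resources(module: dict):
    """Walk planned_values modules recursively (root and child modules)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def find_disks_without_csek(plan: dict) -> list:
    """Return '<address>.<block>[i]' for every boot_disk/attached_disk of a
    google_compute_instance whose disk_encryption_key_raw is absent or malformed.
    A disk using kms_key_self_link (CMEK) is still reported: this rule is CSEK-specific.
    Caveat: a key that is unknown until apply is omitted from planned_values,
    so such disks also surface here; confirm them against after_unknown."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _iter_resources(root):
        if res.get("type") != "google_compute_instance":
            continue
        values = res.get("values", {})
        for block in ("boot_disk", "attached_disk"):
            for i, disk in enumerate(values.get(block, [])):
                if not is_valid_csek(disk.get("disk_encryption_key_raw")):
                    findings.append(f"{res['address']}.{block}[{i}]")
    return findings


# Constructed plan: 'web' has a CSEK on its boot disk but not on its data
# disk; 'db' relies on CMEK only. The key ring path is made up for the example.
GOOD_KEY = generate_csek()
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "google_compute_instance.web",
         "type": "google_compute_instance",
         "values": {"name": "web",
                    "boot_disk": [{"disk_encryption_key_raw": GOOD_KEY}],
                    "attached_disk": [{"source": "data-1"}]}},
        {"address": "google_compute_instance.db",
         "type": "google_compute_instance",
         "values": {"name": "db",
                    "boot_disk": [{"kms_key_self_link":
                                   "projects/p/locations/us/keyRings/r/cryptoKeys/k"}],
                    "attached_disk": []}},
    ]}},
}


def audit_sample_plan() -> list:
    """Run the check over the constructed plan."""
    return find_disks_without_csek(SAMPLE_PLAN)


if __name__ == "__main__":
    key = generate_csek()
    print("key:", key, "sha256:", csek_sha256(key))
    for finding in audit_sample_plan():
        print("AC_GCP_0036 finding:", finding)
```

Store the key (or its fingerprint alongside the disk name) somewhere durable before the first apply: once a disk is created with a CSEK, every later snapshot, attach or read of that disk needs the same key, and the fingerprint is the only way to tell afterwards which escrowed key belongs to which disk.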

References:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#disk_encryption_key_raw

Policy Details

Rule Reference ID: AC_GCP_0036
CSP: GCP
Remediation Available: Yes
Resource Category: Compute
Resource Type: Virtual Machine

Frameworks