Logs Router Encryption with Customer-Managed Keys Not Enabled
ID: gcloud-logs-router-cmek-not-enabled
Severity: high
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,google-cloud-logging,gcp-cloud-config
Description
Ensure that Google Cloud Logs Router data is encrypted with Customer-Managed Keys (CMKs) to provide full control over your data encryption and decryption process and to help meet compliance requirements. Using Cloud Key Management Service (Cloud KMS), you can create and manage your CMKs, ensuring secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.
YAML Source
id: gcloud-logs-router-cmek-not-enabled

info:
  name: Logs Router Encryption with Customer-Managed Keys Not Enabled
  author: princechaddha
  severity: high
  description: |
    Ensure that Google Cloud Logs Router data is encrypted with Customer-Managed Keys (CMKs) to provide full control over your data encryption and decryption process and to help meet compliance requirements. Using Cloud Key Management Service (Cloud KMS), you can create and manage your CMKs, ensuring secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.
  impact: |
    Without Customer-Managed Keys (CMKs) encryption, your Logs Router data may not meet organizational compliance requirements and is not protected by keys you control, potentially exposing sensitive information to unauthorized access.
  remediation: |
    Enable Customer-Managed Keys (CMKs) for Logs Router encryption within your GCP organization by configuring Cloud KMS keys and associating them with the Logs Router service. Ensure the CMKs are properly managed and rotated per compliance requirements.
  reference:
    - https://cloud.google.com/logging/docs/routing/managed-encryption
  tags: cloud,devops,gcp,gcloud,google-cloud-logging,gcp-cloud-config

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud alpha logging cmek-settings describe --organization=$organization --format="json(kmsKeyName)"

    matchers:
      - type: word
        words:
          - 'null'

    extractors:
      - type: dsl
        dsl:
          - '"Logs Router Encryption with CMK not enabled for your organization"'
# digest: 4b0a00483046022100a94c7e2231181d06405b8fb53b9603a32c3d7db83381ad64935458a6c6e6d92a022100f787d993f5a41dc335e362a5b2b88fec08577e5bb41b6b83b64e5c91ba323972:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/logging/gcloud-logs-router-cmek-not-enabled.yaml"
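The template's matcher is a substring test for `null` in the output of the `gcloud ... cmek-settings describe` command. The following is an added example, not part of the template or the Nuclei project: it parses that JSON output instead and shows where the two approaches disagree. The function names, sample outputs and key names are constructed for illustration.

```python
import json
import re

# Cloud KMS CryptoKey resource name layout.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)

def classify_cmek_output(raw):
    """Return 'not-enabled', 'enabled' or 'unknown' for the describe output."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return "unknown"  # error text is not evidence either way
    if doc is None:
        return "not-enabled"
    if not isinstance(doc, dict):
        return "unknown"
    key = doc.get("kmsKeyName")
    if key is None or key == "":
        return "not-enabled"
    if isinstance(key, str) and KMS_KEY_RE.match(key):
        return "enabled"
    return "unknown"

def word_matcher(raw):
    """The template's matcher: fires when the output contains 'null'."""
    return "null" in raw

# Constructed sample outputs (assumed shapes, not captured from gcloud).
SAMPLES = {
    "bare null": "null",
    "null field": '{"kmsKeyName": null}',
    "key set": '{"kmsKeyName": "projects/example-proj/locations/global/'
               'keyRings/logs-ring/cryptoKeys/router-key"}',
    "key ring named nullable": '{"kmsKeyName": "projects/example-proj/'
               'locations/global/keyRings/nullable-ring/cryptoKeys/k1"}',
    "command error": "ERROR: permission denied (constructed message)",
}

def disagreements():
    """Samples where the substring matcher and the parsed verdict differ."""
    return sorted(
        name for name, raw in SAMPLES.items()
        if word_matcher(raw) != (classify_cmek_output(raw) == "not-enabled")
    )
```

A verdict of `unknown` is worth reporting separately: a failed gcloud call prints no `null`, so the template produces no finding even though nothing was verified.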