Enable Object Encryption with Customer-Managed Keys for Cloud Storage Buckets
ID: gcloud-object-encryption-cmk-not-enabled
Severity: high
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,google-cloud-storage,encryption,cmk,security,gcp-cloud-config
Description
Section titled “Description”Ensure that your Google Cloud Storage data is encrypted at rest using Customer-Managed Keys (CMKs) to maintain full control over your data encryption and decryption processes. CMKs can be managed with the Cloud Key Management Service (Cloud KMS).
YAML Source
Section titled “YAML Source”id: gcloud-object-encryption-cmk-not-enabled
info: name: Enable Object Encryption with Customer-Managed Keys for Cloud Storage Buckets author: princechaddha severity: high description: | Ensure that your Google Cloud Storage data is encrypted at rest using Customer-Managed Keys (CMKs) to maintain full control over your data encryption and decryption processes. CMKs can be managed with the Cloud Key Management Service (Cloud KMS). impact: | Without CMK encryption, you lose the ability to manage key rotation, encryption policies, and data access, potentially exposing sensitive data to unauthorized access. remediation: | Configure your Cloud Storage buckets to use Customer-Managed Keys (CMKs) for encryption to enhance data security and comply with organizational policies. reference: - https://cloud.google.com/storage/docs/encryption/customer-managed-keys tags: cloud,devops,gcp,gcloud,google-cloud-storage,encryption,cmk,security,gcp-cloud-config
flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) for(let bucketName of iterate(template.buckets)){ set("bucketName", bucketName) code(3) } }
self-contained: true
code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)"
extractors: - type: json name: projectIds internal: true json: - '.[].projectId'
- engine: - sh - bash source: | gsutil ls -p $projectId | jq -R . | jq -s .
extractors: - type: json name: buckets internal: true json: - '.[]'
- engine: - sh - bash source: | gsutil kms encryption $bucketName
matchers: - type: word part: body words: - "no default encryption key"
extractors: - type: dsl dsl: - '"The bucket " + bucketName + " in project " + projectId + " is not encrypted using a Customer-Managed Key (CMK)."'# digest: 4b0a00483046022100f2b251272464706d2ebe21caf15af113e930e0aeb02848e4f5d025750611883a022100d083dc3e0b9fb9b18964130a1468af82e0d35a8bc873e7ee13fa3dc8f5025569:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/storage/gcloud-object-encryption-cmk-not-enabled.yaml"