VM disks should be encrypted with Customer Supplied Encryption Keys
Using unmanaged keys makes rotation and general management difficult.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Use managed keys
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
resource "google_service_account" "default" {
account_id = "service_account_id"
display_name = "Service Account"
}
resource "google_compute_instance" "good_example" {
name = "test"
machine_type = "e2-medium"
zone = "us-central1-a"
tags = ["foo", "bar"]
boot_disk {
initialize_params {
image = "debian-cloud/debian-9"
}
kms_key_self_link = "something"
}
// Local SSD disk
scratch_disk {
interface = "SCSI"
}
network_interface {
network = "default"
access_config {
// Ephemeral IP
}
}
metadata = {
foo = "bar"
}
metadata_startup_script = "echo hi > /test.txt"
service_account {
# Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
email = google_service_account.default.email
scopes = ["cloud-platform"]
}
}
|