Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Vertex AI Metadata Store resource is not configured with a customer-managed encryption key (CMEK). Its contents are therefore protected only by Google-managed default keys, which your organization cannot rotate, disable, or audit.

Impact

Without CMEK, your organization cannot rotate the key on its own schedule, disable or destroy it to make the stored metadata unreadable, or trace decrypt operations in Cloud KMS audit logs. Control over the key rests entirely with Google rather than with IAM policy on a key you own, which may not meet regulatory requirements for customer-held keys. CMEK changes who controls the key, not the strength of the encryption: the data is encrypted at rest either way.
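As an added example (not code from this rule or from Google), the flagged shape beside the fixed one for a Vertex AI Metadata Store in Terraform. The project, region, key ring and key names are assumptions. The key is created here with a 90-day rotation period, and the Vertex AI service agent is granted use of it, without which creating the store fails with a permission error:

```hcl
# Added example, not the scanner's or Google's code. Project, region, key ring
# and key names are assumptions.
data "google_project" "current" {}

resource "google_kms_key_ring" "data" {
  name     = "data-keys"
  location = "us-central1"
}

# A key we own: rotation is on our schedule, disabling or destroying it
# revokes access, and every use of it is recorded in Cloud KMS audit logs.
resource "google_kms_crypto_key" "vertex_metadata" {
  name            = "vertex-metadata"
  key_ring        = google_kms_key_ring.data.id
  rotation_period = "7776000s" # 90 days
}

# Vertex AI encrypts with the key through its service agent, which needs
# this role or the metadata store cannot be created.
resource "google_kms_crypto_key_iam_member" "vertex_agent" {
  crypto_key_id = google_kms_crypto_key.vertex_metadata.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-aiplatform.iam.gserviceaccount.com"
}

# What this rule flags: no encryption_spec, so Google-managed keys only.
resource "google_vertex_ai_metadata_store" "noncompliant" {
  name        = "ml-metadata-default"
  description = "Metadata store without CMEK"
  region      = "us-central1"
}

# Fixed: the store's data is wrapped with our key. The key must sit in the
# same region as the store.
resource "google_vertex_ai_metadata_store" "compliant" {
  name        = "ml-metadata-cmek"
  description = "Metadata store with CMEK"
  region      = "us-central1"

  encryption_spec {
    kms_key_name = google_kms_crypto_key.vertex_metadata.id
  }

  depends_on = [google_kms_crypto_key_iam_member.vertex_agent]
}
```

The encryption_spec block is the attribute this rule looks for. Disabling the key later makes the metadata unreadable, which is the revocation path CMEK is meant to provide, so treat key disablement as a deliberate, logged action rather than a routine one.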

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

This code creates a Google Pub/Sub topic in Terraform without specifying a customer-managed encryption key (CMEK). Message data stored by the topic is then encrypted only with Google-managed default keys, so your organization has no key of its own to control.

Impact

Without CMEK you cannot set the key's rotation schedule, cut off access to stored messages by disabling the key, or show auditors which principal decrypted message data and when. For workloads that must demonstrate customer-held keys this is a compliance gap; for everyone else it removes the one revocation lever that still works after messages have been persisted.
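An added example (not code from this rule or from Google) showing the flagged topic next to a topic that names a Cloud KMS key. It assumes an existing key whose full resource name is passed in through the kms_key_name variable, and grants the Pub/Sub service agent use of that key, which the topic creation requires:

```hcl
# Added example, not the scanner's or Google's code. The key is assumed to
# exist already and is passed in by full resource name.
variable "kms_key_name" {
  description = "projects/PROJECT/locations/REGION/keyRings/RING/cryptoKeys/KEY (assumed)"
  type        = string
}

data "google_project" "current" {}

# Pub/Sub's service agent performs the encrypt/decrypt calls, so it needs
# the role on the key before the topic can be created.
resource "google_kms_crypto_key_iam_member" "pubsub_agent" {
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

# What this rule flags: no kms_key_name, Google-managed keys only.
resource "google_pubsub_topic" "noncompliant" {
  name = "orders-default"
}

# Fixed: message data is encrypted with our key.
resource "google_pubsub_topic" "compliant" {
  name         = "orders-cmek"
  kms_key_name = var.kms_key_name

  depends_on = [google_kms_crypto_key_iam_member.pubsub_agent]
}
```

If the IAM binding is missing, publishing to the topic fails rather than silently falling back to default keys, which is the behaviour you want from a key you intend to use for revocation.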

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Dataflow job resource is not configured with a customer-managed encryption key (CMEK), so the pipeline's state on worker persistent disks and in shuffle storage relies on Google-managed default encryption. This leaves the key lifecycle outside your organization's control.

Impact

Without CMEK you cannot set a rotation schedule for the key, disable it to revoke access to stored pipeline state, or audit its use in Cloud KMS logs, which may put sensitive intermediate data outside your compliance boundary. The job's key covers only Dataflow's own state: the Cloud Storage buckets, BigQuery tables, or Pub/Sub topics the pipeline reads and writes are encrypted by their own settings and must be configured separately.
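An added example (not code from this rule or from Google) of the flagged Dataflow job beside one that names a Cloud KMS key. The key and the temp bucket are assumptions passed in as variables; the template and input path are Google's public word-count sample. Dataflow needs two service agents granted on the key, its own and the Compute Engine agent that attaches worker disks:

```hcl
# Added example, not the scanner's or Google's code. Key and bucket are
# assumed to exist; the bucket should carry its own CMEK setting.
variable "kms_key_name" {
  description = "Existing Cloud KMS key in us-central1, full resource name (assumed)"
  type        = string
}

variable "temp_bucket" {
  description = "Existing GCS bucket for temp and output files (assumed)"
  type        = string
}

data "google_project" "current" {}

# Both agents touch encrypted state: Dataflow's for shuffle/streaming state,
# Compute Engine's for the worker persistent disks.
locals {
  dataflow_agents = [
    "serviceAccount:service-${data.google_project.current.number}@dataflow-service-producer-prod.iam.gserviceaccount.com",
    "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com",
  ]
}

resource "google_kms_crypto_key_iam_member" "dataflow_agents" {
  for_each      = toset(local.dataflow_agents)
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = each.value
}

# What this rule flags: no kms_key_name on the job.
resource "google_dataflow_job" "noncompliant" {
  name              = "wordcount-default"
  region            = "us-central1"
  template_gcs_path = "gs://dataflow-templates/latest/Word_Count"
  temp_gcs_location = "gs://${var.temp_bucket}/tmp"
  parameters = {
    inputFile = "gs://dataflow-samples/shakespeare/kinglear.txt"
    output    = "gs://${var.temp_bucket}/wordcount/default"
  }
}

# Fixed: pipeline state is wrapped with our key. The key must be in the
# same region as the job.
resource "google_dataflow_job" "compliant" {
  name              = "wordcount-cmek"
  region            = "us-central1"
  template_gcs_path = "gs://dataflow-templates/latest/Word_Count"
  temp_gcs_location = "gs://${var.temp_bucket}/tmp"
  kms_key_name      = var.kms_key_name
  parameters = {
    inputFile = "gs://dataflow-samples/shakespeare/kinglear.txt"
    output    = "gs://${var.temp_bucket}/wordcount/cmek"
  }

  depends_on = [google_kms_crypto_key_iam_member.dataflow_agents]
}
```

The output and temp locations still live in Cloud Storage, so the bucket's own default KMS key is what protects the results; the job's kms_key_name does not reach into sources or sinks.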

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The BigQuery dataset resource has no default encryption configuration naming a Cloud KMS key, so tables created in the dataset are encrypted only with Google-managed default keys. Your organization then has no key of its own to rotate, disable, or audit.

Impact

Without a customer-managed key, you cannot revoke access to the stored data by disabling the key, enforce your own rotation schedule, or see decrypt operations in Cloud KMS audit logs. The dataset default applies only to tables created after it is set; tables that already exist keep whatever encryption they were created with and must be updated or re-created separately.
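An added example (not code from this rule or from Google) of the flagged dataset beside one with a default Cloud KMS key. It assumes an existing key passed in by full resource name, and uses the provider's data source to look up the BigQuery encryption service account that must be granted on the key:

```hcl
# Added example, not the scanner's or Google's code. The key is assumed to
# exist in the same location as the dataset.
variable "kms_key_name" {
  description = "Existing Cloud KMS key in us-central1, full resource name (assumed)"
  type        = string
}

# BigQuery encrypts through a per-project service account; the data source
# returns its email so the binding does not need the project number.
data "google_bigquery_default_service_account" "bq" {}

resource "google_kms_crypto_key_iam_member" "bq_agent" {
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_bigquery_default_service_account.bq.email}"
}

# What this rule flags: no default_encryption_configuration.
resource "google_bigquery_dataset" "noncompliant" {
  dataset_id = "analytics_default"
  location   = "us-central1"
}

# Fixed: every table created in this dataset from now on uses our key.
# The key location must match the dataset location.
resource "google_bigquery_dataset" "compliant" {
  dataset_id = "analytics_cmek"
  location   = "us-central1"

  default_encryption_configuration {
    kms_key_name = var.kms_key_name
  }

  depends_on = [google_kms_crypto_key_iam_member.bq_agent]
}
```

For a multi-region dataset such as US or EU, the key has to live in the matching multi-region key ring location, not in a single region.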

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Artifact Registry repository is not configured with a customer-managed encryption key (CMEK). Images and packages stored in the repository are therefore protected only by Google-managed default keys, leaving key rotation and revocation outside your control.

Impact

Without CMEK you cannot enforce your own policy for key access, rotation, or revocation, and you have no Cloud KMS audit trail of decrypt operations on the stored artifacts. For regulated software supply chains that must show customer-held keys over build outputs, this is a compliance gap. The key is fixed when the repository is created, so retrofitting CMEK means creating a new repository and migrating the artifacts into it.
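An added example (not code from this rule or from Google) of the flagged repository beside one created with a Cloud KMS key. It assumes an existing key passed in by full resource name and grants the Artifact Registry service agent use of it:

```hcl
# Added example, not the scanner's or Google's code. The key is assumed to
# exist in the repository's region.
variable "kms_key_name" {
  description = "Existing Cloud KMS key in us-central1, full resource name (assumed)"
  type        = string
}

data "google_project" "current" {}

resource "google_kms_crypto_key_iam_member" "ar_agent" {
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
}

# What this rule flags: no kms_key_name on the repository.
resource "google_artifact_registry_repository" "noncompliant" {
  location      = "us-central1"
  repository_id = "images-default"
  format        = "DOCKER"
}

# Fixed: stored layers and packages are wrapped with our key. kms_key_name
# cannot be changed afterwards, so it has to be right at creation.
resource "google_artifact_registry_repository" "compliant" {
  location      = "us-central1"
  repository_id = "images-cmek"
  format        = "DOCKER"
  kms_key_name  = var.kms_key_name

  depends_on = [google_kms_crypto_key_iam_member.ar_agent]
}
```

Because the key is immutable on the repository, a plan that changes kms_key_name will show a replace, not an update; migrate images with a copy before destroying the old repository.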

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Bigtable instance is not configured with a customer-managed encryption key (CMEK) on its clusters. Stored data therefore relies solely on Google-managed keys, leaving key management outside your organization's control.

Impact

Without CMEK you cannot rotate the key on your own schedule, disable it to revoke access to the stored data, or audit decrypt operations in Cloud KMS, which may leave sensitive data outside regulatory key-control requirements. In Bigtable the key is set per cluster, must live in the cluster's region, and can only be chosen when the cluster is created, so an existing instance without CMEK has to be migrated rather than updated in place.
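An added example (not code from this rule or from Google) of the flagged instance beside one whose cluster names a Cloud KMS key. It assumes an existing key in the cluster's region passed in by full resource name, and grants the Bigtable service agent use of it:

```hcl
# Added example, not the scanner's or Google's code. The key is assumed to
# exist in the same region as the cluster zone below.
variable "kms_key_name" {
  description = "Existing Cloud KMS key in us-central1, full resource name (assumed)"
  type        = string
}

data "google_project" "current" {}

resource "google_kms_crypto_key_iam_member" "bigtable_agent" {
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-bigtable.iam.gserviceaccount.com"
}

# What this rule flags: a cluster with no kms_key_name.
resource "google_bigtable_instance" "noncompliant" {
  name                = "ledger-default"
  deletion_protection = false

  cluster {
    cluster_id   = "ledger-default-c1"
    zone         = "us-central1-b"
    num_nodes    = 1
    storage_type = "SSD"
  }
}

# Fixed: the key is set on the cluster, which is where Bigtable applies CMEK.
# Every cluster in the instance needs its own key in its own region.
resource "google_bigtable_instance" "compliant" {
  name                = "ledger-cmek"
  deletion_protection = false

  cluster {
    cluster_id   = "ledger-cmek-c1"
    zone         = "us-central1-b"
    num_nodes    = 1
    storage_type = "SSD"
    kms_key_name = var.kms_key_name
  }

  depends_on = [google_kms_crypto_key_iam_member.bigtable_agent]
}
```

When replicating to a second cluster in another region, add a second key in that region; a single key cannot serve clusters in two regions.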

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Dataproc cluster is not configured with a customer-managed encryption key (CMEK) for its persistent disks, so data at rest on the cluster's VMs is encrypted only with Google Cloud's default keys, leaving key management outside your control.

Impact

Without CMEK you cannot rotate, disable, or audit the key protecting the cluster's disks, and you have no way to revoke access to that data once the cluster exists. This may leave sensitive intermediate data outside organizational or regulatory key-control requirements. The cluster key does not cover the Cloud Storage staging bucket or the pipeline's data sources, which need their own CMEK settings.
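An added example (not code from this rule or from Google) of the flagged cluster beside one with an encryption_config block. It assumes an existing key in the cluster's region passed in by full resource name. Dataproc disks are Compute Engine disks, so it is the Compute Engine service agent that is granted on the key:

```hcl
# Added example, not the scanner's or Google's code. The key is assumed to
# exist in the cluster's region.
variable "kms_key_name" {
  description = "Existing Cloud KMS key in us-central1, full resource name (assumed)"
  type        = string
}

data "google_project" "current" {}

# The persistent disks are attached by Compute Engine, so its service agent
# is the principal that needs to use the key.
resource "google_kms_crypto_key_iam_member" "compute_agent" {
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com"
}

# What this rule flags: no encryption_config, default keys on every disk.
resource "google_dataproc_cluster" "noncompliant" {
  name   = "etl-default"
  region = "us-central1"

  cluster_config {
    master_config {
      num_instances = 1
      machine_type  = "n2-standard-2"
    }
    worker_config {
      num_instances = 2
      machine_type  = "n2-standard-2"
    }
  }
}

# Fixed: boot and data disks on master and workers are wrapped with our key.
resource "google_dataproc_cluster" "compliant" {
  name   = "etl-cmek"
  region = "us-central1"

  cluster_config {
    encryption_config {
      kms_key_self_link = var.kms_key_name
    }
    master_config {
      num_instances = 1
      machine_type  = "n2-standard-2"
    }
    worker_config {
      num_instances = 2
      machine_type  = "n2-standard-2"
    }
  }

  depends_on = [google_kms_crypto_key_iam_member.compute_agent]
}
```

The staging and temp buckets Dataproc uses are ordinary Cloud Storage buckets; set a default KMS key on them as well if job logs and driver output are in scope.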

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Kubernetes Engine cluster is configured with logging disabled by setting 'logging_service = "none"'. This stops collection of the control plane component, node, and workload logs that monitoring, troubleshooting, and security investigation depend on.

Impact

Without cluster logging, security incidents, misconfigurations, and unauthorized actions inside the cluster leave no record, so incident response and audits have nothing to work from and breaches or data loss can go undetected. Cloud Audit Logs for the GKE API are recorded separately and are not affected; it is the system and container logs that are lost.
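An added example (not code from this rule or from Google) of the flagged cluster beside one that sends logs to Cloud Logging. Names and location are assumptions; the fixed cluster both restores the default logging_service value and spells out which components are collected:

```hcl
# Added example, not the scanner's or Google's code. Cluster names and
# location are assumptions.

# What this rule flags: logging_service = "none" turns off Cloud Logging
# for the whole cluster.
resource "google_container_cluster" "noncompliant" {
  name               = "app-nolog"
  location           = "us-central1"
  initial_node_count = 1
  logging_service    = "none"
}

# Fixed: logs go to Cloud Logging, and logging_config says which ones.
# SYSTEM_COMPONENTS covers control plane and node logs; WORKLOADS covers
# container stdout/stderr. Dropping the logging_service line entirely
# gives the same default destination.
resource "google_container_cluster" "compliant" {
  name               = "app-logged"
  location           = "us-central1"
  initial_node_count = 1
  logging_service    = "logging.googleapis.com/kubernetes"

  logging_config {
    enable_components = ["SYSTEM_COMPONENTS", "WORKLOADS"]
  }
}
```

If log volume is the reason someone set "none", the fix is to trim enable_components or add a Cloud Logging exclusion filter, not to disable collection; keeping SYSTEM_COMPONENTS on preserves the node and control plane events you need during an incident.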

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Spanner database is not configured with a customer-managed encryption key (CMEK), so its data is encrypted only with keys Google Cloud manages. Your organization then has no key of its own to rotate, disable, or audit.

Impact

Without CMEK you cannot revoke access to the database by disabling the key, control its rotation, or audit decrypt operations in Cloud KMS, which may not satisfy regulatory requirements for customer-held keys. The key is chosen when the database is created and must be in the same location as the instance configuration; an existing database cannot be switched to CMEK in place and has to be re-created or restored from backup with the key set.
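An added example (not code from this rule or from Google) of the flagged database beside one created with an encryption_config block. It assumes an existing key in the instance's region passed in by full resource name, creates a regional instance to hold both databases, and grants the Spanner service agent use of the key:

```hcl
# Added example, not the scanner's or Google's code. The key is assumed to
# exist in us-central1, matching the instance config below.
variable "kms_key_name" {
  description = "Existing Cloud KMS key in us-central1, full resource name (assumed)"
  type        = string
}

data "google_project" "current" {}

resource "google_kms_crypto_key_iam_member" "spanner_agent" {
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-spanner.iam.gserviceaccount.com"
}

# Regional instance; the key's location has to match this config's region.
resource "google_spanner_instance" "main" {
  config       = "regional-us-central1"
  display_name = "ledger"
  num_nodes    = 1
}

# What this rule flags: no encryption_config on the database.
resource "google_spanner_database" "noncompliant" {
  instance            = google_spanner_instance.main.name
  name                = "ledger-default"
  deletion_protection = false
}

# Fixed: the database is created with our key. This cannot be added to an
# existing database, which is why it is a new resource here.
resource "google_spanner_database" "compliant" {
  instance            = google_spanner_instance.main.name
  name                = "ledger-cmek"
  deletion_protection = false

  encryption_config {
    kms_key_name = var.kms_key_name
  }

  depends_on = [google_kms_crypto_key_iam_member.spanner_agent]
}
```

Backups of a CMEK database inherit its key by default, so disabling the key also blocks restores; plan key disablement with that in mind.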

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS CodeBuild project is configured to store build artifacts with encryption disabled (encryption_disabled = true in the artifacts block). The output files written by each build are then not encrypted by CodeBuild with an AWS KMS key.

Impact

Unencrypted build artifacts can be read or tampered with by anyone who reaches the storage location, exposing source, embedded credentials, or configuration and opening the way for modified binaries to be deployed downstream. S3 still applies its bucket-level default encryption, but that is controlled outside the project and gives no KMS-level audit trail or revocation for the build outputs.
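An added example (not code from this rule or from AWS) of the flagged project beside one that keeps encryption on and names a KMS key. The artifact bucket and the existing CodeBuild service role are assumptions passed in as variables; the role is given the KMS permissions it needs to write encrypted artifacts:

```hcl
# Added example, not the scanner's or AWS's code. Bucket and service role
# are assumed to exist already.
variable "artifact_bucket" {
  description = "Existing S3 bucket for build outputs (assumed)"
  type        = string
}

variable "codebuild_role_name" {
  description = "Existing CodeBuild service role name (assumed)"
  type        = string
}

data "aws_iam_role" "codebuild" {
  name = var.codebuild_role_name
}

# A key we own, with automatic yearly rotation enabled.
resource "aws_kms_key" "build_artifacts" {
  description         = "CodeBuild artifact encryption"
  enable_key_rotation = true
}

# The build role must be allowed to use the key, or artifact upload fails.
resource "aws_iam_role_policy" "codebuild_kms" {
  name = "codebuild-artifact-kms"
  role = data.aws_iam_role.codebuild.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
      Resource = aws_kms_key.build_artifacts.arn
    }]
  })
}

# What this rule flags: artifacts written with CodeBuild encryption off.
resource "aws_codebuild_project" "noncompliant" {
  name         = "app-build-plain"
  service_role = data.aws_iam_role.codebuild.arn

  artifacts {
    type                = "S3"
    location            = var.artifact_bucket
    encryption_disabled = true
  }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type     = "GITHUB"
    location = "https://github.com/example-org/app.git"
  }
}

# Fixed: encryption stays on and the project names our key, so every
# artifact is written with KMS and key use shows up in CloudTrail.
resource "aws_codebuild_project" "compliant" {
  name           = "app-build-kms"
  service_role   = data.aws_iam_role.codebuild.arn
  encryption_key = aws_kms_key.build_artifacts.arn

  artifacts {
    type                = "S3"
    location            = var.artifact_bucket
    encryption_disabled = false
  }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type     = "GITHUB"
    location = "https://github.com/example-org/app.git"
  }

  depends_on = [aws_iam_role_policy.codebuild_kms]
}
```

Pair this with a bucket policy on the artifact bucket that denies PutObject without the expected SSE-KMS header, so a later project that sets encryption_disabled = true again is rejected at the bucket rather than silently accepted.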