Property
Language: hcl
Severity: low
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Google Compute Engine disks are being created without specifying a customer-supplied encryption key (CSEK), meaning data is only protected by default Google-managed keys. This may not provide sufficient control over disk encryption for sensitive workloads.

Impact

Without customer-managed encryption, sensitive data on VM disks could be more easily accessed if Google’s default encryption keys are compromised or mismanaged. Attackers or unauthorized insiders could potentially access the data on those disks, putting confidential information at risk and potentially violating compliance requirements.
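
The pattern from the Description, as an added Terraform example (not taken from the rule's own documentation or test cases): a `google_compute_disk` with no `disk_encryption_key` block beside one that sets a customer-supplied key. The resource names, zone, size and variable name are assumptions, and the exact attributes the rule matches are not stated on this page.

```hcl
# Added example. Names, zone, size and the variable are assumptions.

# Base64-encoded 256-bit key, supplied at apply time (for example through
# TF_VAR_disk_csek_b64), never committed to the repository.
variable "disk_csek_b64" {
  description = "Customer-supplied encryption key for Compute Engine disks"
  type        = string
  sensitive   = true
}

# Flagged: no disk_encryption_key block, so the disk is protected only by
# default Google-managed keys.
resource "google_compute_disk" "data_default" {
  name = "data-default"
  type = "pd-ssd"
  zone = "us-central1-a"
  size = 100
}

# Corrected: the disk is created with a customer-supplied encryption key.
resource "google_compute_disk" "data_csek" {
  name = "data-csek"
  type = "pd-ssd"
  zone = "us-central1-a"
  size = 100

  disk_encryption_key {
    # The provider stores raw_key in Terraform state in plain text, so the
    # state backend needs its own encryption and access control.
    raw_key = var.disk_csek_b64
  }
}
```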