Key Management Errors
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-320: CWE CATEGORY: Key Management Errors |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The Artifact Registry repository is not configured to use a customer-managed encryption key (CMEK) for data encryption. This means sensitive data stored in the repository relies solely on default Google-managed keys, limiting your control over key management and rotation.
Impact
Without customer-managed encryption keys, you cannot enforce your own security policies for key access, rotation, or revocation. If Google’s default keys are compromised or misused, attackers could potentially access or decrypt sensitive artifacts stored in the repository, increasing the risk of data exposure or regulatory non-compliance.
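One way to check for this condition across existing repositories, as an added example that is not part of the original rule: the script audits repository records shaped like the JSON that `gcloud artifacts repositories list --format=json` returns and flags any without a `kmsKeyName`. The sample records, project names and key names are constructed, and the finding labels and the location-match check are assumptions of this example.

```python
import json
import re

# Constructed sample shaped like `gcloud artifacts repositories list --format=json`
# output (Repository resources); project, repository and key names are made up.
SAMPLE = json.loads("""
[
  {"name": "projects/demo-proj/locations/us-central1/repositories/app-images",
   "format": "DOCKER"},
  {"name": "projects/demo-proj/locations/europe-west1/repositories/py-packages",
   "format": "PYTHON",
   "kmsKeyName": "projects/demo-kms/locations/europe-west1/keyRings/ar/cryptoKeys/repo-key"},
  {"name": "projects/demo-proj/locations/us-east1/repositories/maven-libs",
   "format": "MAVEN",
   "kmsKeyName": "projects/demo-kms/locations/us-west1/keyRings/ar/cryptoKeys/repo-key"}
]
""")

REPO_RE = re.compile(r"^projects/[^/]+/locations/(?P<loc>[^/]+)/repositories/[^/]+$")
KEY_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<loc>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")


def audit_repositories(repos):
    """Return (repository name, finding) pairs for repositories failing the check."""
    findings = []
    for repo in repos:
        name = repo.get("name", "")
        key = repo.get("kmsKeyName") or ""
        repo_match = REPO_RE.match(name)
        key_match = KEY_RE.match(key)
        if not key:
            # No CMEK set: the repository relies on default Google-managed keys.
            findings.append((name, "no-cmek"))
        elif not key_match:
            # Value present but not a Cloud KMS CryptoKey resource name.
            findings.append((name, "malformed-key-name"))
        elif repo_match and key_match["loc"] != repo_match["loc"]:
            # Assumption of this example: key and repository locations should match.
            findings.append((name, "key-location-mismatch"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_repositories(SAMPLE):
        print(f"{finding}: {name}")
```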