disk-encryption-customer-keys
Explanation
By default, Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.
If the disk_encryption_key block is included in the resource declaration, then it must include a raw_key or kms_key_self_link.
Possible Impact
Encryption of disk using unmanaged keys.
Suggested Resolution
Enable encryption using a customer-managed key.
Insecure Example
The following example will fail the google-compute-disk-encryption-customer-keys check.
resource "google_compute_disk" "bad_example" {
  # ...
}
Secure Example
The following example will pass the google-compute-disk-encryption-customer-keys check.
resource "google_compute_disk" "good_example" {
  disk_encryption_key {
    kms_key_self_link = "something"
  }
}
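A fuller version of the secure pattern, added here as an example that is not part of the original check documentation: it creates the KMS key ring and key, grants the Compute Engine service agent the role it needs to use the key, and references the key's resource name in place of the placeholder. The resource names, region and zone are assumptions.

```hcl
# Project number is needed to address the Compute Engine service agent.
data "google_project" "current" {}

# Key ring and key must live in the same region as the disk (or be global).
resource "google_kms_key_ring" "disk_ring" {
  name     = "compute-disk-ring" # assumed name
  location = "us-central1"       # assumed region
}

resource "google_kms_crypto_key" "disk_key" {
  name            = "compute-disk-key" # assumed name
  key_ring        = google_kms_key_ring.disk_ring.id
  rotation_period = "7776000s" # rotate every 90 days
}

# Without this binding disk creation fails: Compute Engine's service agent
# must be allowed to encrypt and decrypt with the customer-managed key.
resource "google_kms_crypto_key_iam_member" "compute_can_use_key" {
  crypto_key_id = google_kms_crypto_key.disk_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com"
}

resource "google_compute_disk" "good_example" {
  name = "cmek-data-disk" # assumed name
  type = "pd-ssd"
  zone = "us-central1-a" # assumed zone, inside the key's region
  size = 50

  # The key's resource name satisfies the kms_key_self_link requirement.
  disk_encryption_key {
    kms_key_self_link = google_kms_crypto_key.disk_key.id
  }

  # Ensure the IAM grant exists before the disk tries to use the key.
  depends_on = [google_kms_crypto_key_iam_member.compute_can_use_key]
}
```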