GCP Vertex AI datasets do not use a Customer Managed Key (CMK)
Description
This policy identifies Vertex AI datasets that are encrypted with the default Google-managed keys rather than with a customer-managed encryption key (CMEK) held in Cloud KMS. It is a best practice to encrypt Vertex AI dataset data with a customer-managed KMS key: you control the key's lifecycle (rotation, disabling and destruction) and its IAM policy, and Cloud KMS audit logs record every use of the key. Disabling or destroying the key makes the dataset's data unreadable, so access to the encrypted data can be revoked independently of the dataset itself.
Code Example
```hcl
resource "google_vertex_ai_dataset" "pass" {
  display_name        = "terraform"
  metadata_schema_uri = "gs://google-cloud-aiplatform/schema/dataset/metadata/image_1.0.0.yaml"
  region              = "us-central1"

  # Customer-managed key. kms_key_name takes the key's full resource name
  # (projects/.../locations/.../keyRings/.../cryptoKeys/...), which is the
  # crypto key resource's `id`; its `name` is only the short key name.
  encryption_spec {
    kms_key_name = google_kms_crypto_key.example.id
  }
}
```
Remediation
Terraform
- Resource: google_vertex_ai_dataset
- Arguments: encryption_spec.kms_key_name (the key's full resource name; `region` is a sibling argument and the key must live in the same location as the dataset)
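A complete configuration that satisfies this policy end to end, added here as an example and not taken from the policy's own code: it creates the key ring and crypto key, grants the Vertex AI service agent the encrypt/decrypt role it needs on that key, and shows a failing dataset beside a passing one. The resource names (`vertex-cmek`, `vertex-datasets`), the `project_id` variable and the region are assumptions chosen for illustration.

```hcl
# Added example (not the policy's own code). Names, project_id and region are
# assumptions for illustration.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

variable "project_id" {
  type = string
}

provider "google" {
  project = var.project_id
  region  = "us-central1"
}

# Project number is needed to address the Vertex AI service agent below.
data "google_project" "current" {}

resource "google_kms_key_ring" "vertex" {
  name     = "vertex-cmek"
  location = "us-central1" # must match the dataset region
}

resource "google_kms_crypto_key" "vertex_datasets" {
  name            = "vertex-datasets"
  key_ring        = google_kms_key_ring.vertex.id
  rotation_period = "7776000s" # 90 days; rotation adds a new key version, older data stays readable

  lifecycle {
    prevent_destroy = true # destroying the key makes every dataset encrypted with it unreadable
  }
}

# Vertex AI uses the key as its service agent, so that identity needs
# encrypt/decrypt on the key; without this grant dataset creation fails.
resource "google_kms_crypto_key_iam_member" "vertex_agent" {
  crypto_key_id = google_kms_crypto_key.vertex_datasets.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-aiplatform.iam.gserviceaccount.com"
}

# FAILS CKV_GCP_92: no encryption_spec, so the Google-managed default key is used.
resource "google_vertex_ai_dataset" "fail" {
  display_name        = "images-default-key"
  metadata_schema_uri = "gs://google-cloud-aiplatform/schema/dataset/metadata/image_1.0.0.yaml"
  region              = "us-central1"
}

# PASSES CKV_GCP_92: kms_key_name references the key's full resource name (.id).
resource "google_vertex_ai_dataset" "pass" {
  display_name        = "images-cmek"
  metadata_schema_uri = "gs://google-cloud-aiplatform/schema/dataset/metadata/image_1.0.0.yaml"
  region              = "us-central1"

  encryption_spec {
    kms_key_name = google_kms_crypto_key.vertex_datasets.id
  }

  # Make sure the grant exists before Vertex AI first tries to use the key.
  depends_on = [google_kms_crypto_key_iam_member.vertex_agent]
}
```

Running `checkov -d . --check CKV_GCP_92` over this directory reports the `fail` resource and passes the `pass` resource. Two practical caveats: the service agent `service-<project-number>@gcp-sa-aiplatform.iam.gserviceaccount.com` only exists once the Vertex AI API has been enabled in the project (the `google_project_service_identity` resource in the google-beta provider can force its creation if the IAM grant fails with a missing principal), and the passing check only proves a key reference is present; whether the key is rotated, who can administer it and whether `prevent_destroy` is set are controls you still have to review yourself.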
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0950 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_GCP_92 |