Vertex AI instance disks not encrypted with a Customer Managed Key (CMK)
Description
This policy checks whether the disks of Vertex AI (notebook) instances are encrypted with a Customer Managed Key (CMK). Using a CMK gives you control over the cryptographic key that protects your data at rest: you decide where the key lives, who can use it, and when it is rotated or revoked. Relying on the default Google-managed key forgoes that control and could leave sensitive data on the instance disks exposed or compromised. The encryption you employ should be as strong as possible to ensure maximum data security.
Code Example
```hcl
resource "google_notebooks_instance" "instance_good_vm" {
  ...
  # Encrypt the instance disks with a customer-managed key instead of the default Google-managed key
  disk_encryption = "CMEK"
  # Full resource name of the Cloud KMS key, supplied through a variable
  kms_key         = var.kms_key
  ...
}
```
Remediation
Terraform
- Resource: google_notebooks_instance
- Arguments: kms_key, disk_encryption
To fix this issue, specify a Customer Managed Key (CMK) for encrypting the Vertex AI instance disks: set the `disk_encryption` argument to `CMEK` and set the `kms_key` argument to the resource name of your Cloud KMS key.
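The check described above, applied to the TerraformPlan framework, as an added example that is not Checkov's or the policy author's own code: it walks the JSON produced by `terraform show -json` (root module plus child modules), and flags every `google_notebooks_instance` whose disks are not encrypted with a CMK. The plan document is a constructed sample; the project and key names in it are placeholders, and treating a `CMEK` instance with no `kms_key` as a failure is this example's choice.

```python
import json

# Constructed sample in the shape of `terraform show -json plan.out`, trimmed to the
# fields this check reads; it is not taken from any real project.
SAMPLE_PLAN_JSON = json.dumps({"planned_values": {"root_module": {
    "resources": [
        {"address": "google_notebooks_instance.instance_good_vm",
         "type": "google_notebooks_instance",
         "values": {"disk_encryption": "CMEK",
                    "kms_key": "projects/example-project/locations/us-central1/"
                               "keyRings/example-ring/cryptoKeys/example-key"}},
        {"address": "google_notebooks_instance.instance_default",
         "type": "google_notebooks_instance",
         "values": {}},                            # no disk_encryption: Google-managed key
        {"address": "google_notebooks_instance.instance_cmek_no_key",
         "type": "google_notebooks_instance",
         "values": {"disk_encryption": "CMEK"}},   # CMEK requested but kms_key missing
    ],
    "child_modules": [{"address": "module.ml", "resources": [
        {"address": "module.ml.google_notebooks_instance.vm",
         "type": "google_notebooks_instance",
         "values": {"disk_encryption": "GMEK"}},
    ]}],
}}})


def iter_resources(module):
    """Yield every resource in a plan module, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def uses_cmek(values):
    """True only when disk_encryption is CMEK and kms_key is a non-empty string.
    Plan JSON omits attributes whose value is unknown until apply, so a missing
    kms_key is reported as a failure rather than silently passed."""
    if values.get("disk_encryption") != "CMEK":
        return False
    key = values.get("kms_key")
    return isinstance(key, str) and key.strip() != ""


def find_instances_without_cmk(plan_json):
    """Return addresses of google_notebooks_instance resources failing IAC-1006."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    return [res["address"] for res in iter_resources(root)
            if res.get("type") == "google_notebooks_instance"
            and not uses_cmek(res.get("values") or {})]
```

Running `find_instances_without_cmk(SAMPLE_PLAN_JSON)` reports the three non-compliant addresses and leaves `instance_good_vm` alone.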
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1006 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_GCP_21 |