Document AI Processors not encrypted with a Customer Managed Key (CMK)
Description
This policy checks that Document AI Processors are encrypted with a Customer Managed Key (CMK). The purpose is to protect sensitive information that may be contained in the documents being processed. If a processor is not configured with a CMK, its data is protected only by Google-managed encryption, and an unauthorized individual who gains access to the underlying storage could potentially read this data, leading to a serious confidentiality breach. Encryption with a Customer Managed Key (CMK) is therefore recommended, as it gives you control over the key's lifecycle (rotation, disabling and revocation) and reduces the risk of data exposure.
Code Example
```hcl
resource "google_document_ai_processor" "example" {
  ...
  # Full resource name of the Cloud KMS key used to encrypt the processor's data
  kms_key_name = "key_name"
  ...
}
```
Remediation
Terraform
- Resource: google_document_ai_processor
- Arguments: kms_key_name
To fix this issue, modify the `google_document_ai_processor` resources in your Terraform code to set the `kms_key_name` argument. This argument holds the full resource name of the Cloud KMS key used for encryption and decryption, and setting it ensures the processor is encrypted with a Customer Managed Key (CMK).
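The following is an added, complete remediation example and is not code from the original policy page or from Checkov: it places a non-compliant processor (no `kms_key_name`, which this rule flags) beside a compliant one that references a Cloud KMS key created in the same configuration. The project, resource names, the `us` location, the `OCR_PROCESSOR` type and the Document AI service agent identity are assumed values; `PROJECT_NUMBER` is a placeholder.

```hcl
# Added example (not from the original policy page): a Document AI processor
# encrypted with a customer-managed Cloud KMS key. Names and the "us"
# location are assumed values; adjust them to your environment.

# Non-compliant: no kms_key_name, so Google-managed encryption is used and
# IAC-1007 / CKV2_GCP_22 flags this resource.
resource "google_document_ai_processor" "noncompliant" {
  location     = "us"
  display_name = "invoice-parser-noncompliant"
  type         = "OCR_PROCESSOR"
}

# Compliant: the key ring and key live in the same location as the processor,
# which CMEK requires.
resource "google_kms_key_ring" "docai" {
  name     = "docai-keyring"
  location = "us"
}

resource "google_kms_crypto_key" "docai" {
  name            = "docai-processor-key"
  key_ring        = google_kms_key_ring.docai.id
  rotation_period = "7776000s" # 90 days

  lifecycle {
    prevent_destroy = true # losing the key makes the processor's data unreadable
  }
}

# The Document AI service agent must be allowed to use the key. The service
# agent identity below is an assumption to verify against your own project;
# PROJECT_NUMBER is a placeholder.
resource "google_kms_crypto_key_iam_member" "docai_key_user" {
  crypto_key_id = google_kms_crypto_key.docai.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-PROJECT_NUMBER@gcp-sa-prod-dai-core.iam.gserviceaccount.com"
}

# Compliant: kms_key_name references the full resource name of the CMK.
resource "google_document_ai_processor" "compliant" {
  location     = "us"
  display_name = "invoice-parser"
  type         = "OCR_PROCESSOR"
  kms_key_name = google_kms_crypto_key.docai.id

  # Create the processor only after the service agent can use the key.
  depends_on = [google_kms_crypto_key_iam_member.docai_key_user]
}
```

Running `checkov -d . --check CKV2_GCP_22` against this directory reports the `noncompliant` resource as failed and the `compliant` one as passed. Keeping `kms_key_name` as a reference to the `google_kms_crypto_key` resource rather than a hard-coded string lets Terraform order the key, its IAM binding and the processor correctly and keeps the key name from drifting between environments.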
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1007 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_GCP_22 |