Vertex AI endpoint is not using a Customer Managed Key (CMK)
Description
This policy checks that a Vertex AI endpoint is configured to use a Customer Managed Key (CMK). This matters because a CMK lets the organization keep control over its own encryption keys, which adds a further layer of protection: data encrypted with a CMK can only be read by a principal that is allowed to use that key, and the organization can rotate, disable or revoke it. Without a CMK, the organization relies solely on Google-managed keys, which may leave it more exposed to data breaches and removes its ability to cut off access by disabling the key.
Code Example
```hcl
resource "google_vertex_ai_endpoint" "endpoint" {
  ...
  encryption_spec {
    # Full resource name of the CMK; "some_name" is a placeholder
    kms_key_name = "some_name"
    ...
  }
  ...
}
```
Remediation
Terraform
- Resource: google_vertex_ai_endpoint
- Arguments: encryption_spec
To fix the issue, modify the Terraform code for the Vertex AI endpoint so that it uses a customer managed key (CMK) instead of the default Google-managed key. Add an "encryption_spec" block to the Vertex AI endpoint resource and set its "kms_key_name" argument to the full resource name of the Cloud KMS key the endpoint should use.
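The following is an added end-to-end remediation example; it is not code from the policy page, from Checkov, or from Google's documentation. It creates the KMS key ring and key, grants the Vertex AI service agent permission to use the key (an endpoint with a CMK cannot be created if the service agent lacks that role), and then references the key from the endpoint. The resource names, the `var.project_id` variable, the `us-central1` region and the use of the `google-beta` provider for `google_project_service_identity` are assumptions for this example.

```hcl
# Key ring and key in the same region as the endpoint (Vertex AI CMEK
# requires the key and the resource to share a location).
resource "google_kms_key_ring" "vertex" {
  name     = "vertex-ai-keyring"   # assumed name
  location = "us-central1"         # assumed region
}

resource "google_kms_crypto_key" "vertex" {
  name            = "vertex-ai-endpoint-key"  # assumed name
  key_ring        = google_kms_key_ring.vertex.id
  rotation_period = "7776000s"                # rotate every 90 days

  # Destroying the key would make every resource encrypted with it unreadable.
  lifecycle {
    prevent_destroy = true
  }
}

# Ensure the Vertex AI service agent exists so it can be granted key access.
resource "google_project_service_identity" "vertex" {
  provider = google-beta
  project  = var.project_id          # assumed variable
  service  = "aiplatform.googleapis.com"
}

# Least-privilege grant: the service agent may only encrypt/decrypt with
# this one key, not administer it.
resource "google_kms_crypto_key_iam_member" "vertex_cmek" {
  crypto_key_id = google_kms_crypto_key.vertex.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_project_service_identity.vertex.email}"
}

# The endpoint now passes CKV2_GCP_24: encryption_spec references a CMK.
resource "google_vertex_ai_endpoint" "endpoint" {
  name         = "cmek-endpoint"    # assumed name
  display_name = "cmek-endpoint"
  location     = "us-central1"

  encryption_spec {
    # Full resource name: projects/.../locations/.../keyRings/.../cryptoKeys/...
    kms_key_name = google_kms_crypto_key.vertex.id
  }

  # The IAM binding must exist before the endpoint tries to use the key.
  depends_on = [google_kms_crypto_key_iam_member.vertex_cmek]
}
```

After applying, a `checkov -d . --check CKV2_GCP_24` run should report the endpoint as passed; the check fails whenever the `encryption_spec` block is missing from a `google_vertex_ai_endpoint` resource.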
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1009 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_GCP_24 |