Vertex AI workbench instance disks not encrypted with a Customer Managed Key (CMK)
Description
This policy checks whether the disks of Vertex AI Workbench instances in Google Cloud Platform (GCP) are encrypted with a Customer Managed Key (CMK). A CMK gives you control over the cryptographic keys that protect the disks: you decide where the key lives, who may use it, when it rotates, and when it is disabled or destroyed. If this policy is not followed, the default Google-managed encryption is used and Google controls the keys. Where strict compliance or data ownership requirements apply, letting Google manage the encryption key may not be acceptable. Not employing a CMK therefore reduces your control over data security and can leave data less protected than your requirements demand.
Code Example
```hcl
resource "google_workbench_instance" "example" {
  # ... other arguments ...
  gce_setup {
    # ... other arguments ...
    boot_disk {
      # ... other arguments ...
      kms_key = google_kms_crypto_key.example.id
    }
  }
  # ... other arguments ...
}
```
Remediation
Terraform
- Resource: google_workbench_instance
- Arguments: gce_setup.boot_disk.kms_key, gce_setup.data_disks.kms_key
To fix the issue, set gce_setup.boot_disk.kms_key, and gce_setup.data_disks.kms_key for each data disk, to a Customer Managed Key (CMK) so that every disk of the Vertex AI Workbench instance is encrypted with a key you control.
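The following is an added, complete configuration (not code from the original page or from Checkov) that satisfies the rule for both the boot disk and a data disk. It also shows the two things the bare kms_key argument does not: the key ring must be created in the same region as the instance's zone, and the service agent that encrypts the disks must be granted the encrypter/decrypter role on the key before the instance is created. The project ID, project number, resource names, region and disk sizes are placeholders, and the use of the Compute Engine service agent (service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com) as the identity that needs the key grant is an assumption to verify against your provider and project setup.

```hcl
# Added example (not from the original page): Vertex AI Workbench instance whose
# boot disk and data disk are both encrypted with a customer-managed KMS key.
# Project ID, project number, names, region and sizes are placeholders.

variable "project_id" {
  type    = string
  default = "my-project-id" # placeholder
}

variable "project_number" {
  type    = string
  default = "123456789012" # placeholder; numeric project number, not the ID
}

# The key ring must be in the same region as the instance's zone (us-central1-a below).
resource "google_kms_key_ring" "workbench" {
  name     = "workbench-keyring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "workbench" {
  name            = "workbench-disk-key"
  key_ring        = google_kms_key_ring.workbench.id
  rotation_period = "7776000s" # 90 days; automatic rotation is part of owning the key
  purpose         = "ENCRYPT_DECRYPT"
}

# Assumption: the Compute Engine service agent performs the disk encryption, so it
# needs encrypter/decrypter on the key. Without this grant, instance creation fails.
resource "google_kms_crypto_key_iam_member" "compute_agent" {
  crypto_key_id = google_kms_crypto_key.workbench.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${var.project_number}@compute-system.iam.gserviceaccount.com"
}

resource "google_workbench_instance" "example" {
  name     = "cmek-workbench"
  location = "us-central1-a"
  project  = var.project_id

  gce_setup {
    machine_type = "e2-standard-4"

    # Compliant: boot disk uses the customer-managed key.
    boot_disk {
      disk_type       = "PD_BALANCED"
      disk_size_gb    = 150
      disk_encryption = "CMEK"
      kms_key         = google_kms_crypto_key.workbench.id
    }

    # Compliant: the data disk uses the same customer-managed key. Omitting kms_key
    # here would leave the data disk on Google-managed encryption and fail the rule.
    data_disks {
      disk_type       = "PD_BALANCED"
      disk_size_gb    = 100
      disk_encryption = "CMEK"
      kms_key         = google_kms_crypto_key.workbench.id
    }
  }

  # Make sure the key grant exists before the instance tries to use the key.
  depends_on = [google_kms_crypto_key_iam_member.compute_agent]
}
```

The kms_key value is the full key resource name (projects/.../locations/.../keyRings/.../cryptoKeys/...), which is what the google_kms_crypto_key resource's id attribute yields. Because the policy evaluates every disk, a resource that sets kms_key on boot_disk but declares data_disks without it still fails; keep the data disk block in the same shape as the boot disk block.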
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1012 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_GCP_27 |