
Unencrypted storage bucket.

Explanation

Google Cloud Storage buckets should declare an encryption block so that the configuration states explicitly how objects are encrypted at rest. Cloud Storage always encrypts stored objects with Google-managed keys by default; the encryption block is where a customer-managed key (CMEK) held in Cloud KMS is named via default_kms_key_name, which gives you control over key rotation, access to the key, and the ability to revoke it.

When specifying an encryption block, omitting default_kms_key_name defers to Google-managed encryption. The GCP002 check accepts an empty block, but note that the Terraform google provider marks default_kms_key_name as a required argument of the encryption block, so an empty block satisfies the check while still being rejected by terraform validate. In practice, name a key.

Insecure Example

The following example will fail the GCP002 check.

resource "google_storage_bucket" "my-bucket" {
  # ...
  # no encryption block specified: the bucket relies on the default
  # Google-managed encryption and nothing in the configuration says so
  # ...
}

Secure Example

Either of the following examples will pass the GCP002 check. They are alternatives, not one configuration: both resources use the same resource name and would conflict if placed in the same module.

resource "google_storage_bucket" "my-bucket" {
  # Passes the check, but the provider requires default_kms_key_name
  # inside encryption, so prefer the second form.
  encryption {}
}

resource "google_storage_bucket" "my-bucket" {
  encryption {
    # default_kms_key_name takes the full Cloud KMS key resource name;
    # the project, location, key ring and key below are illustrative.
    default_kms_key_name = "projects/my-project/locations/us/keyRings/my-keyring/cryptoKeys/my-key"
  }
}
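The following is an added example, not part of the original page or of tfsec, showing the complete customer-managed key setup that the check is steering you towards. The resource names, key ring location, rotation period and bucket name are illustrative assumptions. A bucket can only write with a CMEK once the project's Cloud Storage service agent has been granted the Encrypter/Decrypter role on that key, and the key must live in the same location as the bucket, so the IAM grant is created before the bucket and the key ring is placed in the matching multi-region:

```hcl
# Cloud Storage service agent for the current project; it performs the
# KMS encrypt/decrypt calls on behalf of the bucket.
data "google_storage_project_service_account" "gcs" {}

# Key ring location must match the bucket location ("us" for a "US" bucket).
# Names are assumptions for this example.
resource "google_kms_key_ring" "bucket" {
  name     = "bucket-keyring"
  location = "us"
}

resource "google_kms_crypto_key" "bucket" {
  name            = "bucket-key"
  key_ring        = google_kms_key_ring.bucket.id
  rotation_period = "7776000s" # 90 days, an assumed policy
}

# Without this grant, object writes to the bucket fail with a permission error.
resource "google_kms_crypto_key_iam_member" "gcs_can_use_key" {
  crypto_key_id = google_kms_crypto_key.bucket.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "my-bucket" {
  name     = "my-bucket-example" # assumed, must be globally unique
  location = "US"

  encryption {
    # The key's id attribute is the full resource name the bucket expects.
    default_kms_key_name = google_kms_crypto_key.bucket.id
  }

  # Make sure the IAM grant exists before the bucket starts using the key.
  depends_on = [google_kms_crypto_key_iam_member.gcs_can_use_key]
}
```

Referencing the key by resource attribute rather than a hard-coded string keeps the bucket, key and IAM grant in one dependency graph, so terraform plan surfaces a missing or renamed key instead of it failing at write time.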