Unencrypted storage bucket.
Explanation
Google storage buckets should have an encryption block to ensure that the data is encrypted at rest.
When you specify an encryption block without the optional default_kms_key_name, you defer to Google Provided Encryption.
Insecure Example
The following example will fail the GCP002 check.
resource "google_storage_bucket" "my-bucket" {
  # ...
  # no encryption block specified
  # ...
}
Secure Example
The following example will pass the GCP002 check.
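# encryption block present, key omitted: Google Provided Encryption is used
resource "google_storage_bucket" "my-bucket" {
  encryption {}
}

# encryption block with default_kms_key_name set
resource "google_storage_bucket" "my-bucket" {
  encryption {
    default_kms_key_name = "my-key"
  }
}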
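
The same three cases (no encryption block, block without default_kms_key_name, block with a key) can be audited from the JSON that `terraform show -json` produces for a plan. The following Python is an added example, not the GCP002 check's own code; the sample data, the bucket addresses, the key path and the `[{}]` representation of an empty encryption block are constructed assumptions.

```python
# Constructed sample in the shape of `terraform show -json` planned_values.
# Addresses and the key path are made up; representing an empty
# `encryption {}` block as [{}] is an assumption.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "google_storage_bucket.no_block",
         "type": "google_storage_bucket",
         "values": {"encryption": []}},
        {"address": "google_storage_bucket.cmek",
         "type": "google_storage_bucket",
         "values": {"encryption": [{"default_kms_key_name":
             "projects/p/locations/l/keyRings/r/cryptoKeys/k"}]}},
    ],
    "child_modules": [{
        "address": "module.logs",
        "resources": [
            {"address": "module.logs.google_storage_bucket.empty_block",
             "type": "google_storage_bucket",
             "values": {"encryption": [{}]}},
        ],
    }],
}}}

def iter_resources(module):
    """Yield resources from a module and every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def classify_buckets(plan):
    """Map each bucket address to 'missing', 'google-managed' or 'cmek'."""
    root = plan.get("planned_values", {}).get("root_module", {})
    result = {}
    for res in iter_resources(root):
        if res.get("type") != "google_storage_bucket":
            continue
        blocks = (res.get("values") or {}).get("encryption") or []
        if not blocks:
            state = "missing"          # no encryption block: fails the check
        elif any(b.get("default_kms_key_name") for b in blocks):
            state = "cmek"             # customer-managed KMS key configured
        else:
            state = "google-managed"   # block present, key omitted
        result[res["address"]] = state
    return result

if __name__ == "__main__":
    for address, state in classify_buckets(SAMPLE_PLAN).items():
        print(f"{address}: {state}")
```

Buckets declared inside modules are included because the walk recurses through child_modules.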