SYM_CONF_0172 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Key Management Errors
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-320: CWE CATEGORY: Key Management Errors |
OWASP | A03:2017 - Sensitive Data Exposure |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
This code creates a Google Pub/Sub topic in Terraform without specifying a customer-managed encryption key (CMEK). As a result, the topic will use default Google-managed encryption instead of your own keys, reducing control over data protection.
Impact
Without a customer-managed key, sensitive messages published to this topic are protected only by keys you do not control, increasing the risk of unauthorized access or exposure. Relying on Google-managed encryption also limits your ability to manage key rotation, revoke access, or comply with strict security and regulatory requirements.