SYM_CONF_0182 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Missing Encryption of Sensitive Data
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-311: Missing Encryption of Sensitive Data |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The VM boot disk is not configured to use customer-supplied encryption keys (CSEK) or a customer-managed KMS key, leaving sensitive data on the disk encrypted only with default Google-managed keys. This means you have less control over how your data is protected at rest.
Impact
If the VM boot disk isn't encrypted with your own keys, Google manages the disk encryption, which could expose sensitive data if Google's environment is compromised or if someone gains unauthorized access to your cloud account. Attackers or unauthorized insiders may then read the data on the disk, increasing the risk of data breaches and compliance violations.
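As an added example (not code from the Symbiotic database or this page), the following Python check classifies each VM's boot disk by key source and lists the instances that rely on Google-managed keys only. It assumes the Compute Engine instance resource shape, where a disk protected by a customer-managed key carries `diskEncryptionKey.kmsKeyName` and one protected by a CSEK carries `diskEncryptionKey.sha256`; the sample instances are constructed.

```python
"""Flag VM boot disks that rely only on Google-managed default keys (CWE-311).

Added illustration for this check, not part of the Symbiotic database.
Assumed input shape: the Compute Engine instance resource, where each
instance has a `disks` list; a CMEK-protected disk has
`diskEncryptionKey.kmsKeyName`, a CSEK-protected disk has
`diskEncryptionKey.sha256` (the raw key itself is never returned).
"""
from typing import Iterable


def boot_disk_key_source(instance: dict) -> str:
    """Classify how the instance's boot disk is encrypted.

    Returns "cmek" (customer-managed Cloud KMS key), "csek"
    (customer-supplied key) or "google-managed" (default keys only).
    Raises ValueError if no boot disk is attached.
    """
    boot_disks = [d for d in instance.get("disks", []) if d.get("boot")]
    if not boot_disks:
        raise ValueError(f"{instance.get('name')}: no boot disk attached")
    key = boot_disks[0].get("diskEncryptionKey") or {}
    if key.get("kmsKeyName"):
        return "cmek"
    if key.get("sha256") or key.get("rawKey"):
        return "csek"
    return "google-managed"


def find_unprotected_boot_disks(instances: Iterable[dict]) -> list:
    """Return names of instances whose boot disk uses only default keys."""
    return [
        inst["name"]
        for inst in instances
        if boot_disk_key_source(inst) == "google-managed"
    ]


# Constructed sample data: only "legacy-db" should be flagged.
SAMPLE_INSTANCES = [
    {"name": "web-1", "disks": [{"boot": True, "diskEncryptionKey": {
        "kmsKeyName": "projects/p/locations/us/keyRings/r/cryptoKeys/k"}}]},
    {"name": "web-2", "disks": [{"boot": True, "diskEncryptionKey": {
        "sha256": "<constructed-csek-fingerprint>"}}]},
    {"name": "legacy-db", "disks": [{"boot": False}, {"boot": True}]},
]

if __name__ == "__main__":
    for name in find_unprotected_boot_disks(SAMPLE_INSTANCES):
        print(f"SYM_CONF_0182: {name} boot disk uses Google-managed keys only")
```

Run against real data by feeding it the `items` list from a `compute.instances.list` response; an empty `diskEncryptionKey` object is treated the same as a missing one.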