SYM_CONF_0191 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Key Management Errors
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-320: CWE CATEGORY: Key Management Errors |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The Artifact Registry repository is not configured to use a customer-managed encryption key (CMEK) for data encryption. This means sensitive data stored in the repository relies solely on default Google-managed keys, limiting your control over key management and rotation.
Impact
Without customer-managed encryption keys, you cannot enforce your own security policies for key access, rotation, or revocation. If Google's default keys are compromised or misused, attackers could potentially access or decrypt sensitive artifacts stored in the repository, increasing the risk of data exposure or regulatory non-compliance.
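The finding described above, shown as Terraform with the flagged repository beside a CMEK-backed one. This is an added example, not taken from the Symbiotic database or from Google's documentation; it assumes the repository is managed with the Terraform `google` provider, and every name, region and the rotation period are constructed values.

```hcl
# Added example. All names, the region and the rotation period are constructed.
data "google_project" "current" {}

# Flagged: kms_key_name is absent, so the repository is encrypted with
# Google-managed keys only.
resource "google_artifact_registry_repository" "default_encryption" {
  location      = "europe-west1"
  repository_id = "images-default"
  format        = "DOCKER"
}

# Corrected: a key you own, in the same location as the repository.
resource "google_kms_key_ring" "artifacts" {
  name     = "artifact-registry"
  location = "europe-west1" # must match the repository location
}

resource "google_kms_crypto_key" "artifacts" {
  name            = "artifact-registry-cmek"
  key_ring        = google_kms_key_ring.artifacts.id
  rotation_period = "7776000s" # 90 days

  lifecycle {
    prevent_destroy = true # losing the key makes the artifacts unreadable
  }
}

# The Artifact Registry service agent must be allowed to use the key;
# without this grant, repository creation with CMEK fails.
resource "google_kms_crypto_key_iam_member" "ar_agent" {
  crypto_key_id = google_kms_crypto_key.artifacts.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
}

resource "google_artifact_registry_repository" "cmek" {
  location      = "europe-west1"
  repository_id = "images-cmek"
  format        = "DOCKER"
  kms_key_name  = google_kms_crypto_key.artifacts.id

  depends_on = [google_kms_crypto_key_iam_member.ar_agent]
}
```

The encryption key is chosen when the repository is created, so remediating an existing repository means creating a new CMEK-backed repository and migrating its artifacts.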