SYM_CONF_0204 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Key Management Errors
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-320: CWE CATEGORY: Key Management Errors |
OWASP | A03:2017 - Sensitive Data Exposure |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
The Dataproc cluster is not configured to use a customer-managed encryption key (CMEK) for encrypting data at rest. This means Google Cloud's default keys are used instead of your own keys, reducing your control over data protection.
Impact
Without customer-managed encryption keys, sensitive data stored in the cluster could be accessed if Google's default keys are compromised or subpoenaed. This may lead to unauthorized data exposure and non-compliance with organizational or regulatory requirements.
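One way to audit for this finding, as an added example that is not the rule's own implementation: the code below inspects cluster descriptions in the Dataproc API JSON shape, where the persistent-disk CMEK is set in `config.encryptionConfig.gcePdKmsKeyName`. The project, cluster and key names in the sample are constructed, and the status labels are hypothetical.

```python
import re

# Cloud KMS crypto key resource name (no key-version suffix).
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)

# Constructed sample: trimmed cluster objects shaped like Dataproc API output.
SAMPLE_CLUSTERS = [
    {"projectId": "example-project", "clusterName": "analytics-default",
     "config": {"gceClusterConfig": {}}},
    {"projectId": "example-project", "clusterName": "etl-empty",
     "config": {"encryptionConfig": {}}},
    {"projectId": "example-project", "clusterName": "etl-cmek",
     "config": {"encryptionConfig": {"gcePdKmsKeyName":
         "projects/example-project/locations/us-central1/"
         "keyRings/dataproc-ring/cryptoKeys/dataproc-key"}}},
    {"projectId": "example-project", "clusterName": "ml-badkey",
     "config": {"encryptionConfig": {"gcePdKmsKeyName": "dataproc-key"}}},
]


def cmek_status(cluster):
    """Classify one cluster as 'cmek', 'default-key' or 'malformed-key'."""
    enc = (cluster.get("config") or {}).get("encryptionConfig") or {}
    key = enc.get("gcePdKmsKeyName") or ""
    if not key:
        # Missing or empty setting: Google Cloud's default keys are in use.
        return "default-key"
    if not KMS_KEY_RE.match(key):
        # A value is set but is not a full crypto key resource name.
        return "malformed-key"
    return "cmek"


def audit(clusters):
    """Return (project, cluster, status) for every cluster that is not CMEK-protected."""
    findings = []
    for cluster in clusters:
        status = cmek_status(cluster)
        if status != "cmek":
            findings.append((cluster.get("projectId", "?"),
                             cluster.get("clusterName", "?"), status))
    return findings


if __name__ == "__main__":
    for project, name, status in audit(SAMPLE_CLUSTERS):
        print(f"SYM_CONF_0204 {project}/{name}: {status}")
```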