SYM_CONF_0221 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Key Management Errors
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-320: CWE CATEGORY: Key Management Errors |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The Spanner database is not configured to use a customer-managed encryption key (CMEK) for data encryption. This means Google Cloud manages the encryption keys instead of your organization, reducing control over data security.
Impact
Without customer-managed keys, your organization has less control over who can access encrypted data. If Google's keys are compromised or misused, sensitive data in the Spanner database could be exposed, increasing the risk of unauthorized access or regulatory non-compliance.