Ensure GCP Vertex AI Metadata Store uses a Customer Managed Key (CMK)

Error: GCP Vertex AI Metadata Store does not use a Customer Managed Key (CMK)

Bridgecrew Policy ID: BC_GCP_GENERAL_25
Checkov Check ID: CKV_GCP_96
Severity: LOW

Description

This policy identifies Vertex AI Metadata Stores that are encrypted with Google-managed default keys rather than with customer-managed Cloud KMS keys. It is a best practice to encrypt Vertex AI Metadata Store data with a customer-managed KMS key: you control the key's lifecycle (rotation, disabling, destruction) and its access policy, which gives you full control over who can decrypt the stored data.

Fix - Runtime

TBD

Fix - Buildtime

Terraform

  • Resource: google_vertex_ai_metadata_store
  • Arguments: region.encryption_spec.kms_key_name
```hcl
resource "google_vertex_ai_metadata_store" "pass" {
  name        = "test-store"
  description = "Store to test the terraform module"
  region      = "us-central1"

  # Setting encryption_spec.kms_key_name makes the check pass. kms_key_name must be the
  # full Cloud KMS resource id (projects/.../locations/.../keyRings/.../cryptoKeys/...),
  # which the crypto key's .id attribute provides; .name would only yield the short name.
  encryption_spec {
    kms_key_name = google_kms_crypto_key.example.id
  }
}
```
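A fuller version of the passing configuration, added here as an illustration and not taken from the Bridgecrew page or the Checkov project: it provisions the key ring and key in the store's region, grants the Vertex AI service agent the KMS role it needs to use the key, and places a failing store beside a passing one. The project id variable, resource names and region are assumptions.

```hcl
# Added example: assumed project id, names and region; adjust to your environment.
variable "project_id" { type = string }

data "google_project" "this" {
  project_id = var.project_id
}

# The key ring must be in the same region as the Metadata Store it protects.
resource "google_kms_key_ring" "vertex" {
  name     = "vertex-ai-keyring"
  location = "us-central1"
  project  = var.project_id
}

resource "google_kms_crypto_key" "vertex" {
  name            = "vertex-ai-metadata-key"
  key_ring        = google_kms_key_ring.vertex.id
  rotation_period = "7776000s" # rotate every 90 days
  lifecycle {
    prevent_destroy = true # destroying the key makes the store's data unrecoverable
  }
}

# The Vertex AI service agent must be allowed to encrypt/decrypt with the key,
# otherwise creating the CMEK-protected store fails.
resource "google_kms_crypto_key_iam_member" "vertex_agent" {
  crypto_key_id = google_kms_crypto_key.vertex.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@gcp-sa-aiplatform.iam.gserviceaccount.com"
}

# FAIL (CKV_GCP_96): no encryption_spec, so a Google-managed default key is used.
resource "google_vertex_ai_metadata_store" "fail" {
  name   = "default-key-store"
  region = "us-central1"
}

# PASS (CKV_GCP_96): kms_key_name carries the full key resource id via .id.
resource "google_vertex_ai_metadata_store" "pass" {
  name   = "cmk-store"
  region = "us-central1"

  encryption_spec {
    kms_key_name = google_kms_crypto_key.vertex.id
  }

  depends_on = [google_kms_crypto_key_iam_member.vertex_agent]
}
```

Running `checkov -d . --check CKV_GCP_96` against this directory reports the `fail` resource as FAILED and the `pass` resource as PASSED.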