
I'm using Terraform to manage Google Cloud Platform (GCP) resources. I use the Google Cloud Storage backend to store the state file. GCP provides a managed Key Management Service, so it is possible to manage keys and easily enable encryption on a bucket with those keys. So I'm using the following to encrypt my backend bucket (test-terraform-state; this bucket will only contain Terraform state).

variable my-project {}
variable my-region {}

provider "google" {
  project = "${var.my-project}"
  region  = "${var.my-region}"
  version = "1.19.1"
}

resource "google_kms_key_ring" "test-terraform-state" {
  name     = "test-terraform-state"
  location = "${var.my-region}"
}

resource "google_kms_crypto_key" "test-terraform-state-bucket" {
  name            = "test-terraform-state-bucket"
  key_ring        = "${google_kms_key_ring.test-terraform-state.self_link}"
  rotation_period = "86400s"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_storage_bucket" "test-terraform-state" {
  name = "test-terraform-state"

  location      = "${var.my-region}"
  storage_class = "REGIONAL"

  versioning {
    enabled = true
  }

  encryption {
    default_kms_key_name = "${google_kms_crypto_key.test-terraform-state-bucket.self_link}"
  }
}

So my question is: bucket contents (Terraform state(s) here) can be encrypted, but is it really useful? If there are policies on the bucket, something like "only some users can access it (read/write)", does adding encryption have benefits? I only see here an extra layer of security (necessary?), because people will need access to this bucket + the role roles/cloudkms.cryptoKeyEncrypterDecrypter to access the contents. But I think I'm missing some use-cases justifying Terraform state encryption.

norbjd

1 Answer

I don't know enough about GCP, but in AWS it's pretty typical to give reasonably wide read permissions to unprivileged users/roles, with many users given the AWS managed ReadOnly policy that allows reading everything, including getting objects from every bucket.

Encrypting the state file with a specific KMS key that unprivileged users don't get decrypt access to provides an extra way of controlling access to the state files and the potentially sensitive information in them.

Even if this isn't the case in GCP it still provides another layer of security on the off chance things change and someone unprivileged is accidentally given wide read permissions on your state file bucket.

As an extra AWS-specific thing, buckets aren't encrypted at rest by default (not an issue with Google Cloud Storage, as it is encrypted at rest by default), so it would technically be possible for an improperly disposed-of disk to have data read off it, including any state file secrets.

ydaetskcoR
  • Thanks for the explanation! By the way, I did not know data on Google Cloud Storage was encrypted by default. Thanks also for reminding me that if someone gets accidental access to the bucket, he could read all **sensitive data** stored in the Terraform state. That point is enough to make me think that encrypting remote state is useful. – norbjd Nov 30 '18 at 14:12
  • The bit about using KMS keys as _an extra way of controlling access_ isn't possible. During the process of binding a KMS key to a GCS bucket, you grant a GCS service account privileges to use that key for encryption and decryption on behalf of all GCS callers. https://cloud.google.com/storage/docs/encryption/customer-managed-keys – bdhess Nov 30 '18 at 16:14
  • @bdhess If you can expand on that and what benefits there really are to using customer managed KMS keys to encrypt the state files (potentially contain secrets in plain text) if you know GCP more than I do then that would be great. I was under the impression that service accounts are the equivalent of AWS IAM roles in which case that would still be beneficial as described but if I'm wrong and you have a better/more complete answer then I'd be happy to delete this answer as the question was GCP focused. – ydaetskcoR Nov 30 '18 at 19:02
  • I found some links [1](https://cloud.google.com/blog/products/gcp/focus-on-security-bigquery-announces-support-for-customer-managed-encryption-keys-and-custom-roles-for-identity-access-and-management), [2](https://cloud.google.com/iam/docs/creating-managing-service-account-keys), [3](https://cloud.google.com/kms/docs/secret-management) that provide some interesting approaches on managing 'Service Account Keys', 'Secret management with Cloud KMS', etc. – Digil Dec 07 '18 at 15:25
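The answer and the comment from bdhess disagree on who actually holds the decrypt permission. The configuration below is an added example, not code from the question or any of the posters, that makes the GCP model explicit: the KMS role roles/cloudkms.cryptoKeyEncrypterDecrypter is granted to the project's Cloud Storage service agent (which encrypts and decrypts on behalf of every caller), so the per-user gate on the state file is the bucket's own IAM policy. It reuses the key ring and crypto key resource names from the question, assumes Terraform 0.12+ syntax (no "${...}" wrapping) and a recent google provider, and introduces a hypothetical variable, state_admins, for the identities allowed to read and write state.

```hcl
# Added example; assumes the google_kms_crypto_key.test-terraform-state-bucket
# resource from the question already exists in this configuration.

# Hypothetical input: the only principals that may read or write Terraform state.
variable "state_admins" {
  type = list(string)
  # e.g. ["group:terraform-admins@example.com"]  (placeholder value)
}

# The project's Cloud Storage service agent. This is the identity that GCS uses
# to call KMS for every object read/write, not the end user making the request.
data "google_storage_project_service_account" "gcs" {}

# Grant the key to the service agent only. Individual users never need this
# role to read state; giving it to them adds nothing to the bucket's access control.
resource "google_kms_crypto_key_iam_member" "gcs_service_agent" {
  crypto_key_id = google_kms_crypto_key.test-terraform-state-bucket.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "test-terraform-state" {
  name          = "test-terraform-state"
  location      = var.my-region
  storage_class = "REGIONAL"

  # Uniform bucket-level access disables per-object ACLs, so the IAM binding
  # below is the single place that decides who can read the state file.
  uniform_bucket_level_access = true

  versioning {
    enabled = true
  }

  encryption {
    default_kms_key_name = google_kms_crypto_key.test-terraform-state-bucket.id
  }

  # The bucket cannot write objects with the CMEK until the service agent
  # has been granted the key, so order the creation explicitly.
  depends_on = [google_kms_crypto_key_iam_member.gcs_service_agent]
}

# The actual access control on the state: an authoritative binding, so anyone
# not listed in var.state_admins is removed from this role on the bucket.
resource "google_storage_bucket_iam_binding" "state_admins" {
  bucket  = google_storage_bucket.test-terraform-state.name
  role    = "roles/storage.objectAdmin"
  members = var.state_admins
}
```

What the customer-managed key still buys you, even though it is not a per-user gate, is control over the key's lifecycle: the key lives in your project under your IAM and audit logs, and disabling or destroying its versions makes every object encrypted under it unreadable regardless of who holds bucket permissions. Read access to the state itself is decided entirely by the google_storage_bucket_iam_binding above.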