GCP Labs
Explore 2 labs in GCP.
The GCP instance is not configured to use a customer-managed encryption key (CMEK): the Terraform resource does not set encryption_key_name, so data at rest is encrypted with Google-managed keys rather than a Cloud KMS key controlled by the organisation.
While GCP provides default encryption at rest, relying only on Google-managed keys may not satisfy organisational, regulatory, or compliance requirements where explicit customer control over encryption keys is required. Without CMEK, the organisation loses direct control over key rotation, access governance, revocation, separation of duties, and key-level auditability.
This can increase the risk of non-compliance and reduce the organisation’s ability to respond effectively to suspected compromise, insider misuse, or changes in data protection requirements. Sensitive workloads, business-critical systems, analytics data, logs, or operational records should use customer-managed encryption keys where stronger key ownership and governance are required.
Configure the GCP instance to use a customer-managed encryption key by setting encryption_key_name to the appropriate Cloud KMS key in the Terraform resource. Ensure the key is created and managed according to organisational key management standards, with appropriate IAM permissions, rotation policies, monitoring, and audit logging enabled. Infrastructure-as-code security tests should validate that sensitive GCP resources explicitly reference an approved CMEK before deployment.
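One way to implement the pre-deployment test described above, as an added example that is not part of the lab or its solution: it reads the JSON that `terraform show -json tfplan` produces, walks every module, and fails any instance whose encryption_key_name is absent, not in an approved Cloud KMS key ring, or in a different region from the instance. It assumes the "GCP instance" is google_sql_database_instance (where encryption_key_name is a top-level argument) and that the organisation's approved keys live in a key ring named prod-cmek; both are assumptions, as is the constructed sample plan.

```python
import json
import re
import sys

# Assumption: the lab's instance is google_sql_database_instance (encryption_key_name is top-level).
CMEK_ATTRIBUTE = {"google_sql_database_instance": "encryption_key_name"}

# Assumption: the organisation's KMS standard only approves keys in the "prod-cmek" key ring.
APPROVED_KEY = re.compile(
    r"^projects/[a-z0-9-]+/locations/(?P<loc>[a-z0-9-]+)/keyRings/prod-cmek/cryptoKeys/[a-z0-9-]+$"
)

def iter_resources(module):
    """Yield every resource in a `terraform show -json` module, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_cmek_violations(plan):
    """Return [(address, reason)] for resources that would fall back to Google-managed keys."""
    violations = []
    for res in iter_resources(plan.get("planned_values", {}).get("root_module", {})):
        attr = CMEK_ATTRIBUTE.get(res.get("type"))
        if attr is None:
            continue
        values = res.get("values") or {}
        key = values.get(attr)
        match = APPROVED_KEY.match(key) if key else None
        # A value unknown until apply time is also absent from planned_values, so this fails closed.
        if not key:
            violations.append((res["address"], f"{attr} not set: Google-managed key would be used"))
        elif match is None:
            violations.append((res["address"], f"{attr} is not an approved CMEK: {key}"))
        elif match.group("loc") != values.get("region"):  # Cloud SQL CMEK must live in the instance's region
            violations.append((res["address"], f"{attr} is in a different region from the instance"))
    return violations

# Constructed sample plan: one instance with no CMEK, one compliant instance.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "google_sql_database_instance.orders", "type": "google_sql_database_instance",
     "values": {"name": "orders-db", "region": "europe-west2"}},
    {"address": "google_sql_database_instance.billing", "type": "google_sql_database_instance",
     "values": {"name": "billing-db", "region": "europe-west2", "encryption_key_name":
                "projects/example-prj/locations/europe-west2/keyRings/prod-cmek/cryptoKeys/sql-key"}},
]}}}

if __name__ == "__main__":  # usage: python check_cmek.py tfplan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, reason in find_cmek_violations(plan):
        print(f"FAIL {address}: {reason}")
```

Run it in CI against the plan file and fail the pipeline on any printed FAIL line; extend CMEK_ATTRIBUTE with other resource types (and their key attribute names) that your standard classifies as sensitive.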