Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible

MEDIUM

Description

Description:

It is recommended that the IAM policy on Cloud KMS 'cryptokeys' should restrict anonymous and/or public access.

Rationale:

Granting permissions to 'allUsers' or 'allAuthenticatedUsers' allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS 'cryptokey' is not allowed.

Removing the binding for 'allUsers' and 'allAuthenticatedUsers' members denies accessing 'cryptokeys' to anonymous or public users.

Remediation

From Google Cloud CLI

List all Cloud KMS 'Cryptokeys'.

gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

Remove IAM policy binding for a KMS key to remove access to 'allUsers' and 'allAuthenticatedUsers' using the below command.

gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'

gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'

Policy Details

Rule Reference ID: AC_GCP_0313

CSP: GCP

Remediation Available: No

Domain: Data Protection

Resource: google_kms_crypto_key

Resource Category: Management

Resource Type: Cloud Key Management

Frameworks

CIS Google Cloud Platform Foundations v2.0.0 Level 1
CIS Google Cloud Platform Foundations v1.3.0 Level 1
CSCv8
NIST-800-53
NIST-800-171
NIST-CSF
GDPR
HIPAA
ISO-27001
CSCv7
CIS Google Cloud Platform Foundations v1.2.0 Level 1

Detections

Analytics