🛡️ Google Project with KMS keys has a principal with Owner role🟢

Contextual name: 🛡️ Project with KMS keys has a principal with Owner role🟢
ID: /ce/ca/google/iam/kms-project-has-owner
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Google Project
- 🔌 Google Cloud KMS Crypto Key - object.extracts.yaml
- 🔌 Google IAM Role - object.extracts.yaml
- 🔌 Google Project - object.extracts.yaml
- 🔌 Google IAM Policy Binding - object.extracts.yaml
- 🧪 test-data.json

Description

Description

This policy identifies Google Projects that contain one or more Cloud KMS cryptographic keys and have at least one principal (user, group, or service account) assigned the primitive roles/owner role.

Rationale

The roles/owner role is a highly privileged primitive role that grants full administrative access to all resources within a project, including Cloud KMS keys. This permission allows principals to create, delete, modify, and use keys for cryptographic operations such as encryption and decryption.

Assigning the Owner role in projects containing sensitive cryptographic keys violates the principle of least privilege and the security best practice of separation of duties. A single compromised Owner account could lead to the exposure, misuse, or destruction of sensitive encrypted data.

Audit

This policy flags a Google Project as INCOMPLIANT if it contains at least one Google Cloud KMS Crypto Key and has a related IAM Policy Binding with the roles/owner role.

Remediation

Open File

Remediation

From Google Cloud Console

Navigate to IAM & Admin - IAM: https://console.cloud.google.com/iam-admin/iam

Locate any principals (users, groups, or service accounts) assigned the Owner (roles/owner) role within the project.

Click the Delete Bin icon to remove the Owner role from the principal.

Assign a more granular role (e.g., roles/editor, roles/viewer, or a specific KMS-related predefined/custom role**) based on the user’s job responsibilities.

Note: Role removal should be performed carefully to ensure users retain the permissions necessary for their tasks.

From gcloud CLI
Remove the Owner role from the principal:
gcloud projects remove-iam-policy-binding {{project-id}} \
    --member="{{principal-type}}:{{principal-email}}" \
    --role="roles/owner"
Assign a least-privilege role appropriate for the principal’s responsibilities:
gcloud projects add-iam-policy-binding {{project-id}} \
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 Cloudaware Framework → 💼 User Account Management			19	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	68	no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			15	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	57	no data
💼 FedRAMP High Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68	no data
💼 FedRAMP Low Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			15	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		57	no data
💼 FedRAMP Moderate Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13	no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights		3	12	no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.2 Key management		9	12	no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets		11	27	no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		14	31	no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction		10	24	no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code		8	22	no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes		19	34	no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56	no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected		15	30	no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53	no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91	no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			42	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			95	no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-6 LEAST PRIVILEGE	10	2	7	no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT	5	4	5	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	40	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			15	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	50	no data
💼 NIST SP 800-53 Revision 5 → 💼 MP-2 Media Access	2		13	no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	56	no data
💼 PCI DSS v3.2.1 → 💼 3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.	4		1	no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			56	no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			56	no data
💼 PCI DSS v4.0.1 → 💼 3.6.1 Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse.	3		1	no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	56	no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			56	no data
💼 PCI DSS v4.0 → 💼 3.6.1 Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse.	3		1	no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities		15	36	no data
💼 SOC 2 → 💼 CC6.1-3 Restricts Logical Access		1	22	no data
💼 SOC 2 → 💼 CC6.1-7 Restricts Access to Information Assets		13	27	no data

Logic​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

From Google Cloud Console​

From gcloud CLI​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Audit

Remediation

Remediation

From Google Cloud Console

From gcloud CLI

policy.yaml

Linked Framework Sections