📝 Google IAM Roles related to KMS are not assigned to separate users 🟢

• Contextual name: 📝 Roles related to KMS are not assigned to separate users 🟢
• ID: /ce/ca/google/iam/kms-related-roles-to-users
• Located in: 📁 Google IAM

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Enforce Separation of Duties for KMS-Related Roles

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google User
  • 🔌 Google IAM Policy Binding - object.extracts.yaml
  • 🔌 Google IAM Role - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.

Rationale

The built-in/predefined IAM role Cloud KMS Admin allows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter/Decrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).

The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s). The built-in/predefined IAM role Cloud KMS CryptoKey Decrypter allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).

Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to IAM & Admin/IAM using https://console.cloud.google.com/iam-admin/iam
2. For any member having Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles granted/assigned, click the Delete Bin icon to remove the role from the member.

Note: Removing a role should be done based on the business requirement.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - Level 2 (Automated)			1
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management			9