Skip to main content

πŸ›‘οΈ Google KMS Crypto Key is anonymously or publicly accessible🟠🟒βšͺ

Similar Policies​

Internal Notes πŸŸ β€‹

Open File

Relationship type: many-to-many

IAM Policy Binding.Name = CryptoKey.CA10__name__c

We cannot do this check automatically.

  1. List all Cloud KMS Cryptokeys.

    gcloud kms keys list \
        --keyring={{key-ring-name}} \
        --location=global \
        --format=json | jq '.[].name'

  2. Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers using the below command.

    gcloud kms keys remove-iam-policy-binding {{key-name}} \
        --keyring={{key-ring-name}} \
        --location=global \
        --member='allAuthenticatedUsers' \
        --role='{{role}}' gcloud kms keys remove-iam-policy-binding {{key-name}} \
        --keyring={{key-ring-name}} \
        --location=global \
        --member='allUsers' \
        --role='{{role}}'

Description​

Open File

Description​

It is recommended that IAM policies on Cloud KMS cryptokeys restrict anonymous or public access.

Rationale​

Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the cryptokey. Such access might not be desirable if sensitive data is protected with that key. In this case, ensure that anonymous or public access to a Cloud KMS cryptokey is not allowed.

Impact​

Removing the binding for allUsers and allAuthenticatedUsers members denies access to cryptokeys for anonymous or public users.

Audit​

From Google Cloud CLI​

  1. List all Cloud KMS cryptokeys.

    gcloud kms keys list \
        --keyring={{key-ring-name}} \
        --location=global \
        --format=json | jq '.[].name'

  2. Ensure the below command's output does not contain allUsers or allAuthenticatedUsers.

    gcloud kms keys get-iam-policy {{key-name}} \
        --keyring={{key-ring-name}} \
        --location=global \
        --format=json | jq '.bindings[].members[]'

... see more

Remediation​

Open File

Remediation​

From Google Cloud CLI​

  1. List all Cloud KMS cryptokeys.

    gcloud kms keys list \
        --keyring={{key-ring-name}} \
        --location=global \
        --format=json | jq '.[].name'

  2. Remove the IAM policy bindings to revoke access for allUsers and allAuthenticatedUsers by running the following commands.

    gcloud kms keys remove-iam-policy-binding {{key-name}} \
        --keyring={{key-ring-name}} \
        --location=global \
        --member='allAuthenticatedUsers' \
        --role='{{role}}'
    gcloud kms keys remove-iam-policy-binding {{key-name}} \
        --keyring={{key-ring-name}} \
        --location=global \
        --member='allUsers' \
        --role='{{role}}'

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible - Level 1 (Automated)1no data
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - Level 1 (Automated)1no data
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - Level 1 (Automated)1no data
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - Level 1 (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access53no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3784no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-5 Separation of Duties (M)(H)17no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81179no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)13no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)84no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)13no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)84no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-5 Separation of Duties (M)(H)17no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)679no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)13no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.10 Acceptable use of information and other associated assets1127no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.15 Access control1431no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.3 Information access restriction1024no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.4 Access to source code822no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1756no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties133no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected184no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage123no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15559no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-5 Separation of Duties17no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102372no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό MP-2 Media Access213no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1065no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.65no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.65no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.765no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.65no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC5.2-3 Establishes Relevant Security Management Process Controls Activities1536no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-3 Restricts Logical Access122no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-7 Restricts Access to Information Assets1327no data