Skip to main content

πŸ“ Google KMS Crypto Key is anonymously or publicly accessible 🟠🟒

  • Contextual name: πŸ“ Crypto Key is anonymously or publicly accessible 🟠🟒
  • ID: /ce/ca/google/kms/kms-cryptokey-access
  • Located in: πŸ“ Google KMS

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Internal Notes πŸŸ β€‹

Open File

Relationship type: many-to-many

IAM Policy Binding.Name = CryptoKey.CA10__name__c

We cannot do this check automatically.

  1. List all Cloud KMS Cryptokeys.

     gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

  2. Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers using the below command.

     gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]' gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'

Description​

Open File

Description​

It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.

Rationale​

Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.

Impact​

Removing the binding for allUsers and allAuthenticatedUsers members denies accessing cryptokeys to anonymous or public users.

Audit​

From Google Cloud CLI​

  1. List all Cloud KMS Cryptokeys.

    gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

  2. Ensure the below command's output does not contain allUsers or allAuthenticatedUsers.

    gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json | jq '.bindings[].members[]'

Default Value​

By default Cloud KMS does not allow access to allUsers or allAuthenticatedUsers.

... see more

Remediation​

Open File

Remediation​

From Google Cloud CLI​

  1. List all Cloud KMS Cryptokeys.

    gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

  2. Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers using the below command.

    gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'

    gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - Level 1 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access24