📝 Google KMS Crypto Key is anonymously or publicly accessible 🟠🟢

• Contextual name: 📝 Crypto Key is anonymously or publicly accessible 🟠🟢
• ID: /ce/ca/google/kms/kms-cryptokey-access
• Located in: 📁 Google KMS

Flags

• 🟢 Impossible policy
• 🟢 Policy with categories
• 🟠 Policy with internal.md
• 🟢 Policy with type

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Check for Publicly Accessible Cloud KMS Keys

Internal Notes 🟠

Open File

Relationship type: many-to-many

IAM Policy Binding.Name = CryptoKey.CA10__name__c

We cannot do this check automatically.

1. List all Cloud KMS Cryptokeys.

    gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

2. Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers using the below command.

    gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]' gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'

Description

Open File

Description

It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.

Rationale

Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.

Impact

Removing the binding for allUsers and allAuthenticatedUsers members denies accessing cryptokeys to anonymous or public users.

Audit

From Google Cloud CLI

1. List all Cloud KMS Cryptokeys.

   gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

2. Ensure the below command's output does not contain allUsers or allAuthenticatedUsers.

   gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json | jq '.bindings[].members[]'

Default Value

By default Cloud KMS does not allow access to allUsers or allAuthenticatedUsers.

... see more

Remediation

Open File

Remediation

From Google Cloud CLI

1. List all Cloud KMS Cryptokeys.

   gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

2. Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers using the below command.

   gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'

   gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v1.2.0 → 💼 1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible - Level 1 (Automated)			1
💼 CIS GCP v1.3.0 → 💼 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - Level 1 (Automated)			1
💼 CIS GCP v2.0.0 → 💼 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - Level 1 (Automated)			1
💼 CIS GCP v3.0.0 → 💼 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - Level 1 (Automated)			1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			77
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	64
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			13
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	53
💼 FedRAMP High Security Controls → 💼 MP-2 Media Access (L)(M)(H)			12
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			64
💼 FedRAMP Low Security Controls → 💼 MP-2 Media Access (L)(M)(H)			12
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			64
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			13
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		53
💼 FedRAMP Moderate Security Controls → 💼 MP-2 Media Access (L)(M)(H)			12
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets		11	26
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		14	30
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction		10	23
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code		8	21
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	52
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			88
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			108
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			66
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	34
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			13
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	46
💼 NIST SP 800-53 Revision 5 → 💼 MP-2 Media Access	2		12
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	35
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			35
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			35
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	35
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			35
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities		15	35
💼 SOC 2 → 💼 CC6.1-3 Restricts Logical Access		1	21
💼 SOC 2 → 💼 CC6.1-7 Restricts Access to Information Assets		13	26