Skip to main content

lacework-global-238

1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible (Automated)

Profile Applicability

• Level 1

Description

It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.

Rationale

Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.

Impact

Removing the binding for allUsers and allAuthenticatedUsers members denies accessing cryptokeys to anonymous or public users.

Audit

From Command Line:

  1. List all Cloud KMS Cryptokeys.
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
  1. Ensure the below command's output does not contain allUsers or allAuthenticatedUsers.
gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json | jq '.bindings[].members[]'

Remediation

From Command Line:

  1. List all Cloud KMS Cryptokeys.
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
  1. Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers using the below command.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'

gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'

References

https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding
https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy
https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy
https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id

Additional Information

[key_ring_name] : Is the resource ID of the key ring, which is the fully-qualified Key ring name. This value is case-sensitive and in the form: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING

You can retrieve the key ring resource ID using the Cloud Console:

  1. Open the Cryptographic Keys page in the Cloud Console.
  2. For the key ring whose resource ID you are retrieving, click the More icon (3 vertical dots).
  3. Click Copy Resource ID. The resource ID for the key ring is copied to your clipboard.

[key_name] : Is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the form: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY

You can retrieve the key resource ID using the Cloud Console:

  1. Open the Cryptographic Keys page in the Cloud Console.
  2. Click the name of the key ring that contains the key.
  3. For the key whose resource ID you are retrieving, click the More icon (3 vertical dots).
  4. Click Copy Resource ID. The resource ID for the key is copied to your clipboard.

[role] : The role to remove the member from.