lacework-global-238
1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible (Automated)
Profile Applicability
• Level 1
Description
It is recommended that the IAM policy on Cloud KMS cryptokeys restrict anonymous and/or public access.
Rationale
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the cryptokey. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.
Impact
Removing the binding for the allUsers and allAuthenticatedUsers members denies anonymous or public users access to cryptokeys.
Audit
From Command Line:
- List all Cloud KMS cryptokeys.
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
- Ensure the below command's output does not contain allUsers or allAuthenticatedUsers.
gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json | jq '.bindings[].members[]'
Remediation
From Command Line:
- List all Cloud KMS cryptokeys.
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
- Remove the IAM policy binding for a KMS key to remove access for allUsers and allAuthenticatedUsers using the below commands.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
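The audit and remediation steps above are manual per key. The following added example (not part of the benchmark or of gcloud itself) automates the check: it takes the JSON that `gcloud kms keys get-iam-policy ... --format=json` prints, reports every binding that contains allUsers or allAuthenticatedUsers, and emits one `remove-iam-policy-binding` command per offending (role, member) pair. The key ring, location and project are parsed from the fully-qualified CryptoKey resource ID (the form given under Additional Information) instead of being assumed to be `global`, since keys in other locations would otherwise be missed. The key ID, policy document and role bindings below are constructed sample data, not real project values.

```python
import json
import re

# CryptoKey resource IDs have the form
# projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY
KEY_ID_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<keyring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

# The two members that grant anonymous or public access.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def parse_key_id(key_id):
    """Split a fully-qualified CryptoKey resource ID into its components.

    Raises ValueError when the ID does not match the documented form, so a
    typo is caught before any gcloud command is built from it.
    """
    m = KEY_ID_RE.match(key_id)
    if not m:
        raise ValueError(f"not a CryptoKey resource ID: {key_id!r}")
    return m.groupdict()


def find_public_bindings(policy):
    """Return (role, member) pairs bound to allUsers or allAuthenticatedUsers.

    `policy` is the parsed JSON printed by
    `gcloud kms keys get-iam-policy KEY --format=json`.
    """
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def remediation_commands(key_id, policy):
    """Build one remove-iam-policy-binding command per offending pair.

    Key ring, location and project come from the resource ID, not from a
    hard-coded --location=global.
    """
    parts = parse_key_id(key_id)
    cmds = []
    for role, member in find_public_bindings(policy):
        cmds.append(
            "gcloud kms keys remove-iam-policy-binding "
            f"{parts['key']} --keyring={parts['keyring']} "
            f"--location={parts['location']} --project={parts['project']} "
            f"--member='{member}' --role='{role}'"
        )
    return cmds


def audit(key_id, policy):
    """Return (passes, commands): passes is True when no public member is
    bound to the key; commands is the remediation list (empty when passing)."""
    cmds = remediation_commands(key_id, policy)
    return (not cmds, cmds)


# Constructed sample: the shape gcloud prints, with one legitimate service
# account binding and two public bindings. Not real project data.
SAMPLE_KEY_ID = (
    "projects/example-project/locations/us-east1"
    "/keyRings/app-ring/cryptoKeys/app-key"
)
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["allAuthenticatedUsers",
                 "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.viewer",
     "members": ["allUsers"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}
""")

if __name__ == "__main__":
    ok, cmds = audit(SAMPLE_KEY_ID, SAMPLE_POLICY)
    print("PASS" if ok else "FAIL: anonymous or public access found")
    for c in cmds:
        print(c)
```

To run it against a real key, replace SAMPLE_POLICY with the output of the get-iam-policy command from the Audit section and SAMPLE_KEY_ID with the key's resource ID; review the printed commands before executing them, since removing a binding that a workload relies on will break that workload.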
References
https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding
https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy
https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy
https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id
Additional Information
[key_ring_name] : The resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the form: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING
You can retrieve the key ring resource ID using the Cloud Console:
- Open the Cryptographic Keys page in the Cloud Console.
- For the key ring whose resource ID you are retrieving, click the More icon (3 vertical dots).
- Click Copy Resource ID. The resource ID for the key ring is copied to your clipboard.
[key_name] : The resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the form: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY
You can retrieve the key resource ID using the Cloud Console:
- Open the Cryptographic Keys page in the Cloud Console.
- Click the name of the key ring that contains the key.
- For the key whose resource ID you are retrieving, click the More icon (3 vertical dots).
- Click Copy Resource ID. The resource ID for the key is copied to your clipboard.
[role] : The role to remove the member from.