Control: 1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
Description
It is recommended that the IAM policy on Cloud KMS cryptokeys
should restrict anonymous and/or public access.
Granting permissions to allUsers
or allAuthenticatedUsers
allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey
is not allowed.
Remediation
From Command Line
List all Cloud KMS Cryptokeys.
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'Remove IAM policy binding for a KMS key to remove access to
allUsers
andallAuthenticatedUsers
using the below command.gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]' gcloud kms keys remove-iam-policy-binding [key_name] -- keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
Note: By default Cloud KMS does not allow access to allUsers
or allAuthenticatedUsers
.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v130_1_9
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v130_1_9 --share
SQL
This control uses a named query:
kms_key_not_publicly_accessible