alloydb_cluster_encrypted_with_cmkalloydb_instance_log_error_verbosity_database_flag_default_or_stricteralloydb_instance_log_min_error_statement_database_flag_configuredalloydb_instance_log_min_messages_database_flag_errorapp_engine_application_iap_enabledaudit_logging_configured_for_all_servicebigquery_dataset_encrypted_with_cmkbigquery_dataset_not_publicly_accessiblebigquery_dataset_restrict_gmailbigquery_dataset_restrict_googlegroupsbigquery_table_encrypted_with_cmkcloudfunction_function_no_deployments_manager_permissioncloudfunction_function_no_disrupt_logging_permissioncloudfunction_function_no_ingress_settings_allow_allcloudfunction_function_restrict_public_accesscloudfunction_function_restricted_permissioncloudfunction_function_vpc_connector_enabledcloudrun_service_restrict_public_accesscompute_backend_bucket_no_dangling_storage_bucketcompute_disk_encrypted_with_cskcompute_external_backend_service_iap_enabledcompute_firewall_allow_connections_proxied_by_iapcompute_firewall_allow_tcp_connections_proxied_by_iapcompute_firewall_default_rule_restrict_ingress_access_except_http_and_httpscompute_firewall_rule_ingress_access_restricted_to_dns_port_53compute_firewall_rule_ingress_access_restricted_to_ftp_port_21compute_firewall_rule_ingress_access_restricted_to_http_port_80compute_firewall_rule_ingress_access_restricted_to_microsoft_ds_port_445compute_firewall_rule_ingress_access_restricted_to_mongo_db_port_27017compute_firewall_rule_ingress_access_restricted_to_mysql_db_port_3306compute_firewall_rule_ingress_access_restricted_to_netbios_snn_port_139compute_firewall_rule_ingress_access_restricted_to_oracle_db_port_1521compute_firewall_rule_ingress_access_restricted_to_pop3_port_110compute_firewall_rule_ingress_access_restricted_to_postgresql_port_10250compute_firewall_rule_ingress_access_restricted_to_postgresql_port_10255compute_firewall_rule_ingress_access_restricted_to_postgresql_port_5432compute_firewall_rule_ingress_access_restricted_to_smtp_port_25compute_firewall_rule_ingress_access_restricted_to_tcp_port_137_to_139compute_firewall_rule_ingress_access_restricted_to_tcp_port_27017_to_27019compute_firewall_rule_ingress_access_restricted_to_tcp_port_61620_61621compute_firewall_rule_ingress_access_restricted_to_tcp_port_636compute_firewall_rule_ingress_access_restricted_to_tcp_port_6379compute_firewall_rule_ingress_access_restricted_to_tcp_port_7000_7001compute_firewall_rule_ingress_access_restricted_to_tcp_port_7199compute_firewall_rule_ingress_access_restricted_to_tcp_port_8888compute_firewall_rule_ingress_access_restricted_to_tcp_port_9042compute_firewall_rule_ingress_access_restricted_to_tcp_port_9090compute_firewall_rule_ingress_access_restricted_to_tcp_port_9160compute_firewall_rule_ingress_access_restricted_to_tcp_port_9200_9300compute_firewall_rule_ingress_access_restricted_to_tcp_udp_port_11211compute_firewall_rule_ingress_access_restricted_to_tcp_udp_port_11214_to_11215compute_firewall_rule_ingress_access_restricted_to_tcp_udp_port_2483_to_2484compute_firewall_rule_ingress_access_restricted_to_tcp_udp_port_389compute_firewall_rule_ingress_access_restricted_to_telnet_port_23compute_firewall_rule_logging_enabledcompute_firewall_rule_rdp_access_restrictedcompute_firewall_rule_restrict_ingress_allcompute_firewall_rule_restrict_ingress_all_with_no_specific_targetcompute_firewall_rule_ssh_access_restrictedcompute_https_load_balancer_logging_enabledcompute_instance_block_project_wide_ssh_enabledcompute_instance_confidential_computing_enabledcompute_instance_ip_forwarding_disabledcompute_instance_no_data_destruction_permissioncompute_instance_no_database_write_permissioncompute_instance_no_deployments_manager_permissioncompute_instance_no_disrupt_logging_permissioncompute_instance_no_iam_write_permissioncompute_instance_no_service_account_impersonate_permissioncompute_instance_no_write_permission_on_deny_policycompute_instance_oslogin_enabledcompute_instance_preemptible_termination_disabledcompute_instance_serial_port_connection_disabledcompute_instance_shielded_vm_enabledcompute_instance_template_ip_forwarding_disabledcompute_instance_with_custom_metadatacompute_instance_with_no_default_service_accountcompute_instance_with_no_default_service_account_with_full_accesscompute_instance_with_no_public_ip_addressescompute_instance_wth_no_high_level_basic_rolecompute_network_auto_create_subnetwork_enabledcompute_network_contains_no_default_networkcompute_network_contains_no_legacy_networkcompute_network_dns_logging_enabledcompute_ssl_policy_with_no_weak_ciphercompute_subnetwork_flow_log_enabledcompute_subnetwork_private_ip_google_accesscompute_target_https_proxy_quic_protocol_enabledcompute_target_https_proxy_quic_protocol_no_default_ssl_policycompute_target_https_uses_latest_tls_versiondataproc_cluster_encryption_with_cmekdns_managed_zone_dnssec_enableddns_managed_zone_key_signing_not_using_rsasha1dns_managed_zone_zone_signing_not_using_rsasha1iam_api_key_age_90iam_api_key_restricts_apisiam_api_key_restricts_websites_hosts_appsiam_service_account_gcp_managed_keyiam_service_account_key_age_100iam_service_account_key_age_90iam_service_account_without_admin_privilegeiam_user_denylist_publiciam_user_kms_separation_of_duty_enforcediam_user_not_assigned_service_account_user_role_project_leveliam_user_separation_of_duty_enforcediam_user_uses_corporate_login_credentialskms_key_not_publicly_accessiblekms_key_rotated_within_100_daykms_key_rotated_within_90_daykms_key_separation_of_duties_enforcedkms_key_users_limited_to_3kubernetes_cluster_auto_repair_enabledkubernetes_cluster_auto_upgrade_enabledkubernetes_cluster_binary_authorization_enabledkubernetes_cluster_client_certificate_authentication_enabledkubernetes_cluster_dashboard_disabledkubernetes_cluster_database_encryption_enabledkubernetes_cluster_http_load_balancing_enabledkubernetes_cluster_incoming_traffic_open_to_allkubernetes_cluster_intra_node_visibility_enabledkubernetes_cluster_kubernetes_alpha_enabledkubernetes_cluster_legacy_abac_enabledkubernetes_cluster_legacy_endpoints_disabledkubernetes_cluster_logging_enabledkubernetes_cluster_master_authorized_networks_config_enabledkubernetes_cluster_monitoring_enabledkubernetes_cluster_network_policy_enabledkubernetes_cluster_network_policy_installedkubernetes_cluster_no_default_networkkubernetes_cluster_node_config_image_cos_containerdkubernetes_cluster_node_no_default_service_accountkubernetes_cluster_private_cluster_config_enabledkubernetes_cluster_private_nodes_configuredkubernetes_cluster_release_channel_configuredkubernetes_cluster_service_account_defaultkubernetes_cluster_shielded_instance_integrity_monitoring_enabledkubernetes_cluster_shielded_node_secure_boot_enabledkubernetes_cluster_shielded_nodes_enabledkubernetes_cluster_subnetwork_private_ip_google_access_enabledkubernetes_cluster_use_ip_aliaseskubernetes_cluster_with_less_than_three_node_auto_upgrade_enabledkubernetes_cluster_with_resource_labelskubernetes_cluster_zone_redundantlogging_bucket_retention_policy_enabledlogging_metric_alert_audit_configuration_changeslogging_metric_alert_custom_role_changeslogging_metric_alert_firewall_rule_changeslogging_metric_alert_network_changeslogging_metric_alert_network_route_changeslogging_metric_alert_project_ownership_assignmentlogging_metric_alert_sql_instance_configuration_changeslogging_metric_alert_storage_iam_permission_changeslogging_sink_configured_for_all_resourcemanual_controlorganization_essential_contacts_configuredproject_access_approval_settings_enabledproject_no_api_keyproject_oslogin_enabledproject_service_cloudasset_api_enabledproject_service_container_scanning_api_enabledsql_instance_automated_backups_enabledsql_instance_mysql_binary_log_enabledsql_instance_mysql_local_infile_database_flag_offsql_instance_mysql_skip_show_database_flag_onsql_instance_not_open_to_internetsql_instance_not_publicly_accessiblesql_instance_postgresql_cloudsql_pgaudit_database_flag_enabledsql_instance_postgresql_log_checkpoints_database_flag_onsql_instance_postgresql_log_connections_database_flag_onsql_instance_postgresql_log_disconnections_database_flag_onsql_instance_postgresql_log_duration_database_flag_onsql_instance_postgresql_log_error_verbosity_database_flag_default_or_strictersql_instance_postgresql_log_executor_stats_database_flag_offsql_instance_postgresql_log_hostname_database_flag_configuredsql_instance_postgresql_log_lock_waits_database_flag_onsql_instance_postgresql_log_min_duration_statement_database_flag_disabledsql_instance_postgresql_log_min_error_statement_database_flag_configuredsql_instance_postgresql_log_min_messages_database_flag_errorsql_instance_postgresql_log_parser_stats_database_flag_offsql_instance_postgresql_log_planner_stats_database_flag_offsql_instance_postgresql_log_statement_database_flag_ddlsql_instance_postgresql_log_statement_stats_database_flag_offsql_instance_postgresql_log_temp_files_database_flag_0sql_instance_require_ssl_enabledsql_instance_sql_3625_trace_database_flag_offsql_instance_sql_3625_trace_database_flag_onsql_instance_sql_contained_database_authentication_database_flag_offsql_instance_sql_cross_db_ownership_chaining_database_flag_offsql_instance_sql_external_scripts_enabled_database_flag_offsql_instance_sql_remote_access_database_flag_offsql_instance_sql_user_connections_database_flag_configuredsql_instance_sql_user_options_database_flag_not_configuredsql_instance_with_labelssql_instance_with_no_public_ipsstorage_bucket_bucket_policy_only_enabledstorage_bucket_log_not_publicly_accessiblestorage_bucket_log_object_versioning_enabledstorage_bucket_log_retention_policy_enabledstorage_bucket_log_retention_policy_lock_enabledstorage_bucket_not_publicly_accessiblestorage_bucket_uniform_access_enabled
Query: kms_key_users_limited_to_3
Usage
powerpipe query gcp_compliance.query.kms_key_users_limited_to_3Steampipe Tables
SQL
with public_keys as ( select distinct self_link from gcp_kms_key, jsonb_array_elements(iam_policy -> 'bindings') as b where b -> 'members' ?| array['allAuthenticatedUsers', 'allUsers']), key_members_count as ( select distinct self_link, jsonb_array_length(b -> 'members') as members_count from gcp_kms_key, jsonb_array_elements(iam_policy -> 'bindings') as b)select k.self_link as resource, case when p.self_link is not null then 'alarm' when c.members_count > 3 then 'alarm' else 'ok' end as status, case when p.self_link is not null then title || ' in ' || k.key_ring_name || ' key ring publicly accessible.' when c.members_count is null then title || ' has no user.' else title || ' has ' || (c.members_count) || ' user(s).' end as reason , location as location, project as projectfrom gcp_kms_key k left join public_keys p on k.self_link = p.self_link left join key_members_count as c on c.self_link = k.self_link;
Controls
The query is being used by the following controls: