Control: 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
Description
It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.
Remediation
From Google Cloud CLI
- List all Cloud KMS
Cryptokeys.
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
- Remove IAM policy binding for a KMS key to remove access to
allUsersandallAuthenticatedUsersusing the below command.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
Default Value
By default Cloud KMS does not allow access to allUsers or allAuthenticatedUsers.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v400_1_9Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v400_1_9 --shareSQL
This control uses a named query:
with public_keys as ( select distinct self_link from gcp_kms_key, jsonb_array_elements(iam_policy -> 'bindings') as b where b -> 'members' ?| array['allAuthenticatedUsers', 'allUsers'])select k.self_link as resource, case when p.self_link is null then 'ok' else 'alarm' end as status, case when p.self_link is null then title || ' in ' || k.key_ring_name || ' key ring not publicly accessible.' else title || ' in ' || k.key_ring_name || ' key ring publicly accessible.' end as reason , location as location, project as projectfrom gcp_kms_key kleft join public_keys p on k.self_link = p.self_link;