Control: Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
Description
The IAM policy on each Cloud KMS cryptokey should not grant any role to the principals allUsers (anonymous access, no authentication required) or allAuthenticatedUsers (any Google account, effectively public). A binding to either principal exposes the key to anyone, and if the role permits encrypt or decrypt operations, anyone can use the key material. This control raises an alarm for every key whose policy contains such a binding.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.kms_key_not_publicly_accessible
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.kms_key_not_publicly_accessible --share
SQL
This control uses a named query:
-- Keys whose IAM policy has at least one binding to a public principal.
with public_keys as (
  select distinct
    self_link
  from
    gcp_kms_key,
    jsonb_array_elements(iam_policy -> 'bindings') as b
  where
    b -> 'members' ?| array['allAuthenticatedUsers', 'allUsers']
)
select
  k.self_link as resource,
  case
    when p.self_link is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.self_link is null then k.title || ' in ' || k.key_ring_name || ' key ring not publicly accessible.'
    else k.title || ' in ' || k.key_ring_name || ' key ring publicly accessible.'
  end as reason,
  k.location as location,
  k.project as project
from
  gcp_kms_key as k
  left join public_keys as p on k.self_link = p.self_link;
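The control above only reports that a key is public; it does not say which role was granted or to which of the two principals, and that is what you need in order to remove the right binding. The following query is an added example, not part of the gcp_compliance mod, that runs against the same Steampipe gcp_kms_key table and columns the control uses (iam_policy, self_link, title, key_ring_name, location, project) and unnests the bindings down to individual members so each offending role/member pair is listed on its own row:

```sql
-- Added example (not from the gcp_compliance mod): one row per public
-- binding on a Cloud KMS key, with the role and principal that grant it.
-- Assumes the Steampipe gcp_kms_key table used by the control above.
with public_bindings as (
  select
    k.self_link,
    k.title,
    k.key_ring_name,
    k.location,
    k.project,
    b ->> 'role' as role,
    m            as member
  from
    gcp_kms_key as k,
    -- one row per binding in the key's IAM policy
    jsonb_array_elements(k.iam_policy -> 'bindings') as b,
    -- one row per member within that binding
    jsonb_array_elements_text(b -> 'members') as m
  where
    m in ('allUsers', 'allAuthenticatedUsers')
)
select
  self_link as resource,
  'alarm'   as status,
  title || ' in ' || key_ring_name || ' key ring grants ' || role
        || ' to ' || member || '.' as reason,
  location,
  project
from
  public_bindings
order by
  project, location, key_ring_name, title, role, member;
```

Unlike the control's query, this one returns no rows for compliant keys, so it is a drill-down rather than a replacement. Treat a binding whose role allows encrypt or decrypt (for example roles/cloudkms.cryptoKeyEncrypterDecrypter) as the most urgent, since it lets any caller use the key, not merely read its metadata.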