turbot/steampipe-mod-gcp-compliance

Control: 1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users

Description

It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.

The built-in/predefined IAM role Cloud KMS Admin allows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter/Decrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).

The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s). The built-in/predefined IAM role Cloud KMS CryptoKey Decrypter allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).

Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.

No user(s) should have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at the same time.

Remediation

From Console

  1. Go to IAM & Admin/IAM using https://console.cloud.google.com/iam-admin/iam.
  2. For any member having Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles granted/assigned, click the Delete Bin icon to remove the role from the member.

Note: Removing a role should be done based on the business requirement.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v300_1_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v300_1_11 --share

SQL

This control uses a named query:

with users_with_roles as (
select
distinct split_part(member_entity, ':', 2) as user_name,
project,
_ctx,
array_agg(distinct p ->> 'role') as assigned_roles
from
gcp_iam_policy,
jsonb_array_elements(bindings) as p,
jsonb_array_elements_text(p -> 'members') as member_entity
where
split_part(member_entity, ':', 1) = 'user'
group by
user_name,
project,
_ctx
),
kms_roles_users as (
select
user_name,
project,
assigned_roles
from
users_with_roles
where
'roles/cloudkms.admin' = any(assigned_roles)
and assigned_roles && array['roles/cloudkms.cryptoKeyEncrypterDecrypter', 'roles/cloudkms.cryptoKeyEncrypter', 'roles/cloudkms.cryptoKeyDecrypter']
)
select
distinct r.user_name as resource,
case
when 'roles/cloudkms.admin' = any(r.assigned_roles) and k.user_name is null then 'ok'
when k.user_name is not null then 'alarm'
else 'ok'
end as status,
case
when 'roles/cloudkms.admin' = any(r.assigned_roles) and k.user_name is null then r.user_name || ' assigned only with KMS admin role.'
when k.user_name is not null then r.user_name || ' assigned with roles/cloudkms.admin, ' ||
concat_ws(', ',
case when 'roles/cloudkms.cryptoKeyEncrypterDecrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyEncrypterDecrypter' end,
case when 'roles/cloudkms.cryptoKeyEncrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyEncrypter' end,
case when 'roles/cloudkms.cryptoKeyDecrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyDecrypter' end
) || ' KMS role(s).'
else r.user_name || ' not assigned with KMS admin and additional encrypter/decrypter roles.'
end as reason
, r.project as project
from
users_with_roles as r
left join kms_roles_users as k on k.user_name = r.user_name and k.project = r.project

Tags