Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
14Dashboards
621Benchmarks
202Queries
2Variables
GitHub

Control: Ensure that Separation of duties is enforced while assigning KMS related roles to users

Description

It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.kms_key_separation_of_duties_enforced

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.kms_key_separation_of_duties_enforced --share

SQL

This control uses a named query:

with users_with_roles as (
  select
    distinct split_part(member_entity, ':', 2) as user_name,
    project,
    _ctx,
    array_agg(distinct p ->> 'role') as assigned_roles
  from
    gcp_iam_policy,
    jsonb_array_elements(bindings) as p,
    jsonb_array_elements_text(p -> 'members') as member_entity
  where
    split_part(member_entity, ':', 1) = 'user'
  group by
    user_name,
    project,
    _ctx
),
kms_roles_users as (
  select
    user_name,
    project,
    assigned_roles
  from
    users_with_roles
  where
    'roles/cloudkms.admin' = any(assigned_roles)
    and assigned_roles && array['roles/cloudkms.cryptoKeyEncrypterDecrypter', 'roles/cloudkms.cryptoKeyEncrypter', 'roles/cloudkms.cryptoKeyDecrypter']
)
select
  distinct r.user_name as resource,
  case
    when 'roles/cloudkms.admin' = any(r.assigned_roles) and k.user_name is null then 'ok'
    when k.user_name is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when 'roles/cloudkms.admin' = any(r.assigned_roles) and k.user_name is null then r.user_name || ' assigned only with KMS admin role.'
    when k.user_name is not null then r.user_name || ' assigned with roles/cloudkms.admin, ' ||
      concat_ws(', ',
        case when 'roles/cloudkms.cryptoKeyEncrypterDecrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyEncrypterDecrypter' end,
        case when 'roles/cloudkms.cryptoKeyEncrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyEncrypter' end,
        case when 'roles/cloudkms.cryptoKeyDecrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyDecrypter' end
        ) || ' KMS role(s).'
    else r.user_name || ' not assigned with KMS admin and additional encrypter/decrypter roles.'
  end as reason
  , r.project as project
from
  users_with_roles as r
  left join kms_roles_users as k on k.user_name = r.user_name and k.project = r.project

Tags

category = Compliance
hipaa = true
nist_800_53_rev_5 = true
nist_csf_v10 = true
nist_csf_v2 = true
plugin = gcp
service = GCP/KMS
soc_2_2017 = true