turbot/steampipe-mod-gcp-perimeter

Control: KMS key policies should prohibit public access

Description

This control checks whether Cloud KMS key policies allow public access through allUsers or allAuthenticatedUsers.

Usage

Run the control in your terminal:

powerpipe control run gcp_perimeter.control.kms_key_policy_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_perimeter.control.kms_key_policy_prohibit_public_access --share

Steampipe Tables

gcp_kms_key

SQL

with public_bindings as (
  select
    self_link,
    array_agg(distinct member) as public_members,
    count(*) as bindings_num
  from
    gcp_kms_key,
    jsonb_array_elements(iam_policy -> 'bindings') as binding,
    jsonb_array_elements_text(binding -> 'members') as member
  where
    member in ('allUsers', 'allAuthenticatedUsers')
  group by
    self_link
)
select
  r.self_link as resource,
  case
    when (r.iam_policy -> 'bindings') is null then 'skip'
    when p.self_link is null then 'ok'
    else 'alarm'
  end as status,
  case
    when (r.iam_policy -> 'bindings') is null then title || ' does not have a defined IAM policy.'
    when p.self_link is null then title || ' policy does not allow public access.'
    else title || ' policy contains ' || coalesce(p.bindings_num, 0) ||
      ' binding(s) that allow public access: ' || array_to_string(p.public_members, ', ')
  end as reason,
  location,
  project
from
  gcp_kms_key as r
  left join public_bindings as p on p.self_link = r.self_link
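To show how the control's status and reason columns are derived, here is an added Python example (not part of the mod) that applies the same skip/ok/alarm rules to a constructed list of key policies shaped like the gcp_kms_key iam_policy column. The key names and members are made up for the example.

```python
import json
from typing import Optional, Tuple, List, Dict

# Members the control treats as public (same set as the SQL `where` clause).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def evaluate_key_policy(title: str, iam_policy: Optional[dict]) -> Tuple[str, str]:
    """Return (status, reason) for one key, mirroring the control's CASE logic:
    no 'bindings' key -> skip; no public member -> ok; otherwise alarm."""
    bindings = (iam_policy or {}).get("bindings")
    if bindings is None:
        return "skip", f"{title} does not have a defined IAM policy."
    public_members = set()
    public_hits = 0
    for binding in bindings:
        hits = [m for m in binding.get("members", []) if m in PUBLIC_MEMBERS]
        # Like count(*) over the unnested members, this counts each matching
        # member row, not each distinct binding.
        public_hits += len(hits)
        public_members.update(hits)
    if not public_members:
        return "ok", f"{title} policy does not allow public access."
    return "alarm", (
        f"{title} policy contains {public_hits} binding(s) that allow public access: "
        + ", ".join(sorted(public_members))
    )


def run_control(keys: List[dict]) -> List[Dict[str, str]]:
    """Evaluate every key row and return resource/status/reason, like the query."""
    return [
        {"resource": k["self_link"], **dict(zip(("status", "reason"),
         evaluate_key_policy(k["title"], json.loads(k["iam_policy"]))))}
        for k in keys
    ]


# Constructed sample rows: iam_policy is stored as a JSON string, as a jsonb column would be.
SAMPLE_KEYS = [
    {"self_link": "projects/demo/locations/global/keyRings/kr/cryptoKeys/open-key",
     "title": "open-key",
     "iam_policy": json.dumps({"bindings": [
         {"role": "roles/cloudkms.cryptoKeyDecrypter", "members": ["allUsers"]},
         {"role": "roles/cloudkms.viewer",
          "members": ["allAuthenticatedUsers", "user:alice@example.com"]}]})},
    {"self_link": "projects/demo/locations/global/keyRings/kr/cryptoKeys/private-key",
     "title": "private-key",
     "iam_policy": json.dumps({"bindings": [
         {"role": "roles/cloudkms.cryptoKeyEncrypter",
          "members": ["serviceAccount:app@demo.iam.gserviceaccount.com"]}]})},
    {"self_link": "projects/demo/locations/global/keyRings/kr/cryptoKeys/no-policy-key",
     "title": "no-policy-key", "iam_policy": json.dumps({"etag": "BwXyZ="})},
]
```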

Tags