Cloud KMS cryptokeys should restrict anonymous and/or public access
Description
It is recommended that the IAM policy on Cloud KMS cryptokeys
should restrict anonymous and/or public access.
Rationale
Granting permissions to allUsers
or allAuthenticatedUsers
allows anyone to access the
dataset. Such access might not be desirable if sensitive data is stored at the location. In this
case, ensure that anonymous and/or public access to a Cloud KMS cryptokey
is not
allowed.
Default Value
By default Cloud KMS does not allow access to allUsers
or allAuthenticatedUsers
.
Impact
Removing the binding for allUsers
and allAuthenticatedUsers
members denies anonymous and public users access to cryptokeys
.
key_ring_name
is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING
You can retrieve the key ring resource ID using the Cloud Console:
- Open the Cryptographic Keys page in the Cloud Console.
- For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).
- Click Copy Resource ID. The resource ID for the key ring is copied to your clipboard.
key_name
is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY
You can retrieve the key resource ID using the Cloud Console:
- Open the Cryptographic Keys page in the Cloud Console.
- Click the name of the key ring that contains the key.
- For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).
- Click Copy Resource ID. The resource ID for the key ring is copied to your clipboard.
role
is the role to remove the member from.
Finding Notes
Findings may be inconsistent while gcloud kms keyrings get-iam-policy
is implemented.
List all Cloud KMS Cryptokeys.
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
Ensure the below command’s output does not contain allUsers
or allAuthenticatedUsers
.
gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json | jq '.bindings[].members[]'
From the command line
- List all Cloud KMS
Cryptokeys
.gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
- To remove access to
allUsers
and allAuthenticatedUsers
, remove the IAM policy binding for a KMS key using the below command.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
References
- https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding
- https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy
- https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy
- https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id