It is recommended that the IAM policy on Cloud KMS cryptokeys restrict anonymous and/or public access.

Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.

By default, Cloud KMS does not allow access to allUsers or allAuthenticatedUsers.

Removing the binding for the allUsers and allAuthenticatedUsers members denies anonymous and public users access to cryptokeys.
key_ring_name is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and has the format projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING. You can retrieve the key ring resource ID using the Cloud Console.

key_name is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and has the format projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY. You can retrieve the key resource ID using the Cloud Console.

role is the role to remove the member from.
Findings may be inconsistent while gcloud kms keyrings get-iam-policy is implemented.
List all Cloud KMS cryptokeys.

gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

Ensure the below command's output does not contain allUsers or allAuthenticatedUsers.

gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json | jq '.bindings[].members[]'
List all Cloud KMS cryptokeys.

gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

For each key whose bindings include allUsers and allAuthenticatedUsers, remove the IAM policy binding for the KMS key using the below commands.

gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'

gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
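The audit and remediation steps above can be joined into one check that reads the JSON returned by gcloud kms keys get-iam-policy, flags every binding whose member is allUsers or allAuthenticatedUsers, and emits the matching remove-iam-policy-binding command with the right role. This is an added example, not part of the page or of Datadog's rule; the policy document, project, key ring and key names are constructed, and bindings that carry an IAM condition are reported but left for manual handling since the removal command must then name that condition.

```python
import json

# The two IAM members that make a cryptokey anonymously or publicly accessible.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy: dict) -> list[dict]:
    """Return one record per (role, public member) pair found in a KMS IAM policy.

    `policy` is the parsed JSON from `gcloud kms keys get-iam-policy --format=json`.
    Conditional bindings are flagged with their condition title so they are not missed.
    """
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({
                    "role": binding["role"],
                    "member": member,
                    "condition": binding.get("condition", {}).get("title"),
                })
    return findings


def remediation_commands(key_name: str, key_ring_name: str, location: str, policy: dict) -> list[str]:
    """Build the gcloud commands that remove each public binding found in `policy`.

    Unconditional bindings map directly onto the page's remove-iam-policy-binding
    command; conditional ones are returned as a note instead of a command.
    """
    commands = []
    for f in find_public_bindings(policy):
        if f["condition"]:
            commands.append(f"# MANUAL: {f['member']} on {f['role']} has condition '{f['condition']}'")
            continue
        commands.append(
            f"gcloud kms keys remove-iam-policy-binding {key_name} --keyring={key_ring_name} "
            f"--location={location} --member='{f['member']}' --role='{f['role']}'"
        )
    return commands


# Constructed policy document, shaped like `gcloud kms keys get-iam-policy --format=json` output.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["allUsers", "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.viewer", "members": ["allAuthenticatedUsers"],
     "condition": {"title": "expires-2030", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/cloudkms.admin", "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 3
}
""")
```

Running remediation_commands("example-key", "example-ring", "global", SAMPLE_POLICY) yields one remove command for the allUsers binding and a manual note for the conditional allAuthenticatedUsers binding; the admin binding is untouched.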