Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible

It is recommended that the IAM policy on Cloud KMS cryptokeys restrict anonymous and/or public access. Granting permissions to allUsers or allAuthenticatedUsers allows anyone to use the key. Such access might not be desirable if the key protects sensitive data. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.

Impact Statement: Removing the binding for the allUsers and allAuthenticatedUsers members denies anonymous or public users access to the cryptokeys.

Risk Level: High
Cloud Entity: Cloud Key Management Service
CloudGuard Rule ID: D9.GCP.CRY.11
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

KmsKeyRing should not have (iamPolicy.bindings with [ members with ['allUsers'] or members with ['allAuthenticatedUsers'] ]) or cryptoKeys with [ iamPolicy.bindings with [ members with ['allUsers'] or members with ['allAuthenticatedUsers'] ] ]

REMEDIATION

From Portal

  1. Go to the Cloud Key Management Service (KMS) dashboard at https://console.cloud.google.com/security/kms.
  2. Select the GCP KMS key ring that you want to access.
  3. Choose the KEYS tab, select the active cryptographic key that you want to modify, then click the SHOW INFO PANEL button to show the key permissions.
  4. In the info panel:
    a) Select the PERMISSIONS tab to access the key permissions.
    b) Turn off the Show inherited permissions option.
    c) Identify the member that you want to remove from the IAM policy attached to the selected KMS key, i.e. "allUsers" or "allAuthenticatedUsers", then click the delete icon next to the member name to remove it.
    d) In the confirmation box, select the member that you want to discard, then click REMOVE to confirm the member removal.
  5. Repeat steps 3 and 4 for each publicly accessible key in the selected KMS key ring.
  6. Repeat steps 2 through 5 for each KMS key ring created within your Google Cloud account.

From Command Line

  1. Run the following command to remove 'allAuthenticatedUsers' from your key:
     gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
  2. Run the following command to remove 'allUsers' from your key:
     gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
  3. Repeat steps 1 and 2 for each publicly accessible key deployed in the selected KMS key ring.
  4. Repeat steps 1 through 3 for each KMS key ring available within your Google Cloud account.
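The remove-iam-policy-binding commands above need the key name, key ring, location and the exact role of each public binding, which means first reading the key's policy and checking it the same way the GSL logic does. The following script is an added example, not CloudGuard's or CIS's own tooling: it parses the JSON that `gcloud kms keys get-iam-policy ... --format=json` (or `gcloud kms keyrings get-iam-policy`, since the GSL logic checks key rings as well) returns, lists every binding that grants a role to allUsers or allAuthenticatedUsers, and generates the matching remediation command with the location taken from the key's resource name rather than hard-coded to global. The policy document, project, key ring and key names are constructed placeholders.

```python
import json
import re

# The two principals that make a key anonymously or publicly accessible
# (the same members the rule's GSL logic looks for).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy, shaped like the JSON output of
# `gcloud kms keys get-iam-policy KEY --keyring RING --location LOC --format=json`.
# Project, service account and user names are placeholders, not real resources.
SAMPLE_KEY_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["allAuthenticatedUsers",
                     "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.viewer", "members": ["allUsers"]},
        {"role": "roles/cloudkms.admin", "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXyz123",
    "version": 1,
})

# Full resource name of a crypto key; the location segment is what the
# gcloud command's --location flag must match.
KEY_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<keyring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def public_bindings(policy_json):
    """Return [(role, member)] for every public or anonymous member in an IAM policy.

    Works on key and key ring policies alike, since both use the same format.
    """
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def remediation_commands(key_resource_name, policy_json):
    """Build one remove-iam-policy-binding command per public binding on a key."""
    match = KEY_NAME_RE.match(key_resource_name)
    if not match:
        raise ValueError(f"not a cryptoKey resource name: {key_resource_name}")
    parts = match.groupdict()
    commands = []
    for role, member in public_bindings(policy_json):
        commands.append(
            "gcloud kms keys remove-iam-policy-binding {key} --keyring={keyring} "
            "--location={location} --project={project} "
            "--member='{member}' --role='{role}'".format(
                member=member, role=role, **parts))
    return commands


if __name__ == "__main__":
    # Placeholder resource name; in practice it comes from `gcloud kms keys list`.
    key = ("projects/example-project/locations/us-east1/keyRings/example-ring"
           "/cryptoKeys/example-key")
    for role, member in public_bindings(SAMPLE_KEY_POLICY):
        print(f"public binding: {member} -> {role}")
    for cmd in remediation_commands(key, SAMPLE_KEY_POLICY):
        print(cmd)
```

A policy with no public members yields an empty list, which is the compliant state the rule expects. Two caveats when running the generated commands for real: a binding that carries a `condition` block must be removed with the command's `--condition` flag as well, and the key ring's policy should be checked with the same `public_bindings` function, because the GSL logic fails the key ring when either level grants access to allUsers or allAuthenticatedUsers.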

From TF

  1. See the example templates below for the following resources:
    a) google_kms_crypto_key_iam_member
    b) google_kms_crypto_key_iam_binding
    Make sure that "allUsers" and "allAuthenticatedUsers" are NOT used in the member or members property.
resource "google_kms_crypto_key_iam_member" "bad_member_1" {
	...
	member        = "allUsers"
	...
}

resource "google_kms_crypto_key_iam_member" "bad_member_2" {
	...
	member        = "allAuthenticatedUsers"
	...
}

resource "google_kms_crypto_key_iam_binding" "bad_binding_1" {
	...
	members = [
	"allUsers",
	]
	...
}

resource "google_kms_crypto_key_iam_binding" "bad_binding_2" {
	...
	members = [
	"allAuthenticatedUsers",
	]
	...
}

References

  1. https://workbench.cisecurity.org/sections/507169/recommendations/827568
  2. https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding
  3. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_crypto_key_iam

Cloud Key Management Service

Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services the same way you do on premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. Cloud KMS is integrated with Cloud IAM and Cloud Audit Logging so that you can manage permissions on individual keys and monitor how these are used. Use Cloud KMS to protect secrets and other sensitive data that you need to store in Google Cloud Platform.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0