Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users

It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.The built-in/predefined IAM role Cloud KMS Admin allows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter/Decrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s). The built-in/predefined IAM role Cloud KMS CryptoKey Decrypter allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s). Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice. No user(s) should have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at the same time

Risk Level: High
Cloud Entity: GCP IAM User
CloudGuard Rule ID: D9.GCP.IAM.26
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamUser should not have roles contain [ id='roles/cloudkms.admin' ] and roles contain-any [ id='roles/cloudkms.cryptoKeyEncrypterDecrypter' or id='roles/cloudkms.cryptoKeyEncrypter' or id='roles/cloudkms.cryptoKeyDecrypter' ]

REMEDIATION

From Portal

  1. Go to IAM & Admin/IAM using https://console.cloud.google.com/iam-admin/iam
  2. For any member having Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles granted/assigned, click the Delete Bin icon to remove the role from the member.

From Command Line

  1. To list all users and role assignments
gcloud projects get-iam-policy PROJECT_ID
  1. Ensure that there are no common users found in the member section for roles cloudkms.admin and any one of Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles then update the policy;
gcloud projects set-iam-policy PROJECT_ID iam.json

From Terraform
For following resources, make sure for any member having values in argument-role = role='roles/cloudkms.admin' should not have another argument-role with any of these value-'roles/cloudkms.cryptoKeyEncrypterDecrypter', 'roles/cloudkms.cryptoKeyEncrypter', 'roles/cloudkms.cryptoKeyDecrypter'

Resources you have;
google_project_iam_binding
google_project_iam_member
Argument: role.
make sure that you don't have 'roles/cloudkms.admin' and any one of 'roles/cloudkms.cryptoKeyEncrypterDecrypter' or 'roles/cloudkms.cryptoKeyEncrypter' or 'roles/cloudkms.cryptoKeyDecrypter' set to a single member while creating template.

resource "google_project_iam_binding" "project"{
	project = "your-project-id"
	role    = "roles/cloudkms.admin"
	
	
	members = [
	"user:[email protected]", ]
}

similarly for 'google_project_iam_member' as well.

resource "google_project_iam_member" "project" {
	project = "your-project-id"
	role    = "roles/cloudkms.admin"
	member  = "user:[email protected]"
}

References

  1. https://cloud.google.com/kms/docs/separation-of-duties
  2. https://workbench.cisecurity.org/sections/507169/recommendations/827555
  3. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam

GCP IAM User

An IAM user is an entity that you create in GCP to represent the person or service that uses it to interact with GCP.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP NIST 800-53 Rev 5