Ensures that cryptographic keys have the desired protection.
Risk Level: Medium
Description
This plugin ensures that cryptographic keys are protected to the same level as or higher than the needed level of security. The encryption level specifies how cryptographic processes are carried out. Cloud KMS cryptographic keys should have their protection level set according to your security requirements. For more information, read here.
About the Service
Google Cloud Key Management Service (KMS):
The Google Cloud Key Management Service (KMS) allows you to manage your encryption keys in the cloud. You can use this service to create, rotate, utilize, and remove keys. To produce a key and assure its security, Google employs a number of cryptographic algorithms. Users can then perform operations on Google Cloud services and data based on their role and the access granted to them. To know more, read here.
Impact
If an encryption key does not have the desired protection level, it makes it vulnerable to security breaches and increases the risk of attacks. This could jeopardize the data and services on the Google Cloud Platform that are protected by this key.
Steps to Reproduce
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select your desired GCP project.
- From the navigation panel on the left side of the console, go to Security under the More products section and select Key management. You can click this link here to navigate directly if you’re already logged in.
- In the KEY RINGS tab, select the key ring you want to verify from the list of key rings available.
- In the list of keys present in the selected key ring, check if any of them have a protection level apart from customer-managed encryption keys (CMEK), customer-managed HSM encryption key (HSM), or imported or externally managed key (EXTERNAL). If keys are present with other protection levels, those keys do not have the desired encryption.
- If you have multiple key rings, repeat steps 4 and 5 for each key ring in your GCP Console
Steps for Remediation
Make the necessary changes to ensure the keys have the desired encryption by following the steps outlined below.
Note: Since a key’s protection level cannot be changed after creating it, you must create a new key to replace the one with a low encryption level.
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select your desired GCP project.
- From the navigation panel on the left side of the console, go to Security under the More products section and select Key management. You can click this link here to navigate directly if you’re already logged in.
- In the KEY RINGS tab, select the key ring you want to verify from the list of key rings available. (In case you aren’t sure which key ring needs to be configured, follow the steps to reproduce listed above to determine which key ring to choose.)
- Select the desired key from the list of keys in the chosen key ring and note down the details to recreate it.
- Click on the CREATE KEY button found on the top navigation bar.
- Fill in the desired details and select the desired level of protection for the key from the Protection level dropdown list. Click create to recreate the key.
- Repeat steps 5 to 7 for all the keys you want to recreate in the selected key ring.
- If you have multiple key rings, repeat steps 4 to 8 for each key ring you want to recreate in your GCP console.