Google Cloud Key Management Service (KMS)

Key Publicly Accessible

Ensures that the KMS keys are not accessible to the public.

Risk Level: High

Description

Access to Google Cloud KMS resources is managed by IAM roles. This plugin ensures that all “allAuthenticatedUsers” and “allUsers” IAM member bindings are removed so that the KMS keys are not anonymously or publicly accessible.

About the Service

Google Cloud Key Management Service (KMS):

Google Cloud Key Management Service (KMS) allows you to manage your encryption keys in the cloud. You can use this service to create, rotate, use, and destroy keys. To generate a key and keep it secure, Google employs a number of cryptographic algorithms. Users can then perform operations on Google Cloud services and data based on their role and the access granted to them. To learn more, read here.

Impact

If “allAuthenticatedUsers” or “allUsers” is granted access to the KMS keys, any user, not only those who need them, will be able to access the keys. As a result, the security and privacy of the data they protect are at risk. To follow the principle of least privilege, access permissions must be granted only to the users who require them.

Steps to Reproduce

Using the GCP Console:

  1. Log in to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Security under the More products section and select Key management. You can click this link here to navigate directly if you’re already logged in.
  4. In the KEY RINGS tab, select the key ring you want to verify from the list of key rings available.
  5. Choose the key you want to investigate in the KEYS tab of the selected key ring.
  6. Click the SHOW INFO PANEL button in the right corner of the top bar and go to the PERMISSIONS tab to see the permissions.
  7. Turn off the Show inherited permissions toggle.
  8. Set Role/Principal to allAuthenticatedUsers and allUsers in the Filter box as shown in the screenshot below.

     If one or more results are displayed, the selected key is publicly accessible.
  9. Repeat the above steps for all the other keys present in the selected key ring.
  10. If you have multiple key rings, repeat the steps for each key ring in your GCP Console.

Steps for Remediation

Determine whether you truly require the keys to be publicly accessible. If not, make the necessary changes using the steps given below.

Using the GCP Console:

  1. Log in to your GCP Console.
  2. From the top navigation bar, select your desired GCP project.
  3. From the navigation panel on the left side of the console, go to Security under the More products section and select Key management. You can click this link here to navigate directly if you’re already logged in.
  4. In the KEY RINGS tab, select the key ring you want to remediate from the list of key rings available. (If you aren’t sure which key ring needs to be configured, follow the steps to reproduce listed above to determine which key ring to choose.)
  5. Choose the key you want to remediate in the KEYS tab of the selected key ring.
  6. Click the SHOW INFO PANEL button in the right corner of the top bar and go to the PERMISSIONS tab to see the permissions.
  7. Turn off the Show inherited permissions toggle.
  8. Set Role/Principal to allAuthenticatedUsers and allUsers in the Filter box as shown in the screenshot below.
  9. Click the delete icon next to the member name you wish to remove. Click REMOVE in the confirmation pop-up box to confirm the removal.
  10. Repeat steps 5 to 9 for all the keys you want to remediate in the selected key ring.
  11. If you have multiple key rings, repeat steps 4 to 10 for each key ring you want to remediate in your GCP Console.
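The same check and fix, scripted, as an added example that is not part of this knowledge base page or of the plugin it describes. It takes a key's IAM policy in the JSON shape that `gcloud kms keys get-iam-policy KEY --keyring RING --location LOC --format=json` returns, reports every binding that names allUsers or allAuthenticatedUsers, and builds the remediated policy that steps 8 and 9 above produce by hand; the sample policy, its roles' members and its etag are constructed for the example.

```python
import copy
import json

# Principals that make a binding public (the two the console filter targets).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy for one CryptoKey, in get-iam-policy's JSON shape.
SAMPLE_POLICY = json.loads("""
{"bindings": [
   {"role": "roles/cloudkms.cryptoKeyDecrypter",
    "members": ["allUsers", "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
   {"role": "roles/cloudkms.viewer", "members": ["allAuthenticatedUsers"]},
   {"role": "roles/cloudkms.admin", "members": ["user:kms-admin@example.com"]}],
 "etag": "BwX-constructed"}
""")


def public_bindings(policy: dict) -> list[tuple[str, str]]:
    """Return (role, member) pairs that grant a role to a public principal."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_MEMBERS]


def remediate(policy: dict) -> dict:
    """Return a copy of the policy with every public member removed.

    A binding left with no members is dropped entirely, and the etag is kept
    so that a later setIamPolicy write stays conditional on the policy not
    having changed since it was read. The input policy is not modified.
    """
    fixed = copy.deepcopy(policy)
    for b in fixed.get("bindings", []):
        b["members"] = [m for m in b.get("members", []) if m not in PUBLIC_MEMBERS]
    fixed["bindings"] = [b for b in fixed.get("bindings", []) if b["members"]]
    return fixed


if __name__ == "__main__":
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {member} holds {role}")
    print(json.dumps(remediate(SAMPLE_POLICY), indent=2))
```

Feed the output of `remediate` to `gcloud kms keys set-iam-policy` only after confirming the remaining members are the ones the key's consumers actually need.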