Google Cloud IAM

Users with Admin and CryptoKey Roles

Risk Level: Low

Description

This plugin ensures that no user or service account holds the KMS Admin role together with any of the CryptoKey roles. Keeping key administration and key use on different principals follows the separation of duties principle, where no user should have access to resources outside the scope of their duty.

About the Service

Google Cloud IAM:

Identity and Access Management (IAM) is the Google Cloud policy framework that specifies access controls for Google Cloud resources. IAM lets administrators authorize who can take which action on specific resources, giving you full control and visibility to manage Google Cloud resources centrally. For enterprises with complex organizational structures, many workgroups, and many projects, IAM provides a unified view into security policy across your whole organization, with built-in auditing to ease compliance processes. For more information, see the Google Cloud IAM documentation.

Impact

A service account is an account used by an application or compute workload rather than an individual end user. Code hosted on Google Cloud runs as the service account you specify, and you can create as many service accounts as needed to represent the different logical components of your application (see Getting started with authentication). The KMS Admin role (roles/cloudkms.admin) grants full management of Cloud KMS resources, including creating, rotating, disabling and destroying keys and setting the IAM policy on key rings and keys, but it deliberately excludes the encrypt and decrypt operations. Those are granted by the CryptoKey roles (roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter). A principal holding both can grant itself access to any key, use it to decrypt the data it protects, and then rotate or destroy the key, so a single compromised credential defeats every control the key was meant to enforce. This plugin therefore checks that no user or service account has the KMS Admin role and any of the CryptoKey roles at the same time, in line with separation of duties: no user should have access to resources outside the scope of their duty.

Steps To Reproduce

Using GCP Console-

In order to ensure that no service accounts or other principals in your GCP Projects have both the KMS Admin role (roles/cloudkms.admin) and any of the CryptoKey roles (roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter) attached, follow the steps given below:

  1. Firstly, sign in to the Google Cloud Platform Console using an account with administrator access.
  2. Now, from the top navigation bar, select the GCP Project you want to investigate.
  3. From the Navigation Menu on the left, find the IAM & Admin section under All Products and click on it.
  4. Under IAM & Admin, click on IAM. The IAM page will appear on the screen.
  5. Click on the Permissions tab present at the top.
  6. A list of all the Principals will appear on the screen. Now, click on the Roles option under View By.
  7. A list grouped by role will appear, with a Role/Principal column. Expand the Cloud KMS Admin role and each of the CryptoKey roles and check whether any principal (service account, user or group) appears under both the KMS Admin role and any of the CryptoKey roles, as shown in the figure below.
  8. Any principal listed under both holds the KMS Admin role together with one or more CryptoKey roles and violates the separation of duties this plugin checks for.
  9. Repeat the steps mentioned above to review principals in the other projects and folders of every GCP organization within your account. The project IAM page also shows roles inherited from the folder and organization level, but roles granted directly on a key ring or key (under Security > Key Management) are not shown there and must be checked separately.

Steps For Remediation

Using GCP Console-

In order to reconfigure the affected principals so that no user or service account holds the KMS Admin role together with any of the CryptoKey roles, follow the below-mentioned steps:

  1. Firstly, sign in to the Google Cloud Platform Console using an account with administrator access.
  2. Now, from the top navigation bar, select the GCP Project you want to reconfigure.
  3. From the Navigation Menu on the left, find the IAM & Admin section under All Products and click on it.
  4. Under IAM & Admin, click on IAM. The IAM page will appear on the screen.
  5. Click on the Permissions tab present at the top.
  6. A list of all the Principals will appear on the screen. Now, click on the Roles option under View By.
  7. A list grouped by role will appear, with a Role/Principal column. Expand the Cloud KMS Admin role and each of the CryptoKey roles and check whether any principal (service account, user or group) appears under both the KMS Admin role and any of the CryptoKey roles, as shown in the figure below.
  8. Any principal listed under both holds the KMS Admin role and one or more CryptoKey roles. For each such principal, decide which duty it should keep: click the Edit (pencil) icon next to the principal, remove the role belonging to the other duty (the CryptoKey role for a key administrator, the KMS Admin role for a workload that must encrypt or decrypt) and click Save. Deleting the principal is not required and would break any workload authenticating as it; where a workload genuinely needs both key administration and key use, split the two duties across separate service accounts by creating a second one as follows.
  9. Now, go to the Service Accounts section under IAM & Admin.
  10. Click on the Create Service Account option present at the top.
  11. A new Create Service Account page will appear on the screen. Enter the necessary details under the Service account details step, then click on the Create and Continue button.
  12. Under the Grant this service account access to project step, click on the Select a role option to open up the dropdown menu.
  13. While selecting roles, grant only the roles of one duty: either the KMS Admin role or one of the CryptoKey roles, never both. Then click on the Continue button.
  14. Click on the Done button present at the bottom to create the new service account, then go back to the previous page and move the role you removed in step 8 onto the new account.
  15. You may repeat the above steps for other GCP Projects under your organization.
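The console walkthroughs above (both the check under Steps To Reproduce and the role removal under Steps For Remediation) do not scale to many projects. The script below is an added example, not the plugin's own code: it reads an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` produces, reports every principal that holds roles/cloudkms.admin together with any CryptoKey role, and prints the `gcloud projects remove-iam-policy-binding` commands that drop the CryptoKey side of each conflict. The embedded policy, project name and principal names are constructed for the example.

```python
"""Detect principals holding roles/cloudkms.admin plus any CryptoKey role in a
Google Cloud IAM policy, and emit gcloud commands that remove the conflict.

Added example, not part of the plugin.  SAMPLE_POLICY is constructed; a real
policy comes from:
    gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
That output holds project-level bindings only.  Folder/organization policies
and bindings set directly on key rings or keys (gcloud kms keyrings
get-iam-policy, gcloud kms keys get-iam-policy) must be checked separately.
"""
import json
from collections import defaultdict

KMS_ADMIN_ROLE = "roles/cloudkms.admin"
CRYPTOKEY_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}

# Constructed sample in the shape `gcloud ... get-iam-policy --format=json` returns.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudkms.admin",
         "members": ["serviceAccount:kms-ops@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["serviceAccount:kms-ops@example-project.iam.gserviceaccount.com",
                     "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        # A conditional binding (policy version 3) still grants the role when
        # the condition holds, so it must count toward the conflict.
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["user:alice@example.com"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXyz123",
    "version": 3,
})


def roles_by_principal(policy_json):
    """Invert the policy: member -> set of roles bound to it."""
    policy = json.loads(policy_json)
    roles = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles[member].add(binding["role"])
    return roles


def find_violations(policy_json):
    """Return {member: sorted CryptoKey roles} for each member that also holds
    roles/cloudkms.admin.  Members holding only one side are not reported."""
    violations = {}
    for member, roles in roles_by_principal(policy_json).items():
        if KMS_ADMIN_ROLE in roles:
            conflicting = sorted(roles & CRYPTOKEY_ROLES)
            if conflicting:
                violations[member] = conflicting
    return violations


def remediation_commands(project_id, violations):
    """gcloud commands removing the CryptoKey side of each conflict so the
    principal keeps only the admin duty.  Which side to drop is a design
    decision: for a workload that must use keys, remove roles/cloudkms.admin
    instead.  Conditional bindings additionally need --condition (or --all)."""
    cmds = []
    for member, roles in sorted(violations.items()):
        for role in roles:
            cmds.append(
                f"gcloud projects remove-iam-policy-binding {project_id} "
                f"--member={member} --role={role}"
            )
    return cmds


if __name__ == "__main__":
    found = find_violations(SAMPLE_POLICY)
    for member, roles in found.items():
        print(f"VIOLATION {member}: {KMS_ADMIN_ROLE} + {', '.join(roles)}")
    print("\n".join(remediation_commands("example-project", found)))
```

Run it against a saved policy by replacing SAMPLE_POLICY with the file contents. Review each generated command before running it: a conditional binding is only removed when the `--condition` flag matches the stored condition, and a principal that is a workload identity usually needs the CryptoKey role kept and the admin role removed instead.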