1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible

Information

It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.

Rationale:

Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.

Impact:

Removing the binding for allUsers and allAuthenticatedUsers members denies accessing cryptokeys to anonymous or public users.

Solution

From Google Cloud CLI

List all Cloud KMS Cryptokeys.

gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers using the below command.

gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'

gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'

Default Value:

By default Cloud KMS does not allow access to allUsers or allAuthenticatedUsers.

See Also

https://workbench.cisecurity.org/benchmarks/11843

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: GCP

Control ID: 82fa3059f17782f891d4a573c4f86ebb3842dba59a565361db9ed1364f29b772