Triage and Remediation
Remediation
Using Console
Follow these steps to remediate the “KMS Cryptokeys Should Not Be Public” misconfiguration in GCP using the GCP console:
- Open the GCP console and navigate to the “Cloud KMS” page.
- Select the key ring that contains the publicly accessible key that needs to be remediated.
- Click on the key that needs to be remediated.
- Click on the “Permissions” tab.
- Under the “Members” section, locate the principal that grants public access to the key (a binding for allUsers or allAuthenticatedUsers makes the key public).
- Click on the drop-down menu next to the user or group and select “Remove”.
- Click on the “Save” button to save the changes.
- Repeat steps 5-7 for any other users or groups that have public access to the key.
- Once all public access has been removed, click on the “IAM” tab.
- Check the IAM policies for the key and ensure that only authorized users or groups have access.
- Remove any unnecessary or overly permissive IAM policies.
- Click on the “Save” button to save the changes.
Using CLI
To remediate the KMS Cryptokeys Should Not Be Public issue for GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in your GCP console.
- Run the following command to list all the KMS keys in your project. Replace <keyring-name> with the name of the keyring containing the keys you want to check:
- Identify the key(s) that have the public key policy set.
- Run the following command to remove the public key policy from the identified key(s). Replace <key-name> with the name of the identified key and <path-to-iam-policy-file> with the path to a file containing the new IAM policy for the key:
- Here’s an example of a new IAM policy that removes the public key policy. Replace <service-account-email> with the email address of a service account that needs access to the key:
- Verify that the public key policy has been removed from the identified key(s) by running the following command. Replace <key-name> with the name of the identified key. This should return the new IAM policy that you set in step 4 without the public key policy:
- Repeat steps 3-5 for any other identified keys that have the public key policy set.
Using Python
To remediate the misconfiguration “KMS Cryptokeys Should Not Be Public” in GCP using Python, follow the steps below:
- First, check whether there are any publicly exposed KMS Cryptokeys in your GCP project. You can use the following Python code to list all the KMS Cryptokeys in your project:
- Once you have the list of all the KMS Cryptokeys in your project, check whether any of them are public. You can use the following Python code to check if a KMS Cryptokey is public:
- If you find any publicly exposed KMS Cryptokeys, remove the public access. You can use the following Python code to remove public access from a KMS Cryptokey:
By following the above steps, you can remediate the misconfiguration “KMS Cryptokeys Should Not Be Public” in GCP using Python.
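As an added example (not code from the original page), the script below performs the "is it public" check and the "remove public access" fix from the CLI and Python steps above on a Cloud KMS key IAM policy: a key is public when any binding lists allUsers or allAuthenticatedUsers, and remediation means dropping those principals while keeping every other member and the policy etag. The sample policy, its role names, project and account names are constructed; in practice the input is the JSON returned by gcloud kms keys get-iam-policy --format=json, and the output is the file passed to the set-iam-policy step.

```python
import json

# Principals that make a Cloud KMS key reachable by anyone (or any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape of `gcloud kms keys get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["allUsers",
                     "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.publicKeyViewer",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/cloudkms.viewer",
         "members": ["group:kms-admins@example.com"]},
    ],
    "etag": "BwXexampleEtag=",
    "version": 1,
}


def public_bindings(policy):
    """Return (role, member) pairs that grant the key to a public principal."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def remove_public_access(policy):
    """Return a new policy with public principals stripped from every binding.

    Bindings left with no members are dropped entirely (an empty members list is
    rejected by set-iam-policy). The etag is preserved so that set-iam-policy
    fails safely if someone changed the policy between get and set.
    """
    new_bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            new_bindings.append({**binding, "members": members})  # keeps any condition
    return {**policy, "bindings": new_bindings}


if __name__ == "__main__":
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"public binding: {member} -> {role}")
    # Save this output as the <path-to-iam-policy-file> for set-iam-policy.
    print(json.dumps(remove_public_access(SAMPLE_POLICY), indent=2))
```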