GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
KMS Admin Roles Should Not Have CryptoKey Role
More Info:
Ensure that no users have the KMS admin role and any one of the CryptoKey roles follows separation of duties, where no user have access to resources out of the scope of duty.
Risk Level
Critical
Address
Security
Compliance Standards
CISGCP, CBP, ISO27001
Triage and Remediation
Remediation
To remediate the misconfiguration “KMS Admin Roles Should Not Have CryptoKey Role” in GCP using GCP console, you can follow the below steps:
- Login to your GCP console and navigate to the IAM & Admin page.
- In the IAM & Admin page, select the “Roles” tab.
- Search for the “Cloud KMS Admin” role and click on it.
- Under the “Permissions” tab, search for the “cloudkms.cryptoKeyRoles.*” permission.
- Click on the pencil icon next to the “cloudkms.cryptoKeyRoles.*” permission to edit it.
- Uncheck the “cloudkms.cryptoKeyRoles.*” permission and click on the “Save” button.
- Verify that the “cloudkms.cryptoKeyRoles.*” permission is no longer present under the “Permissions” tab for the “Cloud KMS Admin” role.
By following the above steps, you have successfully remediated the misconfiguration “KMS Admin Roles Should Not Have CryptoKey Role” in GCP using GCP console.
To remediate this issue in GCP using GCP CLI, you can follow the below steps:
-
Open the Google Cloud Console and go to the Cloud Shell.
-
Run the following command to list all the KMS admin roles in your project:
gcloud kms roles list -
Identify the KMS admin role that has the
roles/cloudkms.cryptoKeyEncrypterDecrypterrole. -
Run the following command to remove the
roles/cloudkms.cryptoKeyEncrypterDecrypterrole from the KMS admin role:gcloud kms roles revoke [KMS_ADMIN_ROLE] --permission=cloudkms.cryptoKeyEncrypterDecrypterReplace
[KMS_ADMIN_ROLE]with the name of the KMS admin role that you identified in step 3. -
Verify that the
roles/cloudkms.cryptoKeyEncrypterDecrypterrole has been removed from the KMS admin role by running the following command:gcloud kms roles describe [KMS_ADMIN_ROLE]Replace
[KMS_ADMIN_ROLE]with the name of the KMS admin role that you identified in step 3.This command should output the details of the KMS admin role, which should not include the
roles/cloudkms.cryptoKeyEncrypterDecrypterrole.
By following these steps, you should be able to remediate the issue of KMS admin roles having the roles/cloudkms.cryptoKeyEncrypterDecrypter role in GCP using GCP CLI.
To remediate the misconfiguration “KMS Admin Roles Should Not Have CryptoKey Role” in GCP using Python, you can follow the below steps:
Step 1: Create a list of all the KMS admin roles that have CryptoKey role.
from google.oauth2 import service_account
from googleapiclient.discovery import build
# Set the credentials
credentials = service_account.Credentials.from_service_account_file(
'path/to/service_account.json')
# Set the project id
project_id = 'your_project_id'
# Create the KMS client
kms_client = build('cloudkms', 'v1', credentials=credentials)
# Get the list of all the KMS admin roles
roles_list = kms_client.projects().locations().keyRings().cryptoKeys().getIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name)).execute()
# Create a list of all the KMS admin roles that have CryptoKey role
kms_admin_cryptokey_roles = []
for role in roles_list['bindings']:
if 'roles/cloudkms.admin' in role['role']:
for member in role['members']:
if 'cryptoKey' in member:
kms_admin_cryptokey_roles.append(role['role'])
Step 2: Remove the CryptoKey role from all the KMS admin roles.
from google.oauth2 import service_account
from googleapiclient.discovery import build
# Set the credentials
credentials = service_account.Credentials.from_service_account_file(
'path/to/service_account.json')
# Set the project id
project_id = 'your_project_id'
# Create the KMS client
kms_client = build('cloudkms', 'v1', credentials=credentials)
# Remove the CryptoKey role from all the KMS admin roles
for role in kms_admin_cryptokey_roles:
policy = kms_client.projects().locations().keyRings().cryptoKeys().getIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name)).execute()
for binding in policy['bindings']:
if binding['role'] == role:
binding['members'] = [member for member in binding['members'] if 'cryptoKey' not in member]
kms_client.projects().locations().keyRings().cryptoKeys().setIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name), body={'policy': policy}).execute()
Note: Replace the path/to/service_account.json, your_project_id, location, keyring_name, and cryptokey_name with the actual values in your GCP environment.