KMS Cross Account Access Must Not Be Present
More Info:
Ensure that all KMS keys are configured to be accessed only by trusted accounts in order to prevent unauthorized accessRisk Level
HighAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the KMS Cross Account Access misconfiguration in GCP using the GCP console, follow these steps:
- Open the GCP Console and navigate to the Key Management Service (KMS) page.
- Select the key ring that has cross-account access enabled.
- Click on the key for which cross-account access is enabled.
- Click on the “Permissions” tab.
- Click the “Edit” button at the top of the page.
- Find the member that has cross-account access and click the “X” to remove it.
- Click “Save” to save the changes.
Using CLI
Using CLI
To remediate the KMS Cross Account Access Misconfiguration in GCP using GCP CLI, you can follow these steps:
-
First, you need to identify the KMS keyring and cryptokey that has cross-account access. You can use the following command to list all the KMS keyrings in your GCP project:
Once you have identified the keyring, you can list all the cryptokeys in that keyring using the following command:Identify the cryptokey that has cross-account access.
-
Once you have identified the cryptokey, you can remove the cross-account access by updating the IAM policy for that cryptokey. You can use the following command to remove all the members from the IAM policy for that cryptokey:
This command sets the IAM policy for the cryptokey to an empty policy, which effectively removes all the members from the policy.
-
Finally, you can verify that the cross-account access has been removed by listing the IAM policy for the cryptokey using the following command:
This command should return an empty policy, indicating that there are no members with access to the cryptokey.
Using Python
Using Python
To remediate the KMS Cross Account Access misconfiguration in GCP using Python, you can follow the below steps:In the above code, we are removing the condition that allows cross-account access and adding the service account of the Compute Engine instance in the same project as a member with the By following these steps, you can remediate the KMS Cross Account Access misconfiguration in GCP using Python.
- First, you need to identify the KMS key that has cross-account access enabled. You can use the following command to list all the KMS keys in your project:
- Once you have identified the KMS key, you can disable cross-account access by updating the IAM policy of the KMS key. You can use the following code to update the IAM policy:
roles/cloudkms.cryptoKeyEncrypterDecrypter role. This will allow the Compute Engine instance to access the KMS key but prevent cross-account access.- Finally, you can verify that cross-account access has been disabled for the KMS key by running the following command: