GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Detect KMS Keys That Are Scheduled To Be Destroyed
More Info:
Detect the KMS Keys that are scheduled to be destroyed. NOTE: Data encrypted using the key cannot be decrypted once the key has been destroyed.
Risk Level
High
Address
Operational Maturity, Security
Compliance Standards
HITRUST
Triage and Remediation
Remediation
To detect KMS keys that are scheduled to be destroyed in GCP, follow these steps:
- Open the Google Cloud Console and select the project where the KMS key is located.
- In the left-hand menu, select “Security”.
- Click on “Key Management Service”.
- In the KMS dashboard, click on “Scheduled for destruction” in the left-hand menu.
- You will see a list of KMS keys that are scheduled for destruction.
To remediate this issue, you can either cancel the scheduled destruction or create a new key to replace the one that is scheduled for destruction. To cancel the scheduled destruction, follow these steps:
- Select the KMS key that is scheduled for destruction.
- Click on “Cancel destruction” in the top menu.
- Confirm the cancellation.
To create a new key to replace the one that is scheduled for destruction, follow these steps:
- Click on “Create key” in the top menu.
- Choose the key type and key version.
- Enter a name for the key.
- Click on “Create”.
Note: Be sure to update any applications or services that use the original KMS key with the new key.
To detect KMS keys that are scheduled to be destroyed in GCP, you can use the following steps:
-
Open the Cloud Shell in your GCP console.
-
Run the following command to list all the KMS keys that are scheduled for destruction:
gcloud kms keys list --filter="destroyScheduledTime.datetime() < datetime('now')"
-
This command will return a list of all the KMS keys that are scheduled for destruction. Note down the name of the key that you want to remediate.
-
To cancel the scheduled destruction of the key, run the following command:
gcloud kms keys undelete [KEY-NAME]
Replace [KEY-NAME] with the name of the key that you want to remediate.
-
This command will cancel the scheduled destruction of the key and the key will be available for use again.
-
Verify that the key is no longer scheduled for destruction by running the first command again.
By following these steps, you can remediate the misconfiguration of scheduled destruction of KMS keys in GCP using GCP CLI.
To detect KMS keys that are scheduled to be destroyed in GCP using Python, you can use the Google Cloud KMS API. Here are the steps to remediate this issue:
-
First, you need to authenticate and authorize your application to access the Google Cloud KMS API. You can use a service account key file for this purpose. You can create a service account and download the key file from the Google Cloud Console.
-
Install the Google Cloud KMS API client library for Python using pip:
pip install google-cloud-kms
-
Use the following Python code to detect KMS keys that are scheduled to be destroyed:
from google.cloud import kms_v1 from google.oauth2 import service_account # Replace [PROJECT_ID] with your GCP project ID project_id = '[PROJECT_ID]' # Replace [PATH_TO_KEY_FILE] with the path to your service account key file credentials = service_account.Credentials.from_service_account_file('[PATH_TO_KEY_FILE]') # Create a client to access the KMS API client = kms_v1.KeyManagementServiceClient(credentials=credentials) # List all the KMS keys in the project parent = f'projects/{project_id}/locations/global' response = client.list_key_rings(parent) # Check if any of the KMS keys are scheduled to be destroyed for key_ring in response: for crypto_key in key_ring.crypto_keys: if crypto_key.destroy_scheduled_duration.seconds > 0: print(f'KMS key {crypto_key.name} is scheduled to be destroyed in {crypto_key.destroy_scheduled_duration.seconds} seconds')
-
Once you have identified the KMS keys that are scheduled to be destroyed, you can either cancel the destruction or rotate the keys to new ones. Here are the steps for each option:
-
To cancel the destruction, use the following Python code:
# Replace [KEY_NAME] with the name of the KMS key that you want to cancel the destruction for key_name = '[KEY_NAME]' # Create a request to update the KMS key update_mask = {'paths': ['destroy_scheduled_duration']} crypto_key = {'name': key_name, 'destroy_scheduled_duration': {'seconds': 0}} request = {'crypto_key': crypto_key, 'update_mask': update_mask} # Send the request to the KMS API to update the KMS key response = client.update_crypto_key(request)
-
To rotate the keys to new ones, use the following Python code:
# Replace [KEY_NAME] with the name of the KMS key that you want to rotate key_name = '[KEY_NAME]' # Create a request to rotate the KMS key rotation_period = {'seconds': 604800} # Rotate the key every 7 days request = {'name': key_name, 'rotation_period': rotation_period} # Send the request to the KMS API to rotate the KMS key response = client.update_crypto_key(request)
Note: Rotating the keys to new ones is a best practice to ensure the security of your data.
-