More Info:

KMS keys should be monitored to ensure that they are not overexposed, i.e. that at most a certain number of users is associated with a key.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

To remediate the misconfiguration “KMS Key Should Be Associated With Minimum Users” in GCP using the Google Cloud console, follow these steps:

  1. Go to the Google Cloud Console and select the project where the KMS key is located.
  2. In the navigation menu, select “Security” and then “Key Management”.
  3. Find the KMS key that needs to be updated and click on its name.
  4. In the “Permissions” tab, review the current users and service accounts that have access to the key.
  5. Remove any unnecessary users and service accounts from the key’s permissions list.
  6. Click on the “Add Member” button to add new users or service accounts to the key’s permissions list.
  7. Select the appropriate role for each user or service account, such as “Cloud KMS CryptoKey Encrypter/Decrypter” or “Cloud KMS CryptoKey Decrypter”.
  8. Click “Save” to apply the changes to the key’s permissions.

By following these steps, you can ensure that the KMS key is associated with the minimum number of users necessary, reducing the risk of unauthorized access to the key.
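To verify the result of the steps above outside the console, the following added example (not part of the original page or of any vendor tooling) audits a key's IAM policy as exported by `gcloud kms keys get-iam-policy`. The sample policy is constructed, and the threshold `MAX_MEMBERS` and the function name `audit_key_policy` are assumptions, since the page does not state a number.

```python
import json

# Constructed sample: the JSON shape printed by
#   gcloud kms keys get-iam-policy KEY --keyring KEYRING --location LOCATION --format=json
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:alice@example.com", "user:bob@example.com",
                 "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["user:alice@example.com", "group:analysts@example.com",
                 "deleted:user:carol@example.com?uid=123456789"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

MAX_MEMBERS = 3  # assumed threshold; the page does not state a number
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def audit_key_policy(policy, max_members=MAX_MEMBERS):
    """Return findings for one key's IAM policy.

    Only bindings set directly on the key are visible here; access inherited
    from the key ring or project must be reviewed on those resources.
    """
    roles_by_member = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(binding["role"])

    active = {m for m in roles_by_member if not m.startswith("deleted:")}
    return {
        "member_count": len(active),  # distinct principals, not bindings
        "overexposed": len(active) > max_members,
        "public": sorted(active & PUBLIC),
        # A group is one member here but may contain many users.
        "groups": sorted(m for m in active if m.startswith("group:")),
        # Bindings left behind for deleted principals can be removed outright.
        "stale": sorted(m for m in roles_by_member if m.startswith("deleted:")),
        "roles_by_member": {m: sorted(r) for m, r in roles_by_member.items()},
    }


if __name__ == "__main__":
    print(json.dumps(audit_key_policy(SAMPLE_POLICY), indent=2))
```

Members reported under `stale`, `public` or `groups` are the first candidates for review in step 5.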