More Info:
Ensure that the app-tier has its own dedicated KMS key, not one shared with other tiers, in order to protect the data that is transmitted from the application stack.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “KMS Key Should Have Unique Key In An App-Tier” for GCP using the GCP console, follow the below steps:
- Log in to your GCP console.
- Go to the Cloud KMS page.
- Click on Key Rings in the left-hand menu.
- Select the key ring that contains the misconfigured key.
- Select the key that has the misconfiguration.
- Click on the “Edit” button at the top of the page.
- In the “Key rotation” section, enable the “Automatic key rotation” option. Rotation is good practice for any key, but it does not by itself make the key unique to the app-tier.
- In the “Labels” section, add a label that identifies the key as the app-tier key (for example a tier label with the value app). If the same key is also referenced by resources in other tiers, labelling it is not enough: create a dedicated key for the app-tier and move the app-tier resources to it, as described in the CLI steps.
- Click on the “Save” button to save the changes.
Using CLI
To remediate this misconfiguration in GCP using the gcloud CLI, follow the below steps:
- Open the Cloud Shell in the GCP console.
- Set the project where the KMS key exists as the default project.
- Get the list of all the KMS keys in the project. Keys are listed per key ring and location, so repeat the listing for every key ring the app-tier may use.
- Identify the KMS key that is used in the app-tier and note down its name.
- Get the details of the KMS key (purpose, primary version, labels and rotation settings).
- Check that the key is unique by verifying that no resource outside the app-tier (disks, buckets or databases of other tiers) references it and that it is not used in any other app-tier in the project.
- If the key is not unique, create a new KMS key named [NEW_KEY_NAME] in [LOCATION] on the key ring [KEYRING_NAME], and label it as the app-tier key. Choose a unique name for the new key.
- Update the app-tier to use the new KMS key: re-encrypt or re-point every app-tier resource, since data written under the old key stays bound to it.
- Retire the old key [KEY_NAME] only if nothing else still references it. Cloud KMS does not delete a key outright: disable the old key's versions, then schedule them for destruction. Destruction is scheduled rather than immediate, and a scheduled version can be restored until its destroy time, but once a version is destroyed, data encrypted under it is unrecoverable. If the old key is still used by another tier, leave it in place.
- Verify that the misconfiguration has been remediated by checking that the KMS key used in the app-tier is unique and not used in any other app-tier in the project.
Using Python
To remediate the misconfiguration “KMS Key Should Have Unique Key In An App-Tier” for GCP using Python, follow these steps:
- Identify the KMS key that is being used by the App-Tier in GCP.
- Check that the KMS key is unique and not being used by any other application, service or tier in GCP.
- If the KMS key is not unique, create a new KMS key for the App-Tier and label it as such.
- Update the App-Tier to use the new KMS key, and retire the old key only once nothing else references it.
Note: Replace <PROJECT_ID>, <LOCATION>, <KEYRING_NAME> and <KEY_NAME> with the appropriate values for your GCP project and KMS key.
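The following is an added example, not code from the original page or from the compliance tool it describes. It implements the uniqueness check from the CLI and Python steps above on plain usage records, then generates the gcloud commands for the remediation, including the guard that the old key is only disabled and scheduled for destruction when no resource references it any more. The assumption (not stated on the page) is that every resource referencing a customer-managed key carries a tier label; the usage records in sample_usages() are constructed sample data, and the project, key ring and key names are placeholders. The gcloud commands and the optional google-cloud-kms client call are real APIs.

```python
"""Added example (not from the original page): is the app-tier's Cloud KMS
key dedicated to that tier, and if not, which gcloud commands fix it.
Assumption: resources that reference a CMEK carry a "tier" label."""
from __future__ import annotations

from dataclasses import dataclass, replace

try:  # optional: live key listing only; the check itself runs offline
    from google.cloud import kms  # type: ignore
except ImportError:
    kms = None


@dataclass(frozen=True)
class KeyUsage:
    resource: str   # e.g. a GCE disk, GCS bucket or Cloud SQL instance
    tier: str       # value of the resource's "tier" label
    key_name: str   # full name of the CMEK the resource references


def full_key_name(project: str, location: str, keyring: str, key: str) -> str:
    return f"projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}"


def key_id(full_name: str) -> str:
    """'.../cryptoKeys/app-key' -> 'app-key'."""
    return full_name.rsplit("/", 1)[-1]


def tiers_per_key(usages: list[KeyUsage]) -> dict[str, set[str]]:
    """Map every referenced key to the set of tiers that use it."""
    out: dict[str, set[str]] = {}
    for u in usages:
        out.setdefault(u.key_name, set()).add(u.tier)
    return out


def shared_keys(usages: list[KeyUsage], tier: str = "app") -> list[str]:
    """Keys the tier shares with at least one other tier: the non-compliant ones."""
    return sorted(k for k, t in tiers_per_key(usages).items()
                  if tier in t and len(t) > 1)


def is_compliant(usages: list[KeyUsage], tier: str = "app") -> bool:
    """Compliant when the tier uses at least one key and shares none of them."""
    used = [k for k, t in tiers_per_key(usages).items() if tier in t]
    return bool(used) and not shared_keys(usages, tier)


def list_keys(project: str, location: str, keyring: str) -> dict[str, dict]:
    """Live lookup with the real client: key name -> labels (needs network)."""
    if kms is None:
        raise RuntimeError("pip install google-cloud-kms for live listing")
    client = kms.KeyManagementServiceClient()
    parent = client.key_ring_path(project, location, keyring)
    return {k.name: dict(k.labels)
            for k in client.list_crypto_keys(request={"parent": parent})}


def plan_new_key(project, location, keyring, new_key, tier="app") -> list[str]:
    """Select the project, list the ring, create a dedicated labelled key."""
    return [
        f"gcloud config set project {project}",
        f"gcloud kms keys list --location {location} --keyring {keyring}",
        f"gcloud kms keys create {new_key} --location {location} "
        f"--keyring {keyring} --purpose encryption --labels tier={tier}",
    ]


def migrate(usages, tier, new_key_name) -> list[KeyUsage]:
    """Point every resource of the tier at the dedicated key (simulated here;
    in practice each resource type has its own re-encryption procedure)."""
    return [replace(u, key_name=new_key_name) if u.tier == tier else u
            for u in usages]


def plan_retire_old_key(usages_after, old_key, location, keyring,
                        versions=(1,)) -> list[str]:
    """Only when nothing references the old key any more. Cloud KMS never
    deletes a key outright: versions are disabled, then scheduled for
    destruction, which stays reversible until the destroy time."""
    if any(u.key_name == old_key for u in usages_after):
        still = sorted({u.tier for u in usages_after if u.key_name == old_key})
        return [f"# {key_id(old_key)} still used by tier(s) {still}: do not destroy"]
    cmds = []
    for v in versions:
        base = f"{v} --key {key_id(old_key)} --location {location} --keyring {keyring}"
        cmds += [f"gcloud kms keys versions disable {base}",
                 f"gcloud kms keys versions destroy {base}"]
    return cmds


def sample_usages() -> list[KeyUsage]:
    """Constructed data: the app and db tiers share one key (non-compliant)."""
    shared = full_key_name("my-proj", "us-central1", "prod-ring", "shared-key")
    return [KeyUsage("disk/app-vm-0", "app", shared),
            KeyUsage("bucket/app-uploads", "app", shared),
            KeyUsage("sql/orders-db", "db", shared)]


if __name__ == "__main__":
    usages = sample_usages()
    print("compliant before:", is_compliant(usages))   # False
    old = shared_keys(usages)[0]
    new = full_key_name("my-proj", "us-central1", "prod-ring", "app-tier-key")
    print(*plan_new_key("my-proj", "us-central1", "prod-ring", "app-tier-key"), sep="\n")
    after = migrate(usages, "app", new)
    print("compliant after:", is_compliant(after))     # True
    print(*plan_retire_old_key(after, old, "us-central1", "prod-ring"), sep="\n")
```

In the constructed scenario the db tier still uses the old key after the app-tier has moved, so the retirement step emits a warning comment instead of disable/destroy commands; only once no tier references the key does it emit the version disable and destroy commands. The migration itself is simulated: for real resources, disks, buckets and databases each have their own re-encryption procedure, and the usage records would come from an inventory of those resources rather than from Cloud KMS.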