KMS Key Should Have Unique Key In An App-Tier

More Info:

Ensure that there is a KMS Key in the App-tier in order to protect the data that is transmitted from the application stack.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate this misconfiguration in GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in the GCP console.
Set the project where the KMS key exists as the default project using the following command:
```
gcloud config set project [PROJECT_ID]
```
Get the list of all the KMS keys in the project using the following command:
```
gcloud kms keys list
```
Identify the KMS key that is used in the app-tier and note down its name.
Get the details of the KMS key using the following command:
```
gcloud kms keys describe [KEY_NAME]
```
Check if the key is unique by verifying that it is not used in any other app-tier in the project.
If the key is not unique, create a new KMS key using the following command:
```
gcloud kms keys create [NEW_KEY_NAME] --location [LOCATION] --keyring [KEYRING_NAME] --purpose encryption
```
Replace [NEW_KEY_NAME] with a unique name for the new KMS key, [LOCATION] with the location where you want to create the key, and [KEYRING_NAME] with the name of the keyring where you want to create the key.
Update the app-tier to use the new KMS key.
Delete the old KMS key using the following command:
```
gcloud kms keys delete [KEY_NAME]
```
Replace [KEY_NAME] with the name of the old KMS key that you want to delete.
Verify that the misconfiguration has been remediated by checking that the KMS key used in the app-tier is unique and not used in any other app-tier in the project.

Using Python

To remediate the misconfiguration “KMS Key Should Have Unique Key In An App-Tier” for GCP using Python, you can follow these steps:

Identify the KMS key that is being used by the App-Tier in GCP.
Check if the KMS key is unique and not being used by any other application or service in GCP.
If the KMS key is not unique, create a new KMS key for the App-Tier.
Update the App-Tier to use the new KMS key.

Here’s the Python code to remediate the misconfiguration:

from google.cloud import kms_v1

# Set the name of the KMS key being used by the App-Tier
key_name = 'projects/<PROJECT_ID>/locations/<LOCATION>/keyRings/<KEYRING_NAME>/cryptoKeys/<KEY_NAME>'

# Create a KMS client
client = kms_v1.KeyManagementServiceClient()

# Check if the KMS key is unique
response = client.list_key_rings(parent='projects/<PROJECT_ID>/locations/<LOCATION>')
for key_ring in response:
    for crypto_key in key_ring.crypto_keys:
        if crypto_key.name == key_name:
            print('KMS key is not unique.')
            # Create a new KMS key for the App-Tier
            new_key_name = 'projects/<PROJECT_ID>/locations/<LOCATION>/keyRings/<KEYRING_NAME>/cryptoKeys/new_key'
            new_key = client.create_crypto_key(parent='projects/<PROJECT_ID>/locations/<LOCATION>/keyRings/<KEYRING_NAME>', crypto_key_id='new_key', purpose=kms_v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT)
            # Update the App-Tier to use the new KMS key
            # ...
            break
    else:
        continue
    break
else:
    print('KMS key is unique.')

Note: Replace <PROJECT_ID>, <LOCATION>, <KEYRING_NAME>, <KEY_NAME> with the appropriate values for your GCP project and KMS key.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

KMS Key Should Have Unique Key In An App-Tier

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation