Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “KMS Key Should Have Unique Key In An App-Tier” for GCP using the GCP console, follow these steps:
- Log in to your GCP console.
- Go to the Cloud KMS page.
- Click on the Key Rings in the left-hand menu.
- Select the key ring in which the misconfigured key is present.
- Select the key that has the misconfiguration.
- Click on the “Edit” button at the top of the page.
- In the “Key rotation” section, enable the “Automatic key rotation” option.
- In the “Labels” section, add a label with a unique key that identifies the key as being used in the app-tier.
- Click on the “Save” button to save the changes.
Using CLI
To remediate this misconfiguration in GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP console.
- Set the project where the KMS key exists as the default project using the following command:
- Get the list of all the KMS keys in the project using the following command:
- Identify the KMS key that is used in the app-tier and note down its name.
- Get the details of the KMS key using the following command:
- Check that the key is unique by verifying that it is not used in any other app-tier in the project.
- If the key is not unique, create a new KMS key using the following command:
  Replace [NEW_KEY_NAME] with a unique name for the new KMS key, [LOCATION] with the location where you want to create the key, and [KEYRING_NAME] with the name of the keyring where you want to create the key.
- Update the app-tier to use the new KMS key.
- Delete the old KMS key using the following command:
  Replace [KEY_NAME] with the name of the old KMS key that you want to delete.
- Verify that the misconfiguration has been remediated by checking that the KMS key used in the app-tier is unique and not used in any other app-tier in the project.
Using Python
To remediate the misconfiguration “KMS Key Should Have Unique Key In An App-Tier” for GCP using Python, you can follow these steps:
- Identify the KMS key that is being used by the App-Tier in GCP.
- Check if the KMS key is unique and not being used by any other application or service in GCP.
- If the KMS key is not unique, create a new KMS key for the App-Tier.
- Update the App-Tier to use the new KMS key.
Note: Replace <PROJECT_ID>, <LOCATION>, <KEYRING_NAME>, <KEY_NAME> with the appropriate values for your GCP project and KMS key.
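As an added example (not code from the original page), the "check that the key is unique" step of the CLI and Python procedures above, together with the automatic-rotation check from the console steps, run over a constructed inventory. It assumes the caller has already fetched each key's labels and rotation period (as `gcloud kms keys describe --format=json` reports them) and a resource-to-key mapping from its own asset inventory, and that app tiers are identified by an `app-tier` label.

```python
from collections import defaultdict

# Constructed sample inventory (not real project data). Each entry mirrors the
# fields a `gcloud kms keys describe --format=json` call returns for a key:
# its labels and rotationPeriod (None when automatic rotation is disabled).
KEYS = {
    "web-key":    {"labels": {"app-tier": "web"}, "rotationPeriod": "7776000s"},
    "shared-key": {"labels": {"app-tier": "app"}, "rotationPeriod": None},
    "db-key":     {"labels": {"app-tier": "db"},  "rotationPeriod": "7776000s"},
}

# Constructed usage records: (resource, tier it belongs to, key that encrypts it).
# Assumption: the caller gathers these from its resource inventory (disk, bucket
# or database encryption settings); Cloud KMS itself does not record who uses a key.
USAGE = [
    ("web-vm-1",  "web", "web-key"),
    ("app-vm-1",  "app", "shared-key"),
    ("app-vm-2",  "app", "shared-key"),
    ("db-vm-1",   "db",  "shared-key"),   # db tier reusing the app tier's key
    ("db-disk-1", "db",  "db-key"),
]


def tiers_per_key(usage):
    """Map each key name to the set of app tiers that encrypt resources with it."""
    tiers = defaultdict(set)
    for _resource, tier, key in usage:
        tiers[key].add(tier)
    return tiers


def find_findings(keys, usage):
    """Return (key, reason) pairs for keys that violate the control.

    A key fails when more than one tier uses it, when the tier using it does not
    match its app-tier label (or the label is missing), or when automatic
    rotation is disabled.
    """
    findings = []
    used_by = tiers_per_key(usage)
    for name, meta in keys.items():
        tiers = used_by.get(name, set())
        label = meta["labels"].get("app-tier")
        if len(tiers) > 1:
            findings.append((name, "shared by tiers " + ",".join(sorted(tiers))))
        if label is None or (tiers and tiers != {label}):
            findings.append((name, f"app-tier label {label!r} does not match usage"))
        if not meta.get("rotationPeriod"):
            findings.append((name, "automatic rotation disabled"))
    return findings


if __name__ == "__main__":
    for key, reason in find_findings(KEYS, USAGE):
        print(f"{key}: {reason}")
```

Keys flagged as shared need a dedicated replacement key per tier before the old one is retired; note that Cloud KMS does not delete keys outright, it only lets you schedule individual key versions for destruction.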