Check For The Existence of Specific KMS CMKs
More Info:
Ensure that a specific list of KMS CMKs is available for use in your GCP project in order to meet the security and compliance requirements of the organization.
Risk Level
Low
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of checking for the existence of specific KMS CMKs in GCP using the GCP console, follow these steps:
- Open the Google Cloud Console and select the project that you want to work on.
- In the navigation menu, select “Security” and then select “Security Health Analytics”.
- Under “Security Health Analytics”, select “Findings”.
- In the search bar, enter “KMS” and select “KMS Key Ring Has No Rotation Policy”.
- This will show you a list of all the KMS key rings that have no rotation policy.
- For each key ring that has no rotation policy, click on the key ring name to open it.
- In the key ring page, click on the “Edit” button.
- Under “Rotation Interval”, select the desired rotation interval from the drop-down menu.
- Click on “Save” to save the changes.
- Repeat steps 6-9 for all the key rings that have no rotation policy.
By following these steps, you will remediate the misconfiguration of checking for the existence of specific KMS CMKs in GCP using the GCP console.
To remediate the misconfiguration of checking for the existence of specific KMS CMKs in GCP using the GCP CLI, follow these steps:
- Open the Google Cloud Shell or any terminal window where you have installed the GCP CLI and authenticate with your GCP account using the following command: `gcloud auth login`
- List all the key rings available in the project using the following command: `gcloud kms keyrings list --location=global`
- Identify the specific key ring that contains the CMKs that you want to check for existence.
- List all the crypto keys available in the identified key ring using the following command: `gcloud kms keys list --location=global --keyring=<keyring-name>`. Replace `<keyring-name>` with the name of the identified key ring.
- Identify the specific CMK that you want to check for existence.
- Check the existence of the identified CMK using the following command: `gcloud kms keys describe <key-name> --location=global --keyring=<keyring-name>`. Replace `<key-name>` with the name of the identified CMK and `<keyring-name>` with the name of the identified key ring.
- If the command returns an error message stating that the key does not exist, then the CMK does not exist. In this case, you can create the CMK using the following command: `gcloud kms keys create <key-name> --location=global --keyring=<keyring-name> --purpose=<purpose>`. Replace `<key-name>` with the name of the CMK that you want to create, `<keyring-name>` with the name of the identified key ring, and `<purpose>` with the purpose of the CMK (e.g. `encryption`). Note: you need the necessary IAM permissions to create a new CMK.
- If the command returns the details of the CMK, then the CMK exists and no further action is required.
By following these steps, you can remediate the misconfiguration of checking for the existence of specific KMS CMKs in GCP using the GCP CLI.
To remediate the misconfiguration of checking for the existence of specific KMS CMKs in GCP using Python, follow these steps:
- Import the necessary modules (`NotFound` is the exception the client raises for a key that does not exist):
```python
from google.api_core.exceptions import NotFound
from google.cloud import kms_v1
from google.oauth2 import service_account
```
- Set up the credentials for authentication:
```python
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
```
- Create a client object for the Key Management Service:
```python
client = kms_v1.KeyManagementServiceClient(credentials=credentials)
```
- Define the name of the key ring and the key to check for existence:
```python
keyring_name = 'my-keyring'
key_name = 'my-key'
```
- Use the client object to check for the existence of the key. Only a `NotFound` error means the key is absent; any other error (for example a permission problem) is left to propagate rather than being mistaken for a missing key:
```python
# Resource name of the key ring (the parent of the key)
parent = client.key_ring_path('<project_id>', '<location>', keyring_name)
# Full resource name of the CMK to check
key_full_name = client.crypto_key_path('<project_id>', '<location>', keyring_name, key_name)
try:
    client.get_crypto_key(name=key_full_name)
    print(f'Key {key_full_name} exists.')
except NotFound:
    print(f'Key {key_full_name} does not exist.')
```
- Replace `<path_to_service_account_file>`, `<project_id>`, `<location>`, `<keyring_name>`, and `<key_name>` with the appropriate values for your GCP environment.
- Run the script to check for the existence of the specified KMS CMKs, and remediate any that do not exist.
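The CLI and Python steps above check one CMK at a time. The following added example (not the page's own code) turns the check into a batch audit: it reads the JSON that `gcloud kms keys list --format=json` prints for a key ring, compares it with the list of CMKs the organization requires, and also flags required keys whose primary version is not ENABLED, which goes slightly beyond the existence check in the text. The project, key ring and key names, and the sample JSON, are constructed for the example.

```python
"""Report required KMS CMKs that are missing or not usable in a key ring."""
import json
import subprocess


def list_keys_json(project, location, keyring):
    """Run gcloud and return the parsed list of CryptoKey resources."""
    out = subprocess.check_output([
        "gcloud", "kms", "keys", "list",
        f"--project={project}", f"--location={location}",
        f"--keyring={keyring}", "--format=json",
    ])
    return json.loads(out)


def audit_required_keys(required, keys):
    """Return {"missing": [...], "not_usable": [...]} for the required CMKs.

    `required` holds short key names; `keys` is the gcloud JSON list.
    A key counts as usable only if its primary version is ENABLED
    (keys without a primary version, e.g. asymmetric keys, are flagged too).
    """
    present = {}
    for key in keys:
        short = key["name"].rsplit("/", 1)[-1]  # last path segment is the key name
        present[short] = key
    missing = sorted(k for k in required if k not in present)
    not_usable = sorted(
        k for k in required
        if k in present and present[k].get("primary", {}).get("state") != "ENABLED"
    )
    return {"missing": missing, "not_usable": not_usable}


# Constructed sample of what gcloud prints for a key ring with two keys.
SAMPLE_KEYS = json.loads("""[
  {"name": "projects/demo-project/locations/global/keyRings/app-ring/cryptoKeys/db-key",
   "purpose": "ENCRYPT_DECRYPT",
   "primary": {"name": "projects/demo-project/locations/global/keyRings/app-ring/cryptoKeys/db-key/cryptoKeyVersions/1", "state": "ENABLED"}},
  {"name": "projects/demo-project/locations/global/keyRings/app-ring/cryptoKeys/old-key",
   "purpose": "ENCRYPT_DECRYPT",
   "primary": {"name": "projects/demo-project/locations/global/keyRings/app-ring/cryptoKeys/old-key/cryptoKeyVersions/3", "state": "DISABLED"}}
]""")

if __name__ == "__main__":
    # For a live audit, replace SAMPLE_KEYS with list_keys_json(project, location, keyring).
    required = ["db-key", "old-key", "backup-key"]
    print(audit_required_keys(required, SAMPLE_KEYS))
```

Any name listed under "missing" corresponds to the "create the CMK" step above; names under "not_usable" exist but need their primary version re-enabled or rotated before they satisfy the requirement.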