Triage and Remediation
Remediation
Using Console
To remediate this misconfiguration (the check for the existence of specific KMS CMKs in GCP) using the Google Cloud console, follow these steps:
1. Open the Google Cloud Console and select the project that you want to work on.
2. In the navigation menu, select "Security" and then select "Security Health Analytics".
3. Under "Security Health Analytics", select "Findings".
4. In the search bar, enter "KMS" and select "KMS Key Ring Has No Rotation Policy".
5. This shows a list of all the KMS key rings that have no rotation policy.
6. For each key ring that has no rotation policy, click the key ring name to open it.
7. On the key ring page, click the "Edit" button.
8. Under "Rotation Interval", select the desired rotation interval from the drop-down menu.
9. Click "Save" to save the changes.
10. Repeat steps 6-9 for all the key rings that have no rotation policy.
Using CLI
To remediate this misconfiguration (the check for the existence of specific KMS CMKs in GCP) using the GCP CLI, follow these steps:
1. Open the Google Cloud Shell, or any terminal window where the GCP CLI is installed, and authenticate with your GCP account using the following command:
2. List all the key rings available in the project using the following command:
3. Identify the specific key ring that contains the CMKs whose existence you want to check.
4. List all the Crypto Keys available in the identified key ring using the following command. Replace <keyring-name> with the name of the identified key ring.
5. Identify the specific CMK whose existence you want to check.
6. Check the existence of the identified CMK using the following command. Replace <key-name> with the name of the identified CMK and <keyring-name> with the name of the identified key ring.
7. If the command returns an error message stating that the key does not exist, the CMK does not exist. In this case, create the CMK using the following command. Replace <key-name> with the name of the CMK that you want to create, <keyring-name> with the name of the identified key ring, and <purpose> with the purpose of the CMK (e.g. encryption). Note: you need the necessary IAM permissions to create a new CMK.
8. If the command returns the details of the CMK, the CMK exists and no further action is required.
Using Python
To remediate this misconfiguration (the check for the existence of specific KMS CMKs in GCP) using Python, follow these steps:
1. Import the necessary modules:
2. Set up the credentials for authentication:
3. Create a client object for the Key Management Service:
4. Define the name of the key ring and the key to check for existence:
5. Use the client object to check for the existence of the key:
6. Replace <path_to_service_account_file>, <project_id>, <location>, <keyring_name>, and <key_name> with the appropriate values for your GCP environment.
7. Run the script to check for the existence of the specified KMS CMKs, and remediate any that do not exist.
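The check-then-create logic from the CLI and Python steps above, as an added example that is not part of the original page: it assumes the google-cloud-kms library (KeyManagementServiceClient, get_crypto_key, create_crypto_key, and a NotFound error for a missing key), and the function names, the constructed in-memory client and the demo project, ring and key names are this example's own inventions so that it can run offline.

```python
import time
import types

try:  # real SDK when installed; the logic below also runs without it (offline demo)
    from google.cloud import kms_v1
    from google.api_core.exceptions import NotFound
except ImportError:
    kms_v1 = None
    class NotFound(Exception):
        """Stand-in for google.api_core.exceptions.NotFound when the SDK is absent."""

def key_resource_name(project_id, location, keyring_name, key_name):
    """Full CryptoKey resource name, in the form the KMS API expects."""
    return (f"projects/{project_id}/locations/{location}/keyRings/{keyring_name}"
            f"/cryptoKeys/{key_name}")

def ensure_crypto_key(client, project_id, location, keyring_name, key_name, rotation_days=90):
    """Return (resource_name, created). Look the key up; on NotFound create an
    ENCRYPT_DECRYPT key with a rotation period so it never lacks a rotation policy."""
    name = key_resource_name(project_id, location, keyring_name, key_name)
    try:
        client.get_crypto_key(request={"name": name})
        return name, False          # key exists: nothing to remediate
    except NotFound:
        pass                        # fall through and create it
    period = rotation_days * 86400  # KMS requires next_rotation_time alongside rotation_period
    purpose = kms_v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT if kms_v1 else 1
    key = client.create_crypto_key(request={
        "parent": name.rsplit("/cryptoKeys/", 1)[0],   # the key ring
        "crypto_key_id": key_name,
        "crypto_key": {"purpose": purpose, "rotation_period": {"seconds": period},
                       "next_rotation_time": {"seconds": int(time.time()) + period}},
    })
    return key.name, True

class InMemoryKmsClient:
    """Constructed offline stand-in for KeyManagementServiceClient (only the two calls used above)."""
    def __init__(self, existing_names):
        self.keys = set(existing_names)

    def get_crypto_key(self, request):
        if request["name"] not in self.keys:
            raise NotFound(request["name"])
        return types.SimpleNamespace(name=request["name"])

    def create_crypto_key(self, request):
        name = f"{request['parent']}/cryptoKeys/{request['crypto_key_id']}"
        self.keys.add(name)
        return types.SimpleNamespace(name=name)
```

For live use, replace InMemoryKmsClient with kms_v1.KeyManagementServiceClient(), which picks up GOOGLE_APPLICATION_CREDENTIALS=<path_to_service_account_file> or Application Default Credentials.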