Profile Applicability:

Level 1

Description:

The IAM policies for Cloud KMS cryptokeys should be configured to prevent access by allUsers or allAuthenticatedUsers to ensure cryptographic keys are not accessible by anonymous or public users.

Rationale:

Granting access to allUsers (anyone on the internet, with no authentication) or allAuthenticatedUsers (any Google Account, including accounts outside your organization) exposes cryptographic keys to unauthorized individuals or systems. Depending on the role granted, such a principal can encrypt, decrypt, sign or verify with the key, or read its metadata, leading to potential misuse or compromise of every piece of data protected by it. Preventing public or anonymous access is critical when managing sensitive data secured by cryptographic keys.

Impact:

Removing access for allUsers or allAuthenticatedUsers will deny access to public or anonymous users. Ensure that legitimate users or services requiring access have appropriate roles assigned.

Default Value:

By default, Cloud KMS cryptokeys do not allow access to allUsers or allAuthenticatedUsers.

Remediation Steps:

Test Plan:

Using Google Cloud CLI:

List all Cloud KMS cryptographic keys. Key rings are scoped to a location, so the command below covers only key rings in the global location; repeat it with the matching --location for every location in which key rings have been created:

gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

Check the IAM policy for each key to verify no allUsers or allAuthenticatedUsers access. This shows only bindings set directly on the key; roles granted at the key ring, project, folder or organization level are inherited by the key, so audit those policies for the same members as well:

gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json | jq '.bindings[].members[]'
  1. Ensure that allUsers or allAuthenticatedUsers are not listed in the output.

Implementation:

Using Google Cloud CLI:

List all cryptographic keys:

gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

Remove any IAM policy bindings that grant access to allUsers or allAuthenticatedUsers. The --role value must be exactly the role shown for that member in the get-iam-policy output; if the member appears in several bindings, run the command once per role, then re-run the Test Plan to confirm nothing remains:

gcloud kms keys remove-iam-policy-binding [key_name] \
  --keyring=[key_ring_name] --location=global \
  --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] \
  --keyring=[key_ring_name] --location=global \
  --member='allUsers' --role='[role]'
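The Test Plan and Implementation above are easy to get wrong at scale (a key ring in a non-global location is skipped, or the --role passed to remove-iam-policy-binding does not match the binding). The following script is an example added to this page, not CIS or Google tooling: it walks every key ring and key in a location via the gcloud CLI, flags public bindings, emits the exact remove commands, and builds a hardened copy of the policy for set-iam-policy. The policy JSON embedded below is a constructed sample, and the key, key ring and location names in the demo are placeholders; the live path assumes an installed and authenticated gcloud.

```python
"""Audit Cloud KMS keys for allUsers / allAuthenticatedUsers bindings and
produce the remediation. Example code added to this page (not CIS's own).

Assumptions: gcloud is installed and authenticated when the live path
(audit_location) is used, and the policy JSON has the shape produced by
`gcloud kms keys get-iam-policy --format=json`. The decision logic is pure
Python so it can be exercised on the constructed sample without gcloud.
"""
import json
import shlex
import subprocess

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not a real key); mirrors get-iam-policy JSON output.
SAMPLE_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:app@my-project.iam.gserviceaccount.com",
                 "allUsers"]},
    {"role": "roles/cloudkms.viewer",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/cloudkms.admin",
     "members": ["group:kms-admins@example.com"]}
  ],
  "etag": "BwXyz123",
  "version": 1
}"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def gcloud_json(*args):
    """Run a gcloud command with --format=json and parse its output (live path)."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def public_bindings(policy):
    """(role, member) pairs granting a role to anonymous or any-Google-account."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def remediation_commands(key, keyring, location, policy):
    """One remove-iam-policy-binding per public binding; --role matches exactly."""
    cmds = []
    for role, member in public_bindings(policy):
        cmds.append(
            "gcloud kms keys remove-iam-policy-binding "
            f"{shlex.quote(key)} --keyring={shlex.quote(keyring)} "
            f"--location={shlex.quote(location)} "
            f"--member={shlex.quote(member)} --role={shlex.quote(role)}"
        )
    return cmds


def hardened_policy(policy):
    """Copy of the policy with public members stripped and emptied bindings dropped.

    Keeps etag/version so `gcloud kms keys set-iam-policy KEY FILE` applies it
    atomically (the etag rejects the write if the policy changed meanwhile).
    Unlike per-binding removal, this also covers conditional bindings.
    """
    new = {k: v for k, v in policy.items() if k != "bindings"}
    new["bindings"] = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            new["bindings"].append({**binding, "members": members})
    return new


def audit_location(location):
    """Live audit of every key ring and key in `location`.

    Key rings are location-scoped, so call this for each location you use,
    not only 'global'. Returns {key_resource_name: [(role, member), ...]}.
    """
    offenders = {}
    for ring in gcloud_json("kms", "keyrings", "list", f"--location={location}"):
        ring_id = ring["name"].rsplit("/", 1)[-1]
        for key in gcloud_json("kms", "keys", "list",
                               f"--keyring={ring_id}", f"--location={location}"):
            key_id = key["name"].rsplit("/", 1)[-1]
            policy = gcloud_json("kms", "keys", "get-iam-policy", key_id,
                                 f"--keyring={ring_id}", f"--location={location}")
            hits = public_bindings(policy)
            if hits:
                offenders[key["name"]] = hits
    return offenders


if __name__ == "__main__":
    # Offline demo on the constructed sample; save the original get-iam-policy
    # output as policy-backup.json before applying either remediation form.
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {member} holds {role}")
    for cmd in remediation_commands("my-key", "my-keyring", "us-east1", SAMPLE_POLICY):
        print(cmd)
    print(json.dumps(hardened_policy(SAMPLE_POLICY), indent=2))
```

Either remediation form works; per-binding removal is the smaller change and matches the commands above, while writing the hardened policy with set-iam-policy is the right choice when a public binding carries an IAM condition or the key has many bindings. In both cases keep the pre-change policy file for the Backout Plan.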

Backout Plan:

1. Restore Access (If Necessary)

If removing public access breaks a legitimate workload, grant the specific principal that needs the key the least-privileged role it requires, rather than re-adding allUsers or allAuthenticatedUsers:

gcloud kms keys add-iam-policy-binding [KEY_NAME] \
  --keyring=[KEY_RING_NAME] --location=global \
  --member="serviceAccount:my-service-account@my-project.iam.gserviceaccount.com" \
  --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"

2. Restore IAM Policy from Backup

set-iam-policy replaces the key's entire policy, so use it only with a copy of the policy saved from get-iam-policy before remediation, and review that copy first so the public binding is not silently reinstated:

gcloud kms keys set-iam-policy [KEY_NAME] policy-backup.json \
  --keyring=[KEY_RING_NAME] --location=global

References:

  1. Setting IAM Policy for KMS Keys

  2. Getting IAM Policy for KMS Keys

  3. Cloud KMS Key Resource Hierarchy

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
3.3 Configure Data Access Control Lists (CIS Controls v8) | Apply access control lists to enforce the principle of least privilege, granting access only as needed. | | |
14.6 Protect Information Through Access Control Lists (CIS Controls v7) | Use ACLs to ensure only authorized individuals have access to sensitive information. | | |