Profile Applicability:
Level 1
Description:
The IAM policies for Cloud KMS cryptokeys should be configured to prevent access by allUsers or allAuthenticatedUsers to ensure cryptographic keys are not accessible by anonymous or public users.
Rationale:
Granting access to allUsers or allAuthenticatedUsers can expose cryptographic keys to unauthorized individuals or systems, leading to potential misuse or compromise. Preventing public or anonymous access is critical when managing sensitive data secured by cryptographic keys.
Impact:
Removing access for allUsers or allAuthenticatedUsers will deny access to public or anonymous users. Ensure that legitimate users or services requiring access have appropriate roles assigned.
Default Value:
By default, Cloud KMS cryptokeys do not allow access to allUsers or allAuthenticatedUsers.
Audit Steps:
Using Google Cloud CLI:
List all Cloud KMS cryptographic keys:
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
Check the IAM policy for each key to verify no allUsers or allAuthenticatedUsers access:
gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json | jq '.bindings[]?.members[]?'
Ensure that allUsers or allAuthenticatedUsers are not listed in the output.
Remediation Steps:
Using Google Cloud CLI:
List all cryptographic keys:
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
Remove any IAM policy bindings that grant access to allUsers or allAuthenticatedUsers:
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
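The audit and remediation steps above are expressed as one check per key, run by hand. The following added example (not part of this benchmark, and not Google's tooling) evaluates the IAM policy JSON that `gcloud kms keys get-iam-policy ... --format=json` returns, flags any binding that includes allUsers or allAuthenticatedUsers, and builds the matching remove-iam-policy-binding commands. The policy documents, key name, key ring name and location used below are constructed sample values; in practice the policy would be read from the gcloud output for each key, and the location should be whichever location the key ring actually lives in rather than only global.

```python
import json

# The two principals this recommendation prohibits on KMS cryptokeys.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy):
    """Return (role, member) pairs that grant a role to a public principal.

    `policy` is the dict produced by
    `gcloud kms keys get-iam-policy KEY --keyring RING --location LOC --format=json`.
    A policy with no bindings yields an empty list instead of an error, and a
    binding that carries an IAM condition still counts: the principal is public
    regardless of the condition attached to it.
    """
    findings = []
    for binding in policy.get("bindings") or []:
        role = binding.get("role", "")
        for member in binding.get("members") or []:
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member))
    return findings


def audit_key(policy):
    """Audit verdict for one key: 'PASS' if no public binding exists, else 'FAIL'."""
    return "FAIL" if find_public_bindings(policy) else "PASS"


def remediation_commands(key_name, key_ring, location, policy):
    """Build one remove-iam-policy-binding command per public binding found.

    Each command mirrors the remediation step of the benchmark, filled in with
    the concrete role and member taken from the policy rather than placeholders.
    """
    commands = []
    for role, member in find_public_bindings(policy):
        commands.append(
            f"gcloud kms keys remove-iam-policy-binding {key_name} "
            f"--keyring={key_ring} --location={location} "
            f"--member='{member}' --role='{role}'"
        )
    return commands


# Constructed sample: a key that fails the check on two separate bindings.
SAMPLE_PUBLIC_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["allUsers",
                 "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.viewer",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "BwExampleEtag=",
  "version": 1
}""")

# Constructed sample: a key with no bindings at all (the shape gcloud returns
# for a key that has never had an IAM binding set on it).
SAMPLE_EMPTY_POLICY = json.loads('{"etag": "BwExampleEtag2=", "version": 1}')


if __name__ == "__main__":
    # Hypothetical key coordinates used only for the printed commands.
    key_name, key_ring, location = "sample-key", "sample-ring", "global"
    for label, policy in (("public", SAMPLE_PUBLIC_POLICY),
                          ("empty", SAMPLE_EMPTY_POLICY)):
        print(f"{label}: {audit_key(policy)}")
        for cmd in remediation_commands(key_name, key_ring, location, policy):
            print("  " + cmd)
```

Because the check works on the policy document rather than on the gcloud invocation, it can be run against policies exported from every key ring in every location and reviewed before any binding is removed, which keeps the remediation step deliberate for keys that legitimately serve several workloads.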
References:
Removing IAM Policy Bindings for KMS Keys