Profile Applicability:
Level 2
Description:
The principle of Separation of Duties should be applied when assigning roles related to Google Cloud Key Management Service (KMS). Users should not be granted both administrative and operational roles simultaneously to minimize security risks.
Rationale:
The following roles in Cloud KMS provide varying levels of access:
Cloud KMS Admin: Allows users to create, delete, and manage keys.
Cloud KMS CryptoKey Encrypter/Decrypter: Allows encryption and decryption of data using keys.
Cloud KMS CryptoKey Encrypter: Allows encryption only.
Cloud KMS CryptoKey Decrypter: Allows decryption only.
Assigning administrative roles (e.g., Cloud KMS Admin) alongside operational roles (e.g., CryptoKey Encrypter/Decrypter) to the same user violates the principle of Separation of Duties. This increases the risk of unauthorized access to sensitive data or misuse of encryption keys. Separation of Duties is essential in larger organizations to reduce the likelihood of malicious activities or errors and is considered a best practice for securing cryptographic systems.
Impact:
Removing conflicting roles from a single user may require reassigning these roles to other users to maintain operational functionality.
Default Value:
By default, users are not assigned both administrative and operational roles in Cloud KMS.
Audit Steps:
Using Google Cloud Console:
Navigate to IAM & Admin > IAM in the Google Cloud Console.
Review the list of members with roles.
Ensure no user has both the Cloud KMS Admin role and any of the following roles simultaneously:
Cloud KMS CryptoKey Encrypter/Decrypter
Cloud KMS CryptoKey Encrypter
Cloud KMS CryptoKey Decrypter
Using Google Cloud CLI:
Retrieve the IAM policy for the project:
gcloud projects get-iam-policy PROJECT_ID --format json
Check for users assigned conflicting roles:
Cloud KMS Admin: roles/cloudkms.admin
CryptoKey Roles:
roles/cloudkms.cryptoKeyEncrypterDecrypter
roles/cloudkms.cryptoKeyEncrypter
roles/cloudkms.cryptoKeyDecrypter
Ensure no user is listed under both categories.
Remediation Steps:
Using Google Cloud Console:
Navigate to IAM & Admin > IAM in the Google Cloud Console.
Identify users with conflicting roles.
Based on business requirements, remove one of the conflicting roles by clicking the Delete (Trash) icon next to it.
Using Google Cloud CLI:
Retrieve the IAM policy and save it to a file:
gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
Edit the iam.json file to remove the conflicting roles for the affected users. Example of a policy in which only the administrative role remains:
{
  "bindings": [
    {
      "role": "roles/cloudkms.admin",
      "members": [
        "user:[email protected]"
      ]
    }
  ],
  "etag": "BwUjMhCsNvY="
}
Update the IAM policy with the modified file:
gcloud projects set-iam-policy PROJECT_ID iam.json
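The CLI audit and remediation steps above can be scripted against the JSON that gcloud prints. The following Python script is an added example, not part of this benchmark and not a Google tool: it inverts the policy bindings into a per-member role set, reports every member that holds roles/cloudkms.admin together with any CryptoKey role, and produces a remediated copy of the policy for set-iam-policy. It goes slightly beyond the steps as written in two ways: it checks all member types (groups and service accounts inherit the same conflict as users), and it separately lists holders of roles/owner and roles/editor, which the Additional Information section notes are equivalent to holding both sides. The sample policy, its members and etag, the function names, and the output file name iam.remediated.json are all constructed for the example.

```python
import json
import sys
from typing import Dict, List, Set

# Roles named in the audit steps.
ADMIN_ROLE = "roles/cloudkms.admin"
CRYPTO_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}
# Basic roles that bundle both administrative and operational KMS
# permissions (see "Additional Information"); reported separately.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy in the shape that
# `gcloud projects get-iam-policy PROJECT_ID --format json` prints.
# Members and etag are made up for this example.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudkms.admin",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["user:alice@example.com",
                     "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["group:analysts@example.com"]},
        {"role": "roles/editor", "members": ["user:dave@example.com"]},
    ],
    "etag": "EXAMPLE_ETAG=",
}


def roles_by_member(policy: dict) -> Dict[str, Set[str]]:
    """Invert bindings into member -> set of roles. Every member type is
    included (users, groups, service accounts): a group binding grants the
    role to everyone in the group. Conditional bindings are counted as well,
    because a condition narrows when a role applies, not whether it exists."""
    out: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def find_conflicts(policy: dict) -> Dict[str, List[str]]:
    """Members holding Cloud KMS Admin plus at least one CryptoKey role,
    mapped to the sorted list of their CryptoKey roles."""
    conflicts: Dict[str, List[str]] = {}
    for member, roles in roles_by_member(policy).items():
        if ADMIN_ROLE in roles and roles & CRYPTO_ROLES:
            conflicts[member] = sorted(roles & CRYPTO_ROLES)
    return conflicts


def find_broad_roles(policy: dict) -> Dict[str, List[str]]:
    """Members holding Owner or Editor, which imply both sides of the conflict."""
    return {m: sorted(r & BROAD_ROLES)
            for m, r in roles_by_member(policy).items() if r & BROAD_ROLES}


def remove_roles(policy: dict, member: str, roles: Set[str]) -> dict:
    """Return a copy of the policy with `member` dropped from the bindings for
    `roles`. Bindings left without members are deleted. The etag is kept so
    that set-iam-policy rejects the write if the policy changed in between.
    The input policy is not modified."""
    new_policy = json.loads(json.dumps(policy))  # deep copy
    kept = []
    for binding in new_policy.get("bindings", []):
        if binding["role"] in roles:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def main() -> None:
    # Usage: python kms_sod_check.py iam.json   (no argument: sample policy)
    policy = SAMPLE_POLICY
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    conflicts = find_conflicts(policy)
    for member, crypto in conflicts.items():
        print(f"CONFLICT {member}: {ADMIN_ROLE} + {', '.join(crypto)}")
    for member, broad in find_broad_roles(policy).items():
        print(f"REVIEW   {member}: holds {', '.join(broad)}")
    if conflicts:
        # Remediation: which side to keep is a business decision; here the
        # operational (CryptoKey) roles are removed and the admin role kept.
        for member, crypto in conflicts.items():
            policy = remove_roles(policy, member, set(crypto))
        with open("iam.remediated.json", "w") as fh:
            json.dump(policy, fh, indent=2)
        print("wrote iam.remediated.json; review it, then run: "
              "gcloud projects set-iam-policy PROJECT_ID iam.remediated.json")


if __name__ == "__main__":
    main()
```

Run it against the file saved by get-iam-policy, review iam.remediated.json before applying it, and rerun the check on the applied policy to confirm no member is listed under both categories. Because the script keeps the original etag, a concurrent change to the project policy causes set-iam-policy to fail rather than silently overwrite it; in that case fetch the policy again and repeat.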
References:
Additional Information:
Users with Owner (roles/owner) or Editor (roles/editor) roles have equivalent permissions to Cloud KMS Admin and operational roles. These elevated roles should be granted sparingly.
Use custom roles to enforce specific permissions if required.