Profile Applicability:

Level 2

Description:

Apply the principle of Separation of Duties when assigning roles for Google Cloud Key Management Service (KMS): no principal (user, group or service account) should hold both a Cloud KMS administrative role and an operational (encrypt/decrypt) role at the same time.

Rationale:

The following roles in Cloud KMS provide varying levels of access:

  • Cloud KMS Admin (roles/cloudkms.admin): Allows full management of key rings, keys and key versions (create, rotate, schedule destruction, set IAM policy). It does not by itself include permission to encrypt or decrypt with a key.

  • Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter): Allows encryption and decryption of data using keys.

  • Cloud KMS CryptoKey Encrypter (roles/cloudkms.cryptoKeyEncrypter): Allows encryption only.

  • Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter): Allows decryption only.

Assigning an administrative role (e.g., Cloud KMS Admin) alongside an operational role (e.g., CryptoKey Encrypter/Decrypter) to the same principal violates the principle of Separation of Duties. The administrative role on its own does not include encrypt or decrypt permission, and the operational role on its own cannot change who may use a key or schedule it for destruction; a single account holding both can do all of this, so one compromised credential or one mistaken action both controls and uses the keys. Keeping the two apart reduces the likelihood of malicious activity or error, matters most in larger organizations where several people touch the keys, and is a recognized best practice for operating cryptographic systems.

Impact:

Removing one of the conflicting roles from a member may require assigning that role to another member (or, for automated workloads, to a separate service account) to maintain operational functionality.

Default Value:

By default, users are not assigned both administrative and operational roles in Cloud KMS.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to IAM & Admin > IAM in the Google Cloud Console.

  2. Review the list of members with roles, including groups and service accounts, not only individual users.

  3. Ensure no member has both the Cloud KMS Admin role and any of the following roles simultaneously:

    • Cloud KMS CryptoKey Encrypter/Decrypter

    • Cloud KMS CryptoKey Encrypter

    • Cloud KMS CryptoKey Decrypter

Using Google Cloud CLI:

  1. Retrieve the IAM policy for the project:

gcloud projects get-iam-policy PROJECT_ID --format json

  2. In the bindings list, note every member (user, group or service account) bound to the administrative role:

    • Cloud KMS Admin: roles/cloudkms.admin

  3. Note every member bound to any of the CryptoKey roles:

      • roles/cloudkms.cryptoKeyEncrypterDecrypter

      • roles/cloudkms.cryptoKeyEncrypter

      • roles/cloudkms.cryptoKeyDecrypter

  4. Ensure no member appears in both sets.

Cloud KMS roles can also be granted directly on a key ring or on an individual key rather than on the project. Repeat the same check on those policies (gcloud kms keyrings get-iam-policy and gcloud kms keys get-iam-policy return the same JSON structure), since a member who is Cloud KMS Admin at the project level and Decrypter on a single key still violates Separation of Duties.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to IAM & Admin > IAM in the Google Cloud Console.

  2. Identify members with conflicting roles.

  3. For each such member, remove either the administrative or the operational role by clicking the Delete (Trash) icon next to it, based on business requirements.

Using Google Cloud CLI:

Retrieve the IAM policy and save it to a file:

gcloud projects get-iam-policy PROJECT_ID --format json > iam.json

Edit iam.json so that no member appears under both roles/cloudkms.admin and one of the CryptoKey roles; which side to keep is a business decision. In the example below the user's operational binding has been removed and only the administrative binding remains:

{
  "bindings": [
    {
      "role": "roles/cloudkms.admin",
      "members": [
        "user:[email protected]"
      ]
    }
  ],
  "etag": "BwUjMhCsNvY="
}

Update the IAM policy with the modified file:

gcloud projects set-iam-policy PROJECT_ID iam.json

Note that set-iam-policy replaces the entire project policy with the contents of the file, so every unrelated binding must be kept intact, and the etag must be left in place: it makes the update fail rather than silently overwrite changes someone else made after the policy was fetched. To drop a single binding without rewriting the whole policy, gcloud projects remove-iam-policy-binding can be used instead with the member and role to remove.
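The CLI audit and the iam.json remediation above are both mechanical work over the same policy JSON, so the following script, added here as an example and not part of the benchmark or of Google's tooling, automates both: it reports every member holding roles/cloudkms.admin together with a CryptoKey role, then emits a copy of the policy with one side of each conflict removed, ready for review and for gcloud projects set-iam-policy. It reads the output of gcloud projects get-iam-policy PROJECT_ID --format json from stdin; the SAMPLE_POLICY and all member names in it are constructed for illustration. The same script works unchanged on the policies returned by gcloud kms keyrings get-iam-policy and gcloud kms keys get-iam-policy, which have the same structure.

```python
"""Cloud KMS Separation-of-Duties check and remediation for an IAM policy.

Added example (not from the benchmark or from Google). Input is the JSON from
`gcloud projects get-iam-policy PROJECT_ID --format json`; SAMPLE_POLICY is a
constructed policy used when nothing is piped in.
"""
import json
import sys
from collections import defaultdict

ADMIN_ROLE = "roles/cloudkms.admin"
OPERATIONAL_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}

# Constructed sample: alice and the kms-ops group hold both sides of the
# conflict, bob is admin only, carol and the service account are operational only.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudkms.admin",
         "members": ["user:alice@example.com", "user:bob@example.com",
                     "group:kms-ops@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["user:alice@example.com",
                     "serviceAccount:app@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypter",
         "members": ["group:kms-ops@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["user:carol@example.com"]},
        {"role": "roles/viewer", "members": ["user:dave@example.com"]},
    ],
    "etag": "BwUjMhCsNvY=",
    "version": 1,
}


def roles_by_member(policy):
    """Map every member string to the set of roles bound to it.

    Conditional bindings are counted like unconditional ones: a conflict that
    only applies some of the time is still a conflict for this check.
    """
    roles = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles[member].add(binding["role"])
    return roles


def find_sod_violations(policy):
    """Return {member: [operational roles]} for members that also hold ADMIN_ROLE."""
    violations = {}
    for member, roles in roles_by_member(policy).items():
        if ADMIN_ROLE in roles:
            conflicting = sorted(roles & OPERATIONAL_ROLES)
            if conflicting:
                violations[member] = conflicting
    return violations


def remediate(policy, keep="admin"):
    """Return a copy of the policy with one side of each conflict removed.

    keep="admin" strips the operational roles from violating members;
    keep="operational" strips ADMIN_ROLE from them instead. Which side to keep
    is a business decision. Bindings left with no members are dropped, and the
    etag is preserved so a later set-iam-policy is rejected if the live policy
    changed in the meantime. The input policy is not modified.
    """
    violators = set(find_sod_violations(policy))
    drop = OPERATIONAL_ROLES if keep == "admin" else {ADMIN_ROLE}
    bindings = []
    for binding in policy.get("bindings", []):
        members = list(binding.get("members", []))
        if binding["role"] in drop:
            members = [m for m in members if m not in violators]
        if members:
            bindings.append({**binding, "members": members})
    return {**policy, "bindings": bindings}


if __name__ == "__main__":
    # Usage: gcloud projects get-iam-policy PROJECT_ID --format json \
    #          | python kms_sod.py > iam.json    (review, then set-iam-policy)
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    for member, roles in find_sod_violations(policy).items():
        print(f"VIOLATION {member}: {ADMIN_ROLE} + {', '.join(roles)}", file=sys.stderr)
    json.dump(remediate(policy), sys.stdout, indent=2)
    print()
```

Violations go to stderr and the proposed policy to stdout, so the two can be redirected separately. Always diff the output against the original iam.json before applying it: the script only touches the bindings of violating members, but set-iam-policy will write whatever the file contains.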


References:

  1. Separation of Duties for KMS

Additional Information:

  • The basic roles Owner (roles/owner) and Editor (roles/editor) include the permissions of both Cloud KMS Admin and the operational CryptoKey roles, so a member holding either of them also violates this recommendation. Grant these roles sparingly and review their use.

  • Where the predefined roles are broader than needed, use custom roles carrying only the specific cloudkms permissions a member requires.

CIS Controls:

  • 3.3 Configure Data Access Control Lists (CIS Controls v8): Apply ACLs to enforce least privilege, ensuring access is granted only as needed.

  • 14.6 Protect Information Through Access Control Lists (CIS Controls v7): Use ACLs to safeguard sensitive information, limiting access to authorized users based on responsibilities.