Enforce Separation of Duties for KMS-Related Roles

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudIAM-010

Ensure that separation of duties is enforced for all Cloud Key Management Service (KMS) related roles. The principle of separation of duties (also known as segregation of duties) has as its primary objective the prevention of fraud and human error. This objective is achieved by dividing the tasks, and the privileges associated with them, for a specific business process among multiple users/identities. Google Cloud provides predefined roles that can be used to implement the principle of separation of duties where it is needed. The predefined Cloud KMS Admin role is meant for users who manage KMS keys but do not use them. The Cloud KMS CryptoKey Encrypter/Decrypter roles are meant for services that use keys to encrypt and decrypt data, but do not manage them. To adhere to cloud security best practices, your IAM users should not have the Admin role and any of the CryptoKey Encrypter/Decrypter roles assigned at the same time.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

The principle of separation of duties can be enforced so that no single IAM user/identity holds all the permissions needed to perform unwanted actions, such as using a cryptographic key to access and decrypt data that the user should not normally be able to read.


Audit

To determine if there are any IAM users that have KMS-related roles assigned at the same time, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, select IAM.

05 Choose the PERMISSIONS tab and select View by PRINCIPALS to list all the IAM member accounts, Google groups, or workspace domains available as principals within the selected GCP project.

06 Click inside the Filter box, select Role, type Cloud KMS Admin and press Enter, to return the principals with the Cloud KMS Admin role. Click again in the Filter box, select Role, type Cloud KMS CryptoKey Encrypter/Decrypter, select OR, type Cloud KMS CryptoKey Encrypter, select again OR, type Cloud KMS CryptoKey Decrypter, and press Enter. Check the IAM members returned to determine if there are any users/identities that have both the Cloud KMS Admin role and one of the encrypter/decrypter roles (i.e. Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, or Cloud KMS CryptoKey Decrypter). If one or more members (principals) have both these roles assigned, the principle of separation of duties was not implemented while assigning KMS-related roles to IAM users.

07 Repeat steps no. 2 – 6 for each GCP project deployed within your Google cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-big-data-app-123123
cc-internal-app-112233
cc-frontend-app-123456

03 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the Identity and Access Management (IAM) policy created for the selected GCP project, in JSON format:

gcloud projects get-iam-policy cc-big-data-app-123123 \
  --format=json

04 The command output should return the requested IAM policy document:

{
  "bindings": [
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/cloudkms.admin"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "123412341234",
  "version": 1
}

Check the name of each member role (i.e. "role" attribute) returned by the projects get-iam-policy command output. If one or more members are associated with the following set of roles: the "roles/cloudkms.admin" role and one of the encrypter/decrypter roles (i.e. "roles/cloudkms.cryptoKeyEncrypterDecrypter", "roles/cloudkms.cryptoKeyEncrypter" or "roles/cloudkms.cryptoKeyDecrypter"), as shown in the output example above, there are users/identities that have both the KMS administrator and KMS encrypter/decrypter roles assigned at the same time; therefore the principle of separation of duties was not enforced while assigning KMS-related roles to IAM users.

05 Repeat steps no. 3 and 4 for each Google Cloud Platform (GCP) project created within your account.
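As an added example that is not part of this Conformity page or of Trend Micro's tooling, the following Python script applies the same check to a saved get-iam-policy JSON document: it inverts the bindings list into a per-principal role set and reports every principal that holds roles/cloudkms.admin together with any of the three encrypter/decrypter roles. The embedded policy is a constructed copy of the sample output above; the function and constant names are the example's own.

```python
"""Detect Cloud KMS separation-of-duties violations in a GCP project IAM policy.

Added example, not code from the Conformity page. The policy document below is
constructed to mirror the sample output of
`gcloud projects get-iam-policy <PROJECT_ID> --format=json` shown on the page.
"""
import json
import sys
from collections import defaultdict

KMS_ADMIN_ROLE = "roles/cloudkms.admin"
# Roles that let a principal use keys rather than manage them.
KMS_USAGE_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}

# Constructed sample, identical in shape to the page's get-iam-policy output.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["user:cloud.conformity@gmail.com"], "role": "roles/cloudkms.admin"},
    {"members": ["user:cloud.conformity@gmail.com"],
     "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"},
    {"members": ["user:cloud.realisation@gmail.com"], "role": "roles/editor"}
  ],
  "etag": "123412341234",
  "version": 1
}
"""


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}.

    A binding carrying a "condition" key still counts: the role is granted
    under some condition, which is enough to flag for this rule.
    """
    index = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            index[member].add(binding["role"])
    return index


def find_sod_violations(policy):
    """Return {member: sorted usage roles} for every principal that holds
    Cloud KMS Admin together with at least one encrypter/decrypter role."""
    violations = {}
    for member, roles in roles_by_member(policy).items():
        if KMS_ADMIN_ROLE in roles:
            usage = sorted(roles & KMS_USAGE_ROLES)
            if usage:
                violations[member] = usage
    return violations


def audit_policy_json(policy_json):
    """Parse a get-iam-policy JSON document and run the check on it."""
    return find_sod_violations(json.loads(policy_json))


if __name__ == "__main__":
    # Usage: python kms_sod_audit.py [policy.json]; defaults to the sample.
    document = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY_JSON
    findings = audit_policy_json(document)
    for member, usage in findings.items():
        print(f"{member}: holds {KMS_ADMIN_ROLE} and {', '.join(usage)}")
    if not findings:
        print("no separation-of-duties violations for KMS roles")
```

Save the policy with `gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json` and pass that file to the script. A project-level policy only shows bindings set on the project itself: roles inherited from a parent folder or organization, and roles an individual holds through a Google group listed as a member, are not expanded here, so a clean result at project level does not by itself prove separation of duties for every individual.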

Remediation / Resolution

To implement the principle of separation of duties and secure the access to your GCP projects, revoke either Cloud KMS Admin role or one of the encrypter/decrypter roles (i.e. Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter or Cloud KMS CryptoKey Decrypter) from the IAM user that is associated with both these roles, and attach one of the roles to another identity according to your business requirements.

Step A: To revoke the Cloud KMS Admin role from the required IAM member (principal), perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, select IAM.

05 Choose the PERMISSIONS tab and select View by PRINCIPALS to list all the IAM member accounts, Google groups, or workspace domains available as principals within the selected GCP project.

06 Choose the principal (member) that you want to reconfigure and click on the Edit principal button (pencil icon) to access the selected principal permissions.

07 On the Edit permissions panel, identify the KMS role that you want to remove from the selected principal, i.e. Cloud KMS Admin, then click on the delete icon next to the role to remove it. Choose SAVE to apply the changes.

08 Repeat steps no. 6 and 7 for other principals that you want to reconfigure, created for the selected project.

09 Repeat steps no. 2 – 8 for each GCP project available within your Google cloud account.

Using GCP CLI

01 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to access as the identifier parameter and custom query filters to describe the IAM policy created for the selected project:

gcloud projects get-iam-policy cc-big-data-app-123123 \
  --format=json

02 The command output should return the requested IAM policy:

{
  "bindings": [
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/cloudkms.admin"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "123412341234",
  "version": 1
}

03 Edit the IAM policy returned at the previous step and remove the role binding named "roles/cloudkms.admin" for the principal (member) that has both the KMS administrator and KMS encrypter/decrypter roles, then save the policy document to a JSON document named sod-iam-policy.json:

{
  "bindings": [
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "123412341234",
  "version": 1
}

04 Run projects set-iam-policy command (Windows/macOS/Linux) to update the IAM policy of the selected GCP project with the IAM policy modified at the previous step (i.e. sod-iam-policy.json):

gcloud projects set-iam-policy cc-big-data-app-123123 sod-iam-policy.json

05 The command request should return the metadata available for the updated IAM policy:

Updated IAM policy for project [cc-big-data-app-123123].
bindings:
- members:
  - user:cloud.realisation@gmail.com
  role: roles/editor
- members:
  - user:cloud.conformity@gmail.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: 123412341234
version: 1

06 Repeat steps no. 1 – 5 for other Google Cloud Platform (GCP) projects available in your account.

Step B: Assign the removed role, i.e. Cloud KMS Admin, to another IAM member (principal) created for your GCP project by performing the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, select IAM.

05 Choose the PERMISSIONS tab and select View by PRINCIPALS to list all the IAM member accounts, Google groups, or workspace domains available as principals in the selected GCP project.

06 Choose the principal (member) that you want to assign the Cloud KMS Admin role, and click on the Edit principal button (pencil icon) to access the selected principal permissions.

07 On the Edit permissions panel, choose + ADD ANOTHER ROLE, and select the Cloud KMS Admin role from the Select a role dropdown list to attach the Cloud KMS Admin role to the selected principal. Choose SAVE to apply the changes.

08 Repeat steps no. 6 and 7 to assign the required KMS role to other principals created for the selected project.

09 Repeat steps no. 2 – 8 for other GCP projects available within your Google cloud account.

Using GCP CLI

01 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to reconfigure as the identifier parameter and custom query filters to describe the IAM policy associated with the selected project:

gcloud projects get-iam-policy cc-big-data-app-123123 \
  --format=json

02 The command output should return the requested IAM policy:

{
  "bindings": [
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "123412341234",
  "version": 1
}

03 Modify the IAM policy returned at the previous step and add a role binding with the name "roles/cloudkms.admin" to another principal (other than the associated one) in order to assign the Cloud KMS Admin role, then save the policy document to a JSON document named new-sod-iam-policy.json:

{
  "bindings": [
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/cloudkms.admin"
    }
  ],
  "etag": "123412341234",
  "version": 1
}

04 Run projects set-iam-policy command (Windows/macOS/Linux) to update the IAM policy of the selected GCP project with the IAM policy edited at the previous step (i.e. new-sod-iam-policy.json):

gcloud projects set-iam-policy cc-big-data-app-123123 new-sod-iam-policy.json

05 The command request should return the metadata for the updated IAM policy:

Updated IAM policy for project [cc-big-data-app-123123].
bindings:
- members:
  - user:cloud.realisation@gmail.com
  role: roles/editor
- members:
  - user:cloud.realisation@gmail.com
  role: roles/cloudkms.admin
- members:
  - user:cloud.conformity@gmail.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: 123412341234
version: 1

06 Repeat steps no. 1 – 5 for other Google Cloud Platform (GCP) projects available within your account.
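The two CLI procedures above (Step A removes roles/cloudkms.admin from the offending principal, Step B grants it to a different principal) edit the policy document by hand. The following Python script, an added example that is not part of this page or of Conformity's tooling, performs both edits on a get-iam-policy JSON document and prints the file you would pass to projects set-iam-policy. The sample policy and the principal user:cloud.realisation@gmail.com are constructed to match the page's examples; remediate_policy and violating_members are names chosen for this example.

```python
"""Produce the remediated IAM policy (Step A and Step B) from a get-iam-policy document.

Added example, not Conformity's or Google's code. Assumes the input is the JSON
produced by `gcloud projects get-iam-policy <PROJECT_ID> --format=json`.
"""
import copy
import json
import sys

KMS_ADMIN_ROLE = "roles/cloudkms.admin"
KMS_USAGE_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}

# Constructed sample matching the get-iam-policy output shown in Step A.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["user:cloud.conformity@gmail.com"], "role": "roles/cloudkms.admin"},
        {"members": ["user:cloud.conformity@gmail.com"],
         "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"},
        {"members": ["user:cloud.realisation@gmail.com"], "role": "roles/editor"},
    ],
    "etag": "123412341234",
    "version": 1,
}


def violating_members(policy):
    """Principals that hold KMS Admin together with an encrypter/decrypter role."""
    roles = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles.setdefault(member, set()).add(binding["role"])
    return {m for m, r in roles.items() if KMS_ADMIN_ROLE in r and r & KMS_USAGE_ROLES}


def remediate_policy(policy, reassign_admin_to=None):
    """Return a copy of `policy` with separation of duties restored.

    Step A: every offending principal loses its roles/cloudkms.admin binding.
    Step B (optional): `reassign_admin_to` receives roles/cloudkms.admin instead.
    The etag is left untouched so that set-iam-policy rejects the write if the
    live policy changed since it was read.
    """
    offenders = violating_members(policy)
    new_policy = copy.deepcopy(policy)
    bindings = []
    for binding in new_policy.get("bindings", []):
        if binding["role"] == KMS_ADMIN_ROLE:
            binding["members"] = [m for m in binding.get("members", []) if m not in offenders]
        if binding.get("members"):          # drop bindings left without members
            bindings.append(binding)
    if reassign_admin_to is not None:
        admin = next((b for b in bindings
                      if b["role"] == KMS_ADMIN_ROLE and "condition" not in b), None)
        if admin is None:
            admin = {"members": [], "role": KMS_ADMIN_ROLE}
            bindings.append(admin)
        if reassign_admin_to not in admin["members"]:
            admin["members"].append(reassign_admin_to)
    new_policy["bindings"] = bindings
    # Post-condition: never emit a policy that still (or newly) violates the rule,
    # e.g. when the chosen new admin already holds an encrypter/decrypter role.
    if violating_members(new_policy):
        raise ValueError(f"{reassign_admin_to} already holds an encrypter/decrypter role")
    return new_policy


if __name__ == "__main__":
    # Usage: python kms_sod_remediate.py [policy.json] [new-admin-principal]
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    new_admin = sys.argv[2] if len(sys.argv) > 2 else "user:cloud.realisation@gmail.com"
    print(json.dumps(remediate_policy(policy, reassign_admin_to=new_admin), indent=2))
```

Redirect the output to new-sod-iam-policy.json and apply it with `gcloud projects set-iam-policy PROJECT_ID new-sod-iam-policy.json`; calling remediate_policy without reassign_admin_to yields the Step A document (sod-iam-policy.json) on its own. Review the printed document before applying it, since set-iam-policy replaces the whole project policy rather than merging.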

Publication date Feb 4, 2021