Detect Google Cloud KMS Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: CloudKMS-003

Trend Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected Cloud KMS configuration changes within your GCP account.
Cloud Key Management Service (KMS) is a GCP-hosted key management service that enables you to easily create, import, and manage cryptographic keys, and perform cryptographic operations using a single centralized service.
Cloud KMS writes audit logs for resources such as key rings (KeyRings) and cryptographic keys (CryptoKeys) to help you find out who used your KMS resources, where, and when. Trend Cloud One™ – Conformity RTMA uses the audit information collected by Cloud KMS to process and send notifications about the configuration changes made at the KMS service level.
The activity detected by the Conformity RTMA feature can be a user action initiated through the Google Cloud Console or an API request made programmatically with the gcloud CLI that triggers any of the following operational events:

  • "cryptoKeys.create" - Creates a new cryptographic key in the specified key ring. A cryptographic key, also known as a CryptoKey, represents a logical key that can be used for Google Cloud cryptographic operations. A key ring (KeyRing) represents a logical grouping of CryptoKeys.
  • "cryptoKeys.patch" - Updates a cryptographic key (CryptoKey). A CryptoKey can have zero or more versions, which represent the actual key material used for cryptographic operations.
  • "cryptoKeys.setIamPolicy" - Sets the access control policy for the specified CryptoKey. This operation replaces any existing policy associated with the KMS key.
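
The three operations above surface in Cloud Audit Logs (Admin Activity) as entries whose protoPayload.methodName names the KMS method that ran. The following added example, which is not part of this Conformity page or of the Conformity product, shows the core of such a detection: it walks a batch of audit log entries, keeps only the watched KMS write operations, and turns each into an alert record with the principal, resource, time and caller address. The fully qualified method names (google.cloud.kms.v1.KeyManagementService.CreateCryptoKey, UpdateCryptoKey, SetIamPolicy) and their mapping to the REST names listed on this page are an assumption made here, and the log entries are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Watched Cloud KMS write operations, keyed by the gRPC method name that
# Cloud Audit Logs record in protoPayload.methodName.  Assumption: these
# fully qualified names are not on the page; they are taken to be the
# KeyManagementService methods behind the REST names the page lists.
WATCHED_METHODS = {
    "google.cloud.kms.v1.KeyManagementService.CreateCryptoKey": "cryptoKeys.create",
    "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey": "cryptoKeys.patch",
    "google.cloud.kms.v1.KeyManagementService.SetIamPolicy": "cryptoKeys.setIamPolicy",
}

RULE_ID = "CloudKMS-003"  # rule id from the page


@dataclass
class KmsChangeEvent:
    operation: str            # REST-style operation name as listed on the page
    principal: str            # identity that made the change
    resource: str             # KeyRing or CryptoKey that was touched
    timestamp: str            # RFC 3339 timestamp of the log entry
    caller_ip: Optional[str]  # source address, if the entry carries one


def parse_entry(entry: dict) -> Optional[KmsChangeEvent]:
    """Return a KmsChangeEvent if this audit log entry is a watched KMS change.

    Non-audit entries (no protoPayload), read-only KMS calls and calls to other
    services all return None so the caller can simply skip them.
    """
    payload = entry.get("protoPayload")
    if not isinstance(payload, dict):
        return None
    method = payload.get("methodName", "")
    if method not in WATCHED_METHODS:
        return None
    auth = payload.get("authenticationInfo") or {}
    meta = payload.get("requestMetadata") or {}
    return KmsChangeEvent(
        operation=WATCHED_METHODS[method],
        principal=auth.get("principalEmail", "<unknown principal>"),
        resource=payload.get("resourceName", "<unknown resource>"),
        timestamp=entry.get("timestamp", ""),
        caller_ip=meta.get("callerIp"),
    )


def detect_kms_changes(entries: Iterable[dict]) -> List[KmsChangeEvent]:
    """Filter a batch of log entries down to the KMS configuration changes."""
    return [ev for ev in (parse_entry(e) for e in entries) if ev is not None]


def format_alert(event: KmsChangeEvent) -> str:
    """Render one event as the line a notification channel would carry."""
    return (f"[{RULE_ID}] {event.operation} on {event.resource} "
            f"by {event.principal} at {event.timestamp} "
            f"from {event.caller_ip or 'n/a'}")


def _kms_payload(method: str, resource: str, who: str, ip: str) -> dict:
    return {
        "serviceName": "cloudkms.googleapis.com",
        "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": who},
        "requestMetadata": {"callerIp": ip},
    }


# Constructed sample entries (values are made up; shape follows the
# LogEntry / AuditLog structure used by Cloud Audit Logs).
KEY = "projects/example-project/locations/global/keyRings/app-ring/cryptoKeys/db-key"
SAMPLE_ENTRIES = [
    {"timestamp": "2022-12-14T09:12:31Z",
     "protoPayload": _kms_payload("google.cloud.kms.v1.KeyManagementService.CreateCryptoKey",
                                  KEY, "dev@example.com", "203.0.113.7")},
    {"timestamp": "2022-12-14T09:13:02Z",
     "protoPayload": _kms_payload("google.cloud.kms.v1.KeyManagementService.GetCryptoKey",
                                  KEY, "dev@example.com", "203.0.113.7")},   # read: ignored
    {"timestamp": "2022-12-14T09:15:45Z",
     "protoPayload": _kms_payload("google.cloud.kms.v1.KeyManagementService.SetIamPolicy",
                                  KEY, "dev@example.com", "203.0.113.7")},
    {"timestamp": "2022-12-14T09:16:10Z", "textPayload": "unrelated text log line"},
    {"timestamp": "2022-12-14T09:20:00Z",
     "protoPayload": _kms_payload("google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey",
                                  KEY, "kms-admin@example.com", "198.51.100.4")},
]

if __name__ == "__main__":
    for event in detect_kms_changes(SAMPLE_ENTRIES):
        print(format_alert(event))
```

Entries for Get/List calls, Encrypt/Decrypt data-access logs and non-KMS services fall through parse_entry unchanged, so the alert stream contains only the three configuration-changing operations the rule is about; the principal and caller address in each alert are what lets a reviewer separate an expected administrator change from an unexpected one.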

Because encryption plays an important role in securing your application data in Google Cloud, Trend Cloud One™ – Conformity strongly recommends that you grant the permission to perform Cloud KMS configuration changes within your GCP account to as few users as possible (administrators or dedicated, authorized personnel only). For example, if a Cloud KMS resource is created or modified by an inexperienced user, the resulting misconfiguration can allow malicious actors to identify possible vulnerabilities and attempt to exploit them in order to gain access to your sensitive data.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The supported communication channels for receiving notification alerts about KMS configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

Security

Monitoring is fundamental for understanding the availability, state, configuration, and usage of your Cloud KMS cryptographic resources such as CryptoKeys, KeyRings, and key access control policies. To follow security best practices and meet compliance requirements, you have to be aware of the configuration changes made at the Cloud KMS service level. Cloud KMS enables you to maintain control over who can use your cryptographic keys (CryptoKeys) to gain access to your encrypted data; therefore, monitoring every configuration change performed at the Cloud KMS level is vital for keeping your encrypted data safe and secure in Google Cloud.

Publication date Dec 14, 2022