Check for Publicly Accessible Cloud KMS Keys

Risk Level: High (act today)

Rule ID: CloudKMS-001

Ensure that the IAM policy associated with your Cloud Key Management Service (KMS) keys is restricting anonymous and/or public access. KMS cryptographic keys, like any other GCP resources, have Cloud Identity and Access Management (IAM) policies configured to determine who can have access to these resources. To deny access from anonymous and public users, remove the bindings for "allUsers" and "allAuthenticatedUsers" members from the KMS key's IAM policy. The "allUsers" is a special member identifier that represents any user on the Internet, including authenticated and unauthenticated users, while the "allAuthenticatedUsers" is an identifier that represents any user or service account that can sign in to Google Cloud Platform (GCP) with a Google account.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Misconfigured access permissions is a common security vulnerability that involves KMS resources. Granting permissions to "allUsers" and "allAuthenticatedUsers" members can allow anyone to access your KMS keys and the data encrypted with these keys. To prevent sensitive data leaks and data loss, ensure that anonymous and/or public access to your KMS cryptographic keys is not allowed.

Audit

To determine if there are any publicly accessible KMS keys available within your Google Cloud account, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Navigate to Cloud Key Management Service (KMS) dashboard at https://console.cloud.google.com/security/kms.

03 Click on the name of the GCP KMS key ring that you want to examine. A KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location.

04 Choose the KEYS tab, select the active KMS key that you want to examine, then click on the SHOW INFO PANEL button to show the key permissions. A cryptographic key is a GCP resource that is used for encrypting and decrypting data or for producing and verifying digital signatures.

05 On the information panel, select the PERMISSIONS tab, and turn off Show inherited permissions option. Click in the Filter tree box, select Role / Member, type allUsers and press Enter. Click again in the Filter tree box, choose OR, select Role / Member, type allAuthenticatedUsers, then press Enter. If the KMS console returns one or more results (members), the selected Google Cloud Platform (GCP) KMS key is publicly accessible.

06 Repeat step no. 4 and 5 for each cryptographic key available within the selected KMS key ring.

07 Repeat steps no. 3 – 6 for each KMS key ring provisioned in your Google cloud account.

Using GCP CLI

01 Run kms keyrings list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the KMS key rings available in your GCP account:

gcloud kms keyrings list
	--location=global

02 The command output should return the requested resource IDs:

NAME
projects/cc-project5-app-123123/locations/global/keyRings/cc-project5-key-ring
projects/cc-internal-app-123123/locations/global/keyRings/cc-internal-key-ring

03 Run kms keys list command (Windows/macOS/Linux) using the ID of the GCP KMS key ring that you want to examine as identifier parameter and custom query filters to list the resource ID of each KMS cryptographic key created for the selected key ring:

gcloud kms keys list
	--keyring=projects/cc-project5-app-123123/locations/global/keyRings/cc-project5-key-ring
	--location=global
	--format="table(name)"

04 The command output should return the requested KMS key IDs:

NAME
projects/cc-project5-app-123123/locations/global/keyRings/cc-project5-key-ring/cryptoKeys/cc-prod-cryptokey
projects/cc-project5-app-123123/locations/global/keyRings/cc-project5-key-ring/cryptoKeys/cc-internal-key

05 Run kms keys get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP KMS key that you want to examine as identifier parameter and custom query filters to describe name of the IAM member(s) associated with the selected key:

gcloud kms keys get-iam-policy projects/cc-project5-app-123123/locations/global/keyRings/cc-project5-key-ring/cryptoKeys/cc-prod-cryptokey
	--keyring=projects/cc-project5-app-123123/locations/global/keyRings/cc-project5-key-ring
	--location=global
	--format=json | jq '.bindings[].members[]'

06 The command output should return the name of the associated member(s):

"allUsers"

If the IAM member names returned by the kms keys get-iam-policy command output include "allUsers" or "allAuthenticatedUsers", as shown in the example above, the selected Google Cloud Platform (GCP) KMS key is publicly accessible to the Internet.

07 Repeat step no. 5 and 6 for each cryptographic key created for the selected KMS key ring.

08 Repeat steps no. 3 – 7 for each KMS key ring available within your Google cloud account.

Remediation / Resolution

To remove "allUsers" and/or "allAuthenticatedUsers" IAM member bindings from the required IAM policy in order to restrict anonymous and/or public access to your Cloud Key Management Service (KMS) keys, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Navigate to Cloud Key Management Service (KMS) dashboard at https://console.cloud.google.com/security/kms.

03 Click on the name of the GCP KMS key ring that you want to access.

04 Choose the KEYS tab, select the active cryptographic key that you want to reconfigure (see Audit section part I to identify the right KMS key), then click on the SHOW INFO PANEL button to show the key permissions.

05 On the information panel, perform the following:

Select the PERMISSIONS tab to access the key permissions.
Turn off the Show inherited permissions option.
Identify the member that you want to remove from the IAM policy attached to the selected KMS key, i.e. "allUsers" or "allAuthenticatedUsers", then click on the delete icon next to the member name to remove it.
On the confirmation box, select the member that you want to discard, then click REMOVE to confirm the member removal.

06 Repeat step no. 4 and 5 for each publicly accessible key available in the selected KMS key ring.

07 Repeat steps no. 3 – 6 for each KMS key ring created within your Google cloud account.

Using GCP CLI

01 Run kms keys remove-iam-policy-binding command (Windows/macOS/Linux) using the resource ID of the cryptographic key that you want to reconfigure as identifier parameter (see Audit section part I to identify the right KMS key), to remove the "allUsers" IAM member binding from the IAM policy associated with the selected key. To remove the "allAuthenticatedUsers" member set the --member parameter value to 'allAuthenticatedUsers':

gcloud kms keys remove-iam-policy-binding projects/cc-project5-app-123123/locations/global/keyRings/cc-project5-key-ring/cryptoKeys/cc-prod-cryptokey
	--keyring=projects/cc-project5-app-123123/locations/global/keyRings/cc-project5-key-ring
	--location=global
	--member='allUsers'
	--role='roles/editor'

02 The command request should return the metadata for the reconfigured IAM policy:

Updated IAM policy for key [cc-prod-cryptokey].
bindings:
- members:
  - allUsers
  role: roles/editor
etag: abcdabcdabcd
version: 1

03 Repeat step no. 1 and 2 for each publicly accessible key deployed in the selected KMS key ring.

04 Repeat steps no. 1 – 3 for each KMS key ring available within your Google cloud account.

References

Google Cloud Platform (GCP) Documentation
Cloud Key Management
Using IAM with Cloud KMS
Cloud KMS resources

CIS Security Documentation
Securing Google Cloud Computing Platform

GCP Command Line Interface (CLI) Documentation
gcloud kms keyrings list
gcloud kms keys list
gcloud kms keys get-iam-policy
gcloud kms keys remove-iam-policy-binding

Publication date Feb 4, 2021

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related CloudKMS rules