Data Decryption using All Keys Should Not Be Allowed

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that IAM users with data decryption permissions use IAM conditions to enforce strict controls, enhancing data protection and reducing the risk of unauthorized decryption. For compliance, the Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter), Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator), and Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) roles must have a condition that prevents data decryption with any KMS key.

Security

There are two main reasons to restrict data decryption using all KMS keys in your Google Cloud account:
1. Security: Granting decrypt permissions to all KMS keys gives IAM users access to decrypt any data encrypted with those keys. This is a broad permission that can be risky if compromised.
2. Granular control: Using IAM policy conditions with decrypt permissions allows you to specify exactly which data a user can decrypt. This provides more control and reduces the risk of accidental or unauthorized decryption.


Audit

To determine if your IAM users have overly permissive policies granting decryption access to all KMS keys, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select IAM.

05 Choose the PERMISSIONS tab and select VIEW BY PRINCIPALS.

06 Click inside the Filter box and perform the following actions:

  1. Select Type and choose User to return the IAM users available for the selected project.
  2. Select Role, type Cloud KMS CryptoKey Decrypter, and press Enter to return the IAM users with the Cloud KMS CryptoKey Decrypter role.
  3. Select OR, choose Role, type Cloud KMS Crypto Operator, and press Enter to return the users with the Cloud KMS Crypto Operator role.
  4. Select OR, choose Role, type Cloud KMS CryptoKey Encrypter/Decrypter, and press Enter to return the IAM users with the Cloud KMS CryptoKey Encrypter/Decrypter role.

07 Choose the IAM user that you want to examine and check the Conditions column to determine if the associated role policy has any conditions. If the Conditions column is empty, the role policy does not have conditions defined. If the Conditions column lists one or more conditions, click on the condition name and check the "expression" attribute value to determine if the selected condition prevents data decryption with any KMS key. If none of the listed conditions prevent data decryption with any KMS key, the selected IAM user can use any key to decrypt data, making the IAM user access configuration non-compliant.

08 Repeat step no. 7 for each IAM user created for the selected GCP project that you want to examine.

09 Repeat steps no. 2 – 8 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your Google Cloud Platform (GCP) account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested project identifiers (IDs):

PROJECT_ID
  cc-prod-app-123123
  cc-project5-123456

03 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the Google Cloud project that you want to examine as the identifier parameter and custom query filters to describe the Identity and Access Management (IAM) policy available for the selected project, in JSON format:

gcloud projects get-iam-policy cc-prod-app-123123 \
  --format=json

04 The command output should return the requested IAM policy (JSON format):

{
	"bindings": [
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
			],
			"role": "roles/cloudfunctions.admin"
		},
		{
			"members": [
				"user:developer@domain.com"
			],
			"role": "roles/cloudkms.cryptoKeyDecrypter"
		},
		{
			"members": [
				"serviceAccount:123456789012@cloudservices.gserviceaccount.com"
			],
			"role": "roles/editor"
		}
	],
	"etag": "ABCDABCDABCD",
	"version": 3
}

Check the names of the roles (i.e. the "role" property value) associated with your IAM users. If an IAM user is associated with the "roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoOperator", or "roles/cloudkms.cryptoKeyEncrypterDecrypter" role, the IAM user is able to perform decrypt operations. If the user can perform decrypt operations but the associated role binding has no conditions (no "condition" element is present), the IAM user can use any KMS key to decrypt data. If the binding has a "condition" element, check its "expression" attribute value to determine if the condition prevents data decryption with any KMS key. If none of the defined conditions prevent data decryption with any KMS key, the selected IAM user can use any key to decrypt data, making the IAM user access configuration non-compliant.

05 Repeat steps no. 3 and 4 for each GCP project created within your Google Cloud account.

Remediation / Resolution

To ensure that the IAM users with data decryption permissions are using conditions to enforce strict controls, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select IAM.

05 Choose the PERMISSIONS tab and select VIEW BY PRINCIPALS.

06 Click inside the Filter box and perform the following actions:

  1. Select Type and choose User to return the IAM users available for the selected project.
  2. Select Role, type Cloud KMS CryptoKey Decrypter, and press Enter to return the IAM users with the Cloud KMS CryptoKey Decrypter role.
  3. Select OR, choose Role, type Cloud KMS Crypto Operator, and press Enter to return the users with the Cloud KMS Crypto Operator role.
  4. Select OR, choose Role, type Cloud KMS CryptoKey Encrypter/Decrypter, and press Enter to return the IAM users with the Cloud KMS CryptoKey Encrypter/Decrypter role.

07 Choose the IAM user that you want to configure and click on the Edit principal button (pencil icon) to modify the user permissions.

08 In the Assign roles section, perform the following actions:

  1. Identify the role that allows the IAM user to perform decrypt operations (Cloud KMS CryptoKey Decrypter, Cloud KMS Crypto Operator, or Cloud KMS CryptoKey Encrypter/Decrypter role) and choose ADD IAM CONDITION.
  2. On the Add condition configuration pane, perform the following actions:
    1. Specify a unique title and provide a short description for the new condition.
    2. For Condition type select Type, for Operator select is, and for Resource Type select cloudkms.googleapis.com/CryptoKey to define your condition based on the KMS key resource.
    3. Choose ADD. For Condition type select Name, for Operator select is, and for Value enter the name of the KMS key that your IAM user can use to perform decrypt operations. You can also use other operators such as Starts with and Ends with to restrict access to specific KMS keys.
    4. Choose SAVE to create your new IAM condition.

09 Choose SAVE to apply the permission changes.

10 Repeat steps no. 7 – 9 for each IAM user created for the selected GCP project that you want to configure.

11 Repeat steps no. 2 – 10 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects get-iam-policy command (Windows/macOS/Linux) to describe the IAM policy defined for your Google Cloud project:

gcloud projects get-iam-policy cc-prod-app-123123 \
  --format=json

02 The command output should return the requested IAM policy:

{
	"bindings": [
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
			],
			"role": "roles/cloudfunctions.admin"
		},
		{
			"members": [
				"user:developer@domain.com"
			],
			"role": "roles/cloudkms.cryptoKeyDecrypter"
		},
		{
			"members": [
				"serviceAccount:123456789012@cloudservices.gserviceaccount.com"
			],
			"role": "roles/editor"
		}
	],
	"etag": "ABCDABCDABCD",
	"version": 3
}

03 Edit the IAM policy returned at the previous step and add conditions for the role bindings with the name "roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoOperator", or "roles/cloudkms.cryptoKeyEncrypterDecrypter" in order to prevent data decryption with any KMS key. After the policy is modified, save the policy document to a JSON file named restrict-data-decryption-policy.json. For example, in the following IAM policy, the condition defined for the IAM user with the "roles/cloudkms.cryptoKeyDecrypter" role allows data decryption with the specified key only, preventing decryption operations with any KMS key:

{
	"bindings": [
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
			],
			"role": "roles/cloudfunctions.admin"
		},
		{
			"members": [
				"user:developer@domain.com"
			],
			"role": "roles/cloudkms.cryptoKeyDecrypter",
			"condition": {
				"description": "Decrypt Data with Project5 Key Only",
				"expression": "resource.type == \"cloudkms.googleapis.com/CryptoKey\" &&\nresource.name == \"tm-project5-kms-key\"",
				"title": "Project5 Key Only"
			}
		},
		{
			"members": [
				"serviceAccount:123456789012@cloudservices.gserviceaccount.com"
			],
			"role": "roles/editor"
		}
	],
	"etag": "ABCDABCDABCD",
	"version": 3
}

04 Run projects set-iam-policy command (Windows/macOS/Linux) to update your IAM policy with the policy document modified at the previous step (i.e. restrict-data-decryption-policy.json):

gcloud projects set-iam-policy cc-prod-app-123123 restrict-data-decryption-policy.json

05 The command request should return the information for the modified IAM policy:

Updated IAM policy for project [cc-prod-app-123123].
bindings:
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/cloudfunctions.admin
- members:
  - serviceAccount:123456789012@cloudservices.gserviceaccount.com
  role: roles/editor
- members:
  - user:developer@domain.com
  role: roles/cloudkms.cryptoKeyDecrypter
- condition:
    description: Decrypt Data with Project5 Key Only
    expression: |-
      resource.type == "cloudkms.googleapis.com/CryptoKey" &&
      resource.name == "tm-project5-kms-key"
    title: Project5 Key Only
  members:
  - user:developer@domain.com
  role: roles/cloudkms.cryptoKeyDecrypter
etag: ABCDABCDABCD
version: 1

06 Repeat steps no. 1 – 5 for each GCP project deployed within your Google Cloud account.
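The audit check from step 4 of the CLI audit and the policy edit from step 3 of the CLI remediation, as an added example that is not Conformity's or Google's code: it reads the JSON that projects get-iam-policy returns, flags decrypt-role bindings whose condition does not pin a CryptoKey, and attaches such a condition to the unconditioned bindings. The sample policy and the key resource name are constructed; the key is given as a full resource name (projects/.../cryptoKeys/...), which is the form IAM Conditions compare resource.name against.

```python
"""Audit and remediate unconditioned Cloud KMS decrypt bindings (added example)."""
import json

# The three roles this check covers, as listed on the page.
DECRYPT_ROLES = {
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.cryptoOperator",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
}


def unrestricted_decrypt_members(policy):
    """Return (member, role) pairs able to decrypt with any KMS key: a decrypt
    role whose binding has no condition, or a condition that never mentions
    resource.name (e.g. a time-window-only condition) and so pins no key."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in DECRYPT_ROLES:
            continue
        expression = binding.get("condition", {}).get("expression", "")
        if "resource.name" not in expression:
            findings.extend((m, binding["role"]) for m in binding["members"])
    return findings


def restrict_decrypt_bindings(policy, key_resource_name, title="Decrypt with one key only"):
    """Return a copy of the policy where every unconditioned decrypt binding is
    scoped to key_resource_name; version 3 is required for conditions."""
    updated = json.loads(json.dumps(policy))  # deep copy; caller's dict untouched
    for binding in updated.get("bindings", []):
        if binding.get("role") in DECRYPT_ROLES and "condition" not in binding:
            binding["condition"] = {
                "title": title,
                "description": f"Decrypt data with {key_resource_name} only",
                "expression": ('resource.type == "cloudkms.googleapis.com/CryptoKey" && '
                               f'resource.name == "{key_resource_name}"'),
            }
    updated["version"] = 3
    return updated


# Constructed sample policy mirroring the one shown on this page.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["user:developer@domain.com"], "role": "roles/cloudkms.cryptoKeyDecrypter"},
        {"members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"], "role": "roles/editor"},
    ],
    "etag": "ABCDABCDABCD",
    "version": 1,
}
# Hypothetical key resource name; substitute the real one from gcloud kms keys list.
SAMPLE_KEY = "projects/cc-prod-app-123123/locations/global/keyRings/ring/cryptoKeys/key"

if __name__ == "__main__":
    print("non-compliant:", unrestricted_decrypt_members(SAMPLE_POLICY))
    print(json.dumps(restrict_decrypt_bindings(SAMPLE_POLICY, SAMPLE_KEY), indent=2))
```

Write the returned policy to restrict-data-decryption-policy.json and apply it with projects set-iam-policy as in step 4.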

Publication date May 3, 2024