KMS policy allows public access
Description
This policy checks that the IAM policy on a Cloud Key Management Service (KMS) key ring or crypto key does not grant access to a public principal. Two IAM members make a resource public: `allUsers` (anyone on the internet, no authentication required) and `allAuthenticatedUsers` (any Google account, not only accounts in your organization). Cloud KMS never returns key material, so a public binding does not leak the key itself, but it lets the whole world perform whatever operations the granted role permits: with `roles/cloudkms.cryptoKeyEncrypterDecrypter`, anyone can decrypt data protected by the key or encrypt data with it, and a grant on a key ring is inherited by every key in that ring. This is a high-severity exposure that leads directly to data breaches, so KMS IAM bindings must be restricted to specific, trusted users, groups and service accounts.
Code Example
# Compliant: both bindings name a specific principal instead of allUsers or allAuthenticatedUsers.
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
  # Reference the key by its id; the deprecated self_link attribute was removed in v4 of the google provider.
  crypto_key_id = google_kms_crypto_key.my_crypto_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  members = [
    "user:[email protected]"
  ]
}

resource "google_kms_key_ring_iam_binding" "key_ring" {
  key_ring_id = google_kms_key_ring.my_key_ring.id
  role        = "roles/cloudkms.admin"
  members = [
    "user:[email protected]"
  ]
}
Remediation
Terraform
- Resource: "google_kms_crypto_key_iam_policy", "google_kms_crypto_key_iam_binding", "google_kms_crypto_key_iam_member", "google_kms_key_ring_iam_policy", "google_kms_key_ring_iam_binding", "google_kms_key_ring_iam_member"
- Arguments: policy_data (for `_iam_policy`), members (for `_iam_binding`), member (for `_iam_member`)
To fix the issue, make sure no principal granted on a KMS crypto key or key ring is `allUsers` or `allAuthenticatedUsers`. Where to look depends on the resource type: the `member` argument of `_iam_member` resources, the `members` list of `_iam_binding` resources, and every `members` list inside the `bindings` of the JSON `policy_data` document of `_iam_policy` resources. Replace the public principal with the specific user, group or service account that needs the role, and check the key ring as well as the key, because a public grant on the ring applies to every key it contains.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0970 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_112 |