GCP KMS crypto key is anonymously accessible
Description
Cloud KMS cryptokeys are your encryption keys that protect your data in GCP. Allowing anonymous or public access to a cryptokey could allow untrusted individuals to access your sensitive data. We recommend you ensure anonymous and public access to Cloud KMS cryptokeys is not allowed.
Code Example
```shell
gcloud kms keys remove-iam-policy-binding KEY-NAME \
    --keyring KEY-RING \
    --location LOCATION \
    --member PRINCIPAL \
    --role roles/ROLE-NAME
```
Remediation
**GCP Console**
To change the policy using the GCP Console, follow these steps:
1. Log in to the [GCP Console](https://console.cloud.google.com).
2. Navigate to [Key Management](https://console.cloud.google.com/security/kms/keyrings).
3. On the **Key Rings** details page, select the key ring where your cryptokey is stored.
4. Select your cryptokey from the Key ring details page.
5. Expand the Info Panel by selecting **Show Info Panel**.
6. To remove a specific role assignment, select **allUsers** or **allAuthenticatedUsers**, and then click **Remove member**.
**CLI Command**
To remove access for **allUsers** and **allAuthenticatedUsers**, run the `gcloud kms keys remove-iam-policy-binding` command shown under Code Example above, passing `allUsers` or `allAuthenticatedUsers` as the PRINCIPAL and the granted role as ROLE-NAME.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0991 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_GCP_6 |
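As an added example (not Checkov's own implementation of CKV2_GCP_6), the following Python check in the spirit of this rule walks `terraform show -json` plan output and reports every crypto key IAM resource that grants a role to `allUsers` or `allAuthenticatedUsers`. The resource types are the real google provider ones; the sample plan, project and key id are constructed placeholders.

```python
"""Added example (not Checkov's own check): flag Terraform plan resources that
grant a KMS crypto key role to allUsers or allAuthenticatedUsers."""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Real google provider resource types that attach IAM policy to a crypto key.
KEY_IAM_TYPES = {
    "google_kms_crypto_key_iam_member",   # single `member` attribute
    "google_kms_crypto_key_iam_binding",  # `members` list for one role
    "google_kms_crypto_key_iam_policy",   # full `policy_data` JSON document
}

def public_members(resource_type, values):
    """Return the public principals granted by one resource's attribute values."""
    if resource_type == "google_kms_crypto_key_iam_member":
        members = {values.get("member", "")}
    elif resource_type == "google_kms_crypto_key_iam_binding":
        members = set(values.get("members", []))
    elif resource_type == "google_kms_crypto_key_iam_policy":
        policy = json.loads(values.get("policy_data") or "{}")
        members = {m for b in policy.get("bindings", []) for m in b.get("members", [])}
    else:
        members = set()
    return members & PUBLIC_PRINCIPALS

def check_plan(plan):
    """Walk `terraform show -json` output; map failing addresses to public members."""
    failures = {}
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res["type"] in KEY_IAM_TYPES:
            bad = public_members(res["type"], res.get("values", {}))
            if bad:
                failures[res["address"]] = sorted(bad)
    return failures

# Constructed sample plan (not from a real deployment); key id is a placeholder.
KEY = "projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/KEY-NAME"
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "google_kms_crypto_key_iam_binding.public", "type": "google_kms_crypto_key_iam_binding",
     "values": {"crypto_key_id": KEY, "role": "roles/cloudkms.cryptoKeyDecrypter",
                "members": ["allUsers", "user:alice@example.com"]}},
    {"address": "google_kms_crypto_key_iam_member.fixed", "type": "google_kms_crypto_key_iam_member",
     "values": {"crypto_key_id": KEY, "role": "roles/cloudkms.cryptoKeyDecrypter",
                "member": "serviceAccount:app@PROJECT.iam.gserviceaccount.com"}},
    {"address": "google_kms_crypto_key_iam_policy.wide", "type": "google_kms_crypto_key_iam_policy",
     "values": {"crypto_key_id": KEY, "policy_data": json.dumps({"bindings": [
         {"role": "roles/cloudkms.viewer", "members": ["allAuthenticatedUsers"]}]})}},
]}}}
```

Running `check_plan(SAMPLE_PLAN)` reports the binding and policy resources and passes the member resource, which is scoped to a single service account.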