GCP Cloud KMS Key Rings are anonymously or publicly accessible
Description
GCP Cloud KMS key rings contain your encryption keys, and allowing anonymous or public access to a key ring grants anyone permission to use the CryptoKeys stored inside the ring. CryptoKeys should only be accessible to trusted parties because they are commonly used to protect sensitive data. We recommend you ensure anonymous and public access to KMS key rings is not allowed.
Code Example
```hcl
// Option 1: google_kms_key_ring_iam_member granting a role to a public principal
resource "google_kms_key_ring_iam_member" "member" {
  key_ring_id = google_kms_key_ring.default.id
  role        = "roles/cloudkms.cryptoKeyEncrypter"
  member      = "allUsers" // flagged; "allAuthenticatedUsers" is flagged the same way
}

// Option 2: google_kms_key_ring_iam_binding listing public principals
resource "google_kms_key_ring_iam_binding" "binding" {
  key_ring_id = google_kms_key_ring.default.id
  role        = "roles/cloudkms.cryptoKeyEncrypter"
  members = [
    "allUsers",              // flagged
    "allAuthenticatedUsers", // flagged
  ]
}
```
Remediation
GCP Console
To change the policy using the GCP Console, follow these steps:
1. Log in to the GCP Console at https://console.cloud.google.com.
2. Navigate to Key Management at https://console.cloud.google.com/security/kms/keyrings.
3. On the Key Rings details page, select your key ring.
4. Click SHOW INFO PANEL in the side bar.
5. To remove a specific role assignment, click Delete next to allUsers or allAuthenticatedUsers.
CLI Command
To remove access for allUsers and allAuthenticatedUsers, use the following command:
```shell
gcloud kms keyrings remove-iam-policy-binding KEY-RING \
  --location LOCATION \
  --member PRINCIPAL \
  --role roles/ROLE-NAME
```
Replace KEY-RING with the name of the key ring, LOCATION with the location of the key ring, PRINCIPAL with either allUsers or allAuthenticatedUsers, and ROLE-NAME with the name of the role to remove.
Fix - Buildtime
Terraform
- Resource: google_kms_key_ring_iam_member
- Field: member
- Resource: google_kms_key_ring_iam_binding
- Field: members
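The following script is an added example (not part of this policy page, Checkov, or Google's tooling) that ties the runtime remediation and the build-time fix together. It audits a key ring IAM policy in the JSON shape returned by `gcloud kms keyrings get-iam-policy ... --format=json`, emits the matching `gcloud kms keyrings remove-iam-policy-binding` command for every public principal it finds, and scans Terraform source for the two resource types named above. The sample policy, the sample Terraform, the service account, group and project names, and the KEY-RING/LOCATION placeholders are all constructed for this example; the Terraform scan is a regex over literal values, not a full HCL parser.

```python
"""Audit Cloud KMS key ring access for anonymous/public principals.

Two checks, both assumptions of this example rather than official tooling:
  1. find_public_bindings: runtime check over an IAM policy JSON document
     (shape of `gcloud kms keyrings get-iam-policy KEY-RING --location LOCATION
     --format=json`), plus the remediation commands to remove each finding.
  2. find_public_members_in_hcl: build-time check over Terraform text for
     google_kms_key_ring_iam_member / google_kms_key_ring_iam_binding blocks.
"""
import json
import re

# The two principals that make a key ring anonymously or publicly accessible.
PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})

# Constructed sample policy (not from a real project). Two bindings are bad:
# one hands the encrypter role to everyone on the internet, one hands the
# viewer role to any Google account. The admin binding is fine.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypter",
         "members": ["allUsers",
                     "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.viewer",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/cloudkms.admin",
         "members": ["group:kms-admins@example.com"]},
    ],
    "etag": "BwExampleEtag",
    "version": 1,
})

# Constructed sample Terraform: one public member in each resource type.
SAMPLE_TF = '''
resource "google_kms_key_ring_iam_binding" "binding" {
  key_ring_id = google_kms_key_ring.default.id
  role        = "roles/cloudkms.cryptoKeyEncrypter"
  members = [
    "allUsers",
    "serviceAccount:app@example-project.iam.gserviceaccount.com",
  ]
}

resource "google_kms_key_ring_iam_member" "member" {
  key_ring_id = google_kms_key_ring.default.id
  role        = "roles/cloudkms.viewer"
  member      = "allAuthenticatedUsers"
}
'''


def find_public_bindings(policy_json):
    """Return (role, principal) pairs in the policy that grant a public principal."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def is_compliant(policy_json):
    """True when no binding on the key ring names allUsers/allAuthenticatedUsers."""
    return not find_public_bindings(policy_json)


def remediation_commands(policy_json, key_ring, location):
    """One remove-iam-policy-binding invocation per (role, principal) finding.

    The command takes a single --member and --role, so each finding needs its
    own call; key_ring and location are caller-supplied placeholders here.
    """
    return [
        f"gcloud kms keyrings remove-iam-policy-binding {key_ring} "
        f"--location {location} --member {member} --role {role}"
        for role, member in find_public_bindings(policy_json)
    ]


# Matches a key ring IAM resource block; body runs to the first "}" at column 0.
RESOURCE_RE = re.compile(
    r'resource\s+"(google_kms_key_ring_iam_(?:member|binding))"\s+"([^"]+)"\s*\{(.*?)\n\}',
    re.S,
)


def find_public_members_in_hcl(hcl_text):
    """Return (resource_type, resource_name, principal) for each public literal.

    Regex scan of quoted strings inside the block: catches literal members in
    `member = ...` and `members = [...]`, but not values built from variables.
    """
    findings = []
    for match in RESOURCE_RE.finditer(hcl_text):
        rtype, name, body = match.groups()
        for quoted in re.findall(r'"([^"]*)"', body):
            if quoted in PUBLIC_PRINCIPALS:
                findings.append((rtype, name, quoted))
    return findings


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_POLICY, "KEY-RING", "LOCATION"):
        print(cmd)
    for finding in find_public_members_in_hcl(SAMPLE_TF):
        print("terraform:", *finding)
```

Running the script prints two `gcloud` remediation commands for the sample policy and two Terraform findings; feeding it a real policy export or `.tf` file is a matter of swapping the sample strings for file contents.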
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0993 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV2_GCP_8 |