Ensure GCP Cloud KMS cryptokey is not anonymously or publicly accessible

Error: GCP Dataproc cluster is anonymously or publicly accessible
Bridgecrew Policy ID: BC_GCP_GENERAL_9
Checkov Check ID: CKV2_GCP_6
Severity: HIGH

Cloud KMS cryptokey is anonymously or publicly accessible


Cloud KMS cryptokeys are your encryption keys that protect your data in GCP. Allowing anonymous or public access to a cryptokey could allow untrusted individuals to access your sensitive data.

We recommend you ensure anonymous and public access to Cloud KMS cryptokeys is not allowed.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console.
  2. Navigate to Key Management.
  3. On the Key Rings details page, select your key ring where your cryptokey is stored.
  4. Select your cryptokey from the Key ring details page.
  5. Expand the Info Panel by selecting Show Info Panel.
  6. To remove a specific role assignment, select allUsers or allAuthenticatedUsers, and then click Remove member.

CLI Command

To remove access to allUsers and allAuthenticatedUsers, use the following command:

gcloud kms keys remove-iam-policy-binding KEY-NAME \
    --keyring KEY-RING \
    --location LOCATION \
    --member PRINCIPAL \
    --role roles/ROLE-NAME

Replace KEY-NAME with the name of the public cryptokey. Replace KEY-RING with the name of the key ring. Replace LOCATION with the location of the key ring. Replace PRINCIPAL with either allUsers or allAuthenticatedUsers depending on your Checkov error. Replace ROLE-NAME with the name of the role to remove.

Fix - Buildtime


  • Resource: google_kms_crypto_key_iam_member

  • Field: member

  • Resource: google_kms_crypto_key_iam_binding

  • Field: members

//Option 1
resource "google_kms_crypto_key_iam_member" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypter"

-  member        = "allUsers"
-  member        = "allAuthenticatedUsers"

//Option 2
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypter"

  members = [
-    "allUsers",
-    "allAuthenticatedUsers"