Cloud KMS cryptokey is anonymously or publicly accessible

Description

Cloud KMS cryptokeys are your encryption keys that protect your data in GCP. Allowing anonymous or public access to a cryptokey could allow untrusted individuals to access your sensitive data.

We recommend you ensure anonymous and public access to Cloud KMS cryptokeys is not allowed.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

1. Log in to the GCP Console.
2. Navigate to Key Management.
3. On the Key Rings details page, select your key ring where your cryptokey is stored.
4. Select your cryptokey from the Key ring details page.
5. Expand the Info Panel by selecting Show Info Panel.
6. To remove a specific role assignment, select allUsers or allAuthenticatedUsers, and then click Remove member.

CLI Command

To remove access to allUsers and allAuthenticatedUsers, use the following command:

gcloud kms keys remove-iam-policy-binding KEY-NAME \
    --keyring KEY-RING \
    --location LOCATION \
    --member PRINCIPAL \
    --role roles/ROLE-NAME

Replace KEY-NAME with the name of the public cryptokey. Replace KEY-RING with the name of the key ring. Replace LOCATION with the location of the key ring. Replace PRINCIPAL with either allUsers or allAuthenticatedUsers depending on your Checkov error. Replace ROLE-NAME with the name of the role to remove.

Fix - Buildtime

Terraform

• Resource: google_kms_crypto_key_iam_member

• Field: member

• Resource: google_kms_crypto_key_iam_binding

• Field: members

//Option 1
resource "google_kms_crypto_key_iam_member" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypter"

-  member        = "allUsers"
-  member        = "allAuthenticatedUsers"
}

//Option 2
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypter"

  members = [
-    "allUsers",
-    "allAuthenticatedUsers"
  ]
}