Ensure GCP Cloud KMS Key Rings are not anonymously or publicly accessible

Error: GCP Cloud KMS Key Rings are anonymously or publicly accessible
Bridgecrew Policy ID: BC_GCP_GENERAL_18
Checkov Check ID: CKV2_GCP_8
Bridgecrew Severity: HIGH
Prisma Cloud severity: HIGH


Description

GCP Cloud KMS key rings contain your encryption keys. Allowing anonymous or public access to a key ring grants anyone permission to access the CryptoKeys stored inside it. CryptoKeys should be accessible only to trusted parties because they are commonly used to protect sensitive data.

We recommend you ensure anonymous and public access to KMS key rings is not allowed.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Key Management.
  3. On the Key Rings details page, select your key ring.
  4. Click the SHOW INFO PANEL side bar.
  5. To remove a specific role assignment, click Delete next to allUsers or allAuthenticatedUsers.

CLI Command

To remove access for allUsers and allAuthenticatedUsers, use the following command (it removes one member from one role, so run it once for each binding you want to remove):

gcloud kms keyrings remove-iam-policy-binding KEY-RING \
    --location LOCATION \
    --member PRINCIPAL \
    --role roles/ROLE-NAME

Replace KEY-RING with the name of the key ring. Replace LOCATION with the location of the key ring. Replace PRINCIPAL with either allUsers or allAuthenticatedUsers. Replace ROLE-NAME with the name of the role to remove.
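The same check can be run against the key ring's current IAM policy before remediating. The following is an added example, not part of the Checkov or Bridgecrew code: it takes the JSON that `gcloud kms keyrings get-iam-policy KEY-RING --location LOCATION --format=json` returns (a constructed sample is embedded below), reports every binding that grants a role to allUsers or allAuthenticatedUsers, and prints the matching remove-iam-policy-binding command for each one. The key ring name and location are assumed placeholders.

```python
import json
import shlex

# Constructed sample in the shape of `gcloud kms keyrings get-iam-policy --format=json`.
# The project, accounts and etag are made up for this example.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypter",
     "members": ["allUsers", "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.viewer",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/cloudkms.admin",
     "members": ["group:kms-admins@example.com"]}
  ],
  "etag": "BwXexampleEtag=",
  "version": 1
}
"""

# The two principals that make a binding anonymous/public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy):
    """Return (role, member) pairs where the member is allUsers or allAuthenticatedUsers."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def remediation_commands(findings, key_ring, location):
    """Build one remove-iam-policy-binding command per public (role, member) pair."""
    return [
        "gcloud kms keyrings remove-iam-policy-binding "
        f"{shlex.quote(key_ring)} --location {shlex.quote(location)} "
        f"--member {member} --role {role}"
        for role, member in findings
    ]


def audit(policy_json, key_ring, location):
    """Parse the policy JSON and return (findings, remediation commands)."""
    findings = find_public_bindings(json.loads(policy_json))
    return findings, remediation_commands(findings, key_ring, location)


if __name__ == "__main__":
    found, cmds = audit(SAMPLE_POLICY_JSON, "my-key-ring", "us-central1")
    for role, member in found:
        print(f"FAIL: {member} holds {role}")
    print("\n".join(cmds))
```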

Fix - Buildtime

Terraform

  • Resource: google_kms_key_ring_iam_member
  • Field: member
  • Resource: google_kms_key_ring_iam_binding
  • Field: members
//Option 1
resource "google_kms_key_ring_iam_member" "member" {
  key_ring_id = google_kms_key_ring.default.id
  role        = "roles/cloudkms.cryptoKeyEncrypter"
-  member      = "allUsers"
-  member      = "allAuthenticatedUsers"
}

//Option 2
resource "google_kms_key_ring_iam_binding" "binding" {
  key_ring_id = google_kms_key_ring.default.id
  role        = "roles/cloudkms.cryptoKeyEncrypter"
  members = [
-    "allUsers",
-    "allAuthenticatedUsers"
  ]
}