Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Error: GCP KMS crypto key is anonymously accessible
Bridgecrew Policy ID: BC_GCP_GENERAL_9
Checkov Check ID: CKV2_GCP_6
Severity: LOW
GCP KMS crypto key is anonymously accessible
Description
It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.
Fix - Buildtime
Terraform
- Resource: google_kms_crypto_key
- Argument: google_kms_crypto_key_iam_member / google_kms_crypto_key_iam_binding
resource "google_kms_key_ring" "keyring" {
name = "keyring-example"
location = "global"
}
resource "google_kms_crypto_key" "bad_key" {
name = "crypto-key-example"
key_ring = google_kms_key_ring.keyring.id
rotation_period = "100000s"
lifecycle {
prevent_destroy = true
}
}
resource "google_kms_crypto_key_iam_member" "bad_member_1" {
crypto_key_id = google_kms_crypto_key.bad_key.id
role = "roles/cloudkms.cryptoKeyEncrypter"
- member = "allUsers"
}
resource "google_kms_crypto_key_iam_member" "bad_member_2" {
crypto_key_id = google_kms_crypto_key.bad_key.id
role = "roles/cloudkms.cryptoKeyEncrypter"
- member = "allAuthenticatedUsers"
}
resource "google_kms_crypto_key_iam_binding" "bad_binding_1" {
crypto_key_id = google_kms_crypto_key.bad_key.id
role = "roles/cloudkms.cryptoKeyEncrypter"
- members = [
- "allUsers",
- ]
}
resource "google_kms_crypto_key_iam_binding" "bad_binding_2" {
crypto_key_id = google_kms_crypto_key.bad_key.id
role = "roles/cloudkms.cryptoKeyEncrypter"
- members = [
- "allAuthenticatedUsers",
- ]
}
resource "google_kms_crypto_key" "good_key" {
name = "crypto-key-example"
key_ring = google_kms_key_ring.keyring.id
rotation_period = "100000s"
lifecycle {
prevent_destroy = true
}
}
resource "google_kms_crypto_key_iam_member" "good_member" {
crypto_key_id = google_kms_crypto_key.good_key.id
role = "roles/cloudkms.cryptoKeyEncrypter"
+ member = "user:[email protected]"
}
resource "google_kms_crypto_key_iam_binding" "good_binding" {
crypto_key_id = google_kms_crypto_key.good_key.id
role = "roles/cloudkms.cryptoKeyEncrypter"
+ members = [
+ "user:[email protected]",
+ ]
}
Updated 6 months ago