Control: 1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users
Description
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
The built-in/predefined IAM role Cloud KMS Admin allows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter/Decrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s). The built-in/predefined IAM role Cloud KMS CryptoKey Decrypter allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).
Remediation
No user(s) should have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at the same time.
From Console
- Login to IAM & Admin/IAM
- For any member having
Cloud KMS Adminand any of theCloud KMS CryptoKey Encrypter/Decrypter,Cloud KMS CryptoKey Encrypter,Cloud KMS CryptoKey Decrypterroles granted/assigned, click the Delete Bin icon to remove the role from the member.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v130_1_11Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v130_1_11 --shareSQL
This control uses a named query:
kms_key_separation_of_duties_enforced