Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/gcp_compliance
Overview
7Dashboards
510Controls
175Queries
2Variables
GitHub
Loading controls...

Control: 1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible

Description

It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.

Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.

Remediation

From Command Line

  1. List all Cloud KMS Cryptokeys.

    gcloud kms keys list --keyring=[key_ring_name] --location=global --
    format=json | jq '.[].name'

  2. Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers using the below command.

    gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --
    

    role='[role]' gcloud kms keys remove-iam-policy-binding [key_name] -- keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'

Note: By default Cloud KMS does not allow access to allUsers or allAuthenticatedUsers.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v130_1_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_1_9 --share

SQL

This control uses a named query:

kms_key_not_publicly_accessible

Tags

benchmark = cis
category = Compliance
cis_item_id = 1.9
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v1.3.0
plugin = gcp
service = GCP/KMS