app_engine_application_iap_enabledaudit_logging_configured_for_all_servicebigquery_dataset_encrypted_with_cmkbigquery_dataset_not_publicly_accessiblebigquery_dataset_restrict_gmailbigquery_dataset_restrict_googlegroupsbigquery_table_encrypted_with_cmkcloudfunction_function_no_deployments_manager_permissioncloudfunction_function_no_disrupt_logging_permissioncloudfunction_function_no_ingress_settings_allow_allcloudfunction_function_restrict_public_accesscloudfunction_function_restricted_permissioncloudfunction_function_vpc_connector_enabledcloudrun_service_restrict_public_accesscompute_backend_bucket_no_dangling_storage_bucketcompute_disk_encrypted_with_cskcompute_external_backend_service_iap_enabledcompute_firewall_allow_connections_proxied_by_iapcompute_firewall_allow_tcp_connections_proxied_by_iapcompute_firewall_default_rule_restrict_ingress_access_except_http_and_httpscompute_firewall_rule_ingress_access_restricted_to_dns_port_53compute_firewall_rule_ingress_access_restricted_to_ftp_port_21compute_firewall_rule_ingress_access_restricted_to_http_port_80compute_firewall_rule_ingress_access_restricted_to_microsoft_ds_port_445compute_firewall_rule_ingress_access_restricted_to_mongo_db_port_27017compute_firewall_rule_ingress_access_restricted_to_mysql_db_port_3306compute_firewall_rule_ingress_access_restricted_to_netbios_snn_port_139compute_firewall_rule_ingress_access_restricted_to_oracle_db_port_1521compute_firewall_rule_ingress_access_restricted_to_pop3_port_110compute_firewall_rule_ingress_access_restricted_to_postgresql_port_10250compute_firewall_rule_ingress_access_restricted_to_postgresql_port_10255compute_firewall_rule_ingress_access_restricted_to_postgresql_port_5432compute_firewall_rule_ingress_access_restricted_to_smtp_port_25compute_firewall_rule_ingress_access_restricted_to_telnet_port_23compute_firewall_rule_rdp_access_restrictedcompute_firewall_rule_restrict_ingress_allcompute_firewall_rule_restrict_ingress_all_with_no_specific_targetcompute_firewall_rule_ssh_access_restrictedcompute_https_load_balancer_logging_enabledcompute_instance_block_project_wide_ssh_enabledcompute_instance_confidential_computing_enabledcompute_instance_ip_forwarding_disabledcompute_instance_no_data_destruction_permissioncompute_instance_no_database_write_permissioncompute_instance_no_deployments_manager_permissioncompute_instance_no_disrupt_logging_permissioncompute_instance_no_iam_write_permissioncompute_instance_no_service_account_impersonate_permissioncompute_instance_no_write_permission_on_deny_policycompute_instance_oslogin_enabledcompute_instance_preemptible_termination_disabledcompute_instance_serial_port_connection_disabledcompute_instance_shielded_vm_enabledcompute_instance_template_ip_forwarding_disabledcompute_instance_with_custom_metadatacompute_instance_with_no_default_service_accountcompute_instance_with_no_default_service_account_with_full_accesscompute_instance_with_no_public_ip_addressescompute_instance_wth_no_high_level_basic_rolecompute_network_auto_create_subnetwork_enabledcompute_network_contains_no_default_networkcompute_network_contains_no_legacy_networkcompute_network_dns_logging_enabledcompute_ssl_policy_with_no_weak_ciphercompute_subnetwork_flow_log_enabledcompute_subnetwork_private_ip_google_accesscompute_target_https_proxy_quic_protocol_enabledcompute_target_https_proxy_quic_protocol_no_default_ssl_policycompute_target_https_uses_latest_tls_versiondataproc_cluster_encryption_with_cmekdns_managed_zone_dnssec_enableddns_managed_zone_key_signing_not_using_rsasha1dns_managed_zone_zone_signing_not_using_rsasha1iam_api_key_age_90iam_api_key_restricts_apisiam_api_key_restricts_websites_hosts_appsiam_service_account_gcp_managed_keyiam_service_account_key_age_100iam_service_account_key_age_90iam_service_account_without_admin_privilegeiam_user_denylist_publiciam_user_kms_separation_of_duty_enforcediam_user_not_assigned_service_account_user_role_project_leveliam_user_separation_of_duty_enforcediam_user_uses_corporate_login_credentialskms_key_not_publicly_accessiblekms_key_rotated_within_100_daykms_key_rotated_within_90_daykms_key_separation_of_duties_enforcedkubernetes_cluster_auto_repair_enabledkubernetes_cluster_auto_upgrade_enabledkubernetes_cluster_binary_authorization_enabledkubernetes_cluster_client_certificate_authentication_enabledkubernetes_cluster_dashboard_disabledkubernetes_cluster_database_encryption_enabledkubernetes_cluster_http_load_balancing_enabledkubernetes_cluster_incoming_traffic_open_to_allkubernetes_cluster_intra_node_visibility_enabledkubernetes_cluster_kubernetes_alpha_enabledkubernetes_cluster_legacy_abac_enabledkubernetes_cluster_legacy_endpoints_disabledkubernetes_cluster_logging_enabledkubernetes_cluster_master_authorized_networks_config_enabledkubernetes_cluster_monitoring_enabledkubernetes_cluster_network_policy_enabledkubernetes_cluster_network_policy_installedkubernetes_cluster_no_default_networkkubernetes_cluster_node_config_image_cos_containerdkubernetes_cluster_node_no_default_service_accountkubernetes_cluster_private_cluster_config_enabledkubernetes_cluster_private_nodes_configuredkubernetes_cluster_release_channel_configuredkubernetes_cluster_service_account_defaultkubernetes_cluster_shielded_instance_integrity_monitoring_enabledkubernetes_cluster_shielded_node_secure_boot_enabledkubernetes_cluster_shielded_nodes_enabledkubernetes_cluster_use_ip_aliaseskubernetes_cluster_with_less_than_three_node_auto_upgrade_enabledkubernetes_cluster_with_resource_labelskubernetes_cluster_zone_redundantlogging_bucket_retention_policy_enabledlogging_metric_alert_audit_configuration_changeslogging_metric_alert_custom_role_changeslogging_metric_alert_firewall_rule_changeslogging_metric_alert_network_changeslogging_metric_alert_network_route_changeslogging_metric_alert_project_ownership_assignmentlogging_metric_alert_sql_instance_configuration_changeslogging_metric_alert_storage_iam_permission_changeslogging_sink_configured_for_all_resourcemanual_controlorganization_essential_contacts_configuredproject_access_approval_settings_enabledproject_no_api_keyproject_service_cloudasset_api_enabledproject_service_container_scanning_api_enabledsql_instance_automated_backups_enabledsql_instance_mysql_binary_log_enabledsql_instance_mysql_local_infile_database_flag_offsql_instance_mysql_skip_show_database_flag_onsql_instance_not_open_to_internetsql_instance_not_publicly_accessiblesql_instance_postgresql_cloudsql_pgaudit_database_flag_enabledsql_instance_postgresql_log_checkpoints_database_flag_onsql_instance_postgresql_log_connections_database_flag_onsql_instance_postgresql_log_disconnections_database_flag_onsql_instance_postgresql_log_duration_database_flag_onsql_instance_postgresql_log_error_verbosity_database_flag_default_or_strictersql_instance_postgresql_log_executor_stats_database_flag_offsql_instance_postgresql_log_hostname_database_flag_configuredsql_instance_postgresql_log_lock_waits_database_flag_onsql_instance_postgresql_log_min_duration_statement_database_flag_disabledsql_instance_postgresql_log_min_error_statement_database_flag_configuredsql_instance_postgresql_log_min_messages_database_flag_errorsql_instance_postgresql_log_parser_stats_database_flag_offsql_instance_postgresql_log_planner_stats_database_flag_offsql_instance_postgresql_log_statement_database_flag_ddlsql_instance_postgresql_log_statement_stats_database_flag_offsql_instance_postgresql_log_temp_files_database_flag_0sql_instance_require_ssl_enabledsql_instance_sql_3625_trace_database_flag_offsql_instance_sql_3625_trace_database_flag_onsql_instance_sql_contained_database_authentication_database_flag_offsql_instance_sql_cross_db_ownership_chaining_database_flag_offsql_instance_sql_external_scripts_enabled_database_flag_offsql_instance_sql_remote_access_database_flag_offsql_instance_sql_user_connections_database_flag_configuredsql_instance_sql_user_options_database_flag_not_configuredsql_instance_with_labelssql_instance_with_no_public_ipsstorage_bucket_bucket_policy_only_enabledstorage_bucket_log_retention_policy_enabledstorage_bucket_log_retention_policy_lock_enabledstorage_bucket_not_publicly_accessiblestorage_bucket_uniform_access_enabled
Query: kms_key_separation_of_duties_enforced
Usage
powerpipe query gcp_compliance.query.kms_key_separation_of_duties_enforcedSteampipe Tables
SQL
with users_with_roles as ( select distinct split_part(member_entity, ':', 2) as user_name, project, _ctx, array_agg(distinct p ->> 'role') as assigned_roles from gcp_iam_policy, jsonb_array_elements(bindings) as p, jsonb_array_elements_text(p -> 'members') as member_entity where split_part(member_entity, ':', 1) = 'user' group by user_name, project, _ctx),kms_roles_users as ( select user_name, project, assigned_roles from users_with_roles where 'roles/cloudkms.admin' = any(assigned_roles) and assigned_roles && array [ 'roles/cloudkms.cryptoKeyEncrypterDecrypter', 'roles/cloudkms.cryptoKeyEncrypter', 'roles/cloudkms.cryptoKeyDecrypter' ])select distinct r.user_name as resource, case when 'roles/cloudkms.admin' = any(r.assigned_roles) and k.user_name is null then 'ok' when k.user_name is not null then 'alarm' else 'ok' end as status, case when 'roles/cloudkms.admin' = any(r.assigned_roles) and k.user_name is null then r.user_name || ' assigned only with KMS admin role.' when k.user_name is not null then r.user_name || ' assigned with roles/cloudkms.admin, ' || concat_ws( ', ', case when 'roles/cloudkms.cryptoKeyEncrypterDecrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyEncrypterDecrypter' end, case when 'roles/cloudkms.cryptoKeyEncrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyEncrypter' end, case when 'roles/cloudkms.cryptoKeyDecrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyDecrypter' end ) || ' KMS role(s).' else r.user_name || ' not assigned with KMS admin and additional encrypter/decrypter roles.' end as reason, r.project as projectfrom users_with_roles as r left join kms_roles_users as k on k.user_name = r.user_name and k.project = r.projectControls
The query is being used by the following controls:
- 1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users
- 1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users
- 1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users
- 1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
- Ensure that Separation of duties is enforced while assigning KMS related roles to users