KMS Cryptokeys Should Not Be Public

Using Console

Using CLI

To remediate the KMS Cryptokeys Should Not Be Public issue for GCP using GCP CLI, please follow these steps:

Open the Cloud Shell in your GCP console.
Run the following command to list all the KMS keys in your project:
```
gcloud kms keys list --location=global --keyring=<keyring-name>
```
Replace <keyring-name> with the name of the keyring containing the keys you want to check.
Identify the key(s) that have the public key policy set.
Run the following command to remove the public key policy from the identified key(s):
```
gcloud kms keys set-iam-policy <key-name> <path-to-iam-policy-file>
```
Replace <key-name> with the name of the identified key and <path-to-iam-policy-file> with the path to a file containing the new IAM policy for the key. Here’s an example of a new IAM policy that removes the public key policy:
```
{
    "bindings": [
        {
            "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
            "members": [
                "serviceAccount:<service-account-email>"
            ]
        }
    ]
}
```
Replace <service-account-email> with the email address of a service account that needs access to the key.
Verify that the public key policy has been removed from the identified key(s) by running the following command:
```
gcloud kms keys get-iam-policy <key-name>
```
Replace <key-name> with the name of the identified key. This should return the new IAM policy that you set in step 4 without the public key policy.
Repeat steps 3-5 for any other identified keys that have the public key policy set.

Once you have completed these steps, your KMS Cryptokeys should no longer be public.

Using Python

To remediate the misconfiguration “KMS Cryptokeys Should Not Be Public” in GCP using Python, you can follow the below steps:

First, you need to check if there are any publicly exposed KMS Cryptokeys in your GCP project. You can use the following Python code to list all the KMS Cryptokeys in your project:

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

project_id = 'your-project-id'

parent = f'projects/{project_id}'

# List all the KMS Cryptokeys in the project
response = client.list_crypto_keys(parent)

for crypto_key in response.crypto_keys:
    print(crypto_key.name)

Once you have the list of all the KMS Cryptokeys in your project, you need to check if any of them are public. You can use the following Python code to check if a KMS Cryptokey is public:

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

key_name = 'projects/your-project-id/locations/global/keyRings/your-keyring/cryptoKeys/your-cryptokey'

# Get the KMS Cryptokey IAM policy
response = client.get_iam_policy(key_name)

# Check if any member has 'roles/cloudkms.cryptoKeyEncrypterDecrypter' role
for binding in response.bindings:
    if 'roles/cloudkms.cryptoKeyEncrypterDecrypter' in binding['role']:
        if 'allUsers' in binding['members'] or 'allAuthenticatedUsers' in binding['members']:
            print(f"The KMS Cryptokey {key_name} is public.")

If you find any publicly exposed KMS Cryptokeys, you need to remove the public access. You can use the following Python code to remove public access from a KMS Cryptokey:

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

key_name = 'projects/your-project-id/locations/global/keyRings/your-keyring/cryptoKeys/your-cryptokey'

# Get the KMS Cryptokey IAM policy
policy = client.get_iam_policy(key_name)

# Remove the 'roles/cloudkms.cryptoKeyEncrypterDecrypter' role from 'allUsers' and 'allAuthenticatedUsers'
for binding in policy.bindings:
    if 'roles/cloudkms.cryptoKeyEncrypterDecrypter' in binding['role']:
        if 'allUsers' in binding['members']:
            binding['members'].remove('allUsers')
        if 'allAuthenticatedUsers' in binding['members']:
            binding['members'].remove('allAuthenticatedUsers')

# Update the KMS Cryptokey IAM policy
update_mask = {'paths': ['bindings']}
client.set_iam_policy(key_name, policy, update_mask)

By following the above steps, you can remediate the misconfiguration “KMS Cryptokeys Should Not Be Public” in GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

KMS Cryptokeys Should Not Be Public

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation