More Info:

Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible.

Risk Level

Critical

Address

Security

Compliance Standards

CISGCP, CBP

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the “KMS Cryptokeys Should Not Be Public” misconfiguration in GCP using the GCP console:

  1. Open the GCP console and navigate to the “Cloud KMS” page.

  2. Select the key ring that contains the public key that needs to be remediated.

  3. Click on the key that contains the public key that needs to be remediated.

  4. Click on the “Permissions” tab.

  5. Under the “Members” section, locate the user or group that has public access to the key.

  6. Click on the drop-down menu next to the user or group and select “Remove”.

  7. Click on the “Save” button to save the changes.

  8. Repeat steps 5-7 for any other users or groups that have public access to the key.

  9. Once all public access has been removed, click on the “IAM” tab.

  10. Check the IAM policies for the key and ensure that only authorized users or groups have access.

  11. Remove any unnecessary or overly permissive IAM policies.

  12. Click on the “Save” button to save the changes.

By following these steps, you will have successfully remediated the “KMS Cryptokeys Should Not Be Public” misconfiguration in GCP using the GCP console.

Using CLI

To remediate the KMS Cryptokeys Should Not Be Public issue for GCP using GCP CLI, please follow these steps:

  1. Open the Cloud Shell in your GCP console.

  2. Run the following command to list all the KMS keys in your project:

    gcloud kms keys list --location=global --keyring=<keyring-name>

    Replace <keyring-name> with the name of the keyring containing the keys you want to check.

  3. Identify the key(s) that have the public key policy set.

  4. Run the following command to remove the public key policy from the identified key(s):

    gcloud kms keys set-iam-policy <key-name> <path-to-iam-policy-file>

    Replace <key-name> with the name of the identified key and <path-to-iam-policy-file> with the path to a file containing the new IAM policy for the key.

    Here’s an example of a new IAM policy that removes the public key policy:

    {
    "bindings": [
        {
            "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
            "members": [
                "serviceAccount:<service-account-email>"
            ]
        }
    ]
}

    Replace <service-account-email> with the email address of a service account that needs access to the key.

  5. Verify that the public key policy has been removed from the identified key(s) by running the following command:

    gcloud kms keys get-iam-policy <key-name>

    Replace <key-name> with the name of the identified key.

    This should return the new IAM policy that you set in step 4 without the public key policy.

  6. Repeat steps 3-5 for any other identified keys that have the public key policy set.

Once you have completed these steps, your KMS Cryptokeys should no longer be public.

Using Python

To remediate the misconfiguration “KMS Cryptokeys Should Not Be Public” in GCP using Python, you can follow the below steps:

  1. First, you need to check if there are any publicly exposed KMS Cryptokeys in your GCP project. You can use the following Python code to list all the KMS Cryptokeys in your project:
from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

project_id = 'your-project-id'

parent = f'projects/{project_id}'

# List all the KMS Cryptokeys in the project
response = client.list_crypto_keys(parent)

for crypto_key in response.crypto_keys:
    print(crypto_key.name)
  1. Once you have the list of all the KMS Cryptokeys in your project, you need to check if any of them are public. You can use the following Python code to check if a KMS Cryptokey is public:
from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

key_name = 'projects/your-project-id/locations/global/keyRings/your-keyring/cryptoKeys/your-cryptokey'

# Get the KMS Cryptokey IAM policy
response = client.get_iam_policy(key_name)

# Check if any member has 'roles/cloudkms.cryptoKeyEncrypterDecrypter' role
for binding in response.bindings:
    if 'roles/cloudkms.cryptoKeyEncrypterDecrypter' in binding['role']:
        if 'allUsers' in binding['members'] or 'allAuthenticatedUsers' in binding['members']:
            print(f"The KMS Cryptokey {key_name} is public.")
  1. If you find any publicly exposed KMS Cryptokeys, you need to remove the public access. You can use the following Python code to remove public access from a KMS Cryptokey:
from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

key_name = 'projects/your-project-id/locations/global/keyRings/your-keyring/cryptoKeys/your-cryptokey'

# Get the KMS Cryptokey IAM policy
policy = client.get_iam_policy(key_name)

# Remove the 'roles/cloudkms.cryptoKeyEncrypterDecrypter' role from 'allUsers' and 'allAuthenticatedUsers'
for binding in policy.bindings:
    if 'roles/cloudkms.cryptoKeyEncrypterDecrypter' in binding['role']:
        if 'allUsers' in binding['members']:
            binding['members'].remove('allUsers')
        if 'allAuthenticatedUsers' in binding['members']:
            binding['members'].remove('allAuthenticatedUsers')

# Update the KMS Cryptokey IAM policy
update_mask = {'paths': ['bindings']}
client.set_iam_policy(key_name, policy, update_mask)

By following the above steps, you can remediate the misconfiguration “KMS Cryptokeys Should Not Be Public” in GCP using Python.