> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# KMS Cryptokeys Should Not Be Public

### More Info:

Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible.

### Risk Level

Critical

### Address

Security

### Compliance Standards

CISGCP, CBP

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the step-by-step instructions to remediate the "KMS Cryptokeys Should Not Be Public" misconfiguration in GCP using the GCP console:

        1. Open the GCP console and navigate to the "Cloud KMS" page.

        2. Select the key ring that contains the public key that needs to be remediated.

        3. Click on the key that contains the public key that needs to be remediated.

        4. Click on the "Permissions" tab.

        5. Under the "Members" section, locate the user or group that has public access to the key.

        6. Click on the drop-down menu next to the user or group and select "Remove".

        7. Click on the "Save" button to save the changes.

        8. Repeat steps 5-7 for any other users or groups that have public access to the key.

        9. Once all public access has been removed, click on the "IAM" tab.

        10. Check the IAM policies for the key and ensure that only authorized users or groups have access.

        11. Remove any unnecessary or overly permissive IAM policies.

        12. Click on the "Save" button to save the changes.

        By following these steps, you will have successfully remediated the "KMS Cryptokeys Should Not Be Public" misconfiguration in GCP using the GCP console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the KMS Cryptokeys Should Not Be Public issue for GCP using GCP CLI, please follow these steps:

        1. Open the Cloud Shell in your GCP console.

        2. Run the following command to list all the KMS keys in your project:

           ```
           gcloud kms keys list --location=global --keyring=<keyring-name>
           ```

           Replace `<keyring-name>` with the name of the keyring containing the keys you want to check.

        3. Identify the key(s) that have the `public` key policy set.

        4. Run the following command to remove the `public` key policy from the identified key(s):

           ```
           gcloud kms keys set-iam-policy <key-name> <path-to-iam-policy-file>
           ```

           Replace `<key-name>` with the name of the identified key and `<path-to-iam-policy-file>` with the path to a file containing the new IAM policy for the key.

           Here's an example of a new IAM policy that removes the `public` key policy:

           ```
           {
               "bindings": [
                   {
                       "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
                       "members": [
                           "serviceAccount:<service-account-email>"
                       ]
                   }
               ]
           }
           ```

           Replace `<service-account-email>` with the email address of a service account that needs access to the key.

        5. Verify that the `public` key policy has been removed from the identified key(s) by running the following command:

           ```
           gcloud kms keys get-iam-policy <key-name>
           ```

           Replace `<key-name>` with the name of the identified key.

           This should return the new IAM policy that you set in step 4 without the `public` key policy.

        6. Repeat steps 3-5 for any other identified keys that have the `public` key policy set.

        Once you have completed these steps, your KMS Cryptokeys should no longer be public.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration "KMS Cryptokeys Should Not Be Public" in GCP using Python, you can follow the below steps:

        1. First, you need to check if there are any publicly exposed KMS Cryptokeys in your GCP project. You can use the following Python code to list all the KMS Cryptokeys in your project:

        ```python theme={null}
        from google.cloud import kms_v1

        client = kms_v1.KeyManagementServiceClient()

        project_id = 'your-project-id'

        parent = f'projects/{project_id}'

        # List all the KMS Cryptokeys in the project
        response = client.list_crypto_keys(parent)

        for crypto_key in response.crypto_keys:
            print(crypto_key.name)
        ```

        2. Once you have the list of all the KMS Cryptokeys in your project, you need to check if any of them are public. You can use the following Python code to check if a KMS Cryptokey is public:

        ```python theme={null}
        from google.cloud import kms_v1

        client = kms_v1.KeyManagementServiceClient()

        key_name = 'projects/your-project-id/locations/global/keyRings/your-keyring/cryptoKeys/your-cryptokey'

        # Get the KMS Cryptokey IAM policy
        response = client.get_iam_policy(key_name)

        # Check if any member has 'roles/cloudkms.cryptoKeyEncrypterDecrypter' role
        for binding in response.bindings:
            if 'roles/cloudkms.cryptoKeyEncrypterDecrypter' in binding['role']:
                if 'allUsers' in binding['members'] or 'allAuthenticatedUsers' in binding['members']:
                    print(f"The KMS Cryptokey {key_name} is public.")
        ```

        3. If you find any publicly exposed KMS Cryptokeys, you need to remove the public access. You can use the following Python code to remove public access from a KMS Cryptokey:

        ```python theme={null}
        from google.cloud import kms_v1

        client = kms_v1.KeyManagementServiceClient()

        key_name = 'projects/your-project-id/locations/global/keyRings/your-keyring/cryptoKeys/your-cryptokey'

        # Get the KMS Cryptokey IAM policy
        policy = client.get_iam_policy(key_name)

        # Remove the 'roles/cloudkms.cryptoKeyEncrypterDecrypter' role from 'allUsers' and 'allAuthenticatedUsers'
        for binding in policy.bindings:
            if 'roles/cloudkms.cryptoKeyEncrypterDecrypter' in binding['role']:
                if 'allUsers' in binding['members']:
                    binding['members'].remove('allUsers')
                if 'allAuthenticatedUsers' in binding['members']:
                    binding['members'].remove('allAuthenticatedUsers')

        # Update the KMS Cryptokey IAM policy
        update_mask = {'paths': ['bindings']}
        client.set_iam_policy(key_name, policy, update_mask)
        ```

        By following the above steps, you can remediate the misconfiguration "KMS Cryptokeys Should Not Be Public" in GCP using Python.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
