Cryptographic Keys Should Be Rotated
More Info:
Rotate cryptographic keys on a regular schedule. Thus, key rotation should be enabled on all cryptographic keys. Google will handle the rotation of the encryption key itself, so previous data does not need to be re-encrypted before the rotation occurs.
Risk Level
Medium
Address
Security, Operational Maturity
Compliance Standards
GDPR, ISO27001
Remediation
Using Console
Sure, here are the step-by-step instructions to remediate the cryptographic keys rotation misconfiguration in GCP using the GCP console:
- Open the GCP console and go to the Cloud Key Management Service (KMS) page.
- Select the key ring that contains the cryptographic key that needs to be rotated.
- Click on the name of the key that needs to be rotated.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Rotation period” section and select the rotation period that you want to set for the key.
- Click on the “Save” button to apply the changes.
By following these steps, you will be able to remediate the cryptographic key rotation misconfiguration in GCP using the GCP console.
Using CLI
To remediate the cryptographic keys rotation misconfiguration in GCP using GCP CLI, you can follow the below steps:
Step 1: Open the Cloud Shell in GCP Console.
Step 2: Run the following command to list all the cryptographic keys in the project:
gcloud kms keys list --location [LOCATION] --keyring [KEYRING_NAME]
Replace [LOCATION] with the location of the keyring and [KEYRING_NAME] with the name of the keyring.
Step 3: Identify the cryptographic keys that have not been rotated for a long time.
Step 4: Run the following command to rotate the cryptographic key:
gcloud kms keys rotate [KEY_NAME] --location [LOCATION] --keyring [KEYRING_NAME]
Replace [KEY_NAME] with the name of the cryptographic key, [LOCATION] with the location of the keyring and [KEYRING_NAME] with the name of the keyring.
Step 5: Verify that the cryptographic key has been rotated using the following command:
gcloud kms keys describe [KEY_NAME] --location [LOCATION] --keyring [KEYRING_NAME]
Replace [KEY_NAME] with the name of the cryptographic key, [LOCATION] with the location of the keyring and [KEYRING_NAME] with the name of the keyring.
Step 6: Repeat steps 4 and 5 for all the cryptographic keys that have not been rotated for a long time.
By following these steps, you can remediate the cryptographic keys rotation misconfiguration in GCP using GCP CLI.
Using Python
To remediate the cryptographic keys rotation misconfiguration in GCP using Python, follow these steps:
- First, you need to identify which cryptographic keys need to be rotated. You can use the GCP Cloud KMS API to list all the keys and their creation date.
from google.cloud import kms_v1
from google.cloud.kms_v1 import enums
# Create a KMS client
client = kms_v1.KeyManagementServiceClient()
# The resource name of the location associated with the key rings.
location = 'projects/[PROJECT_ID]/locations/[LOCATION]'
# List all the key rings in the specified location
parent = client.location_path('[PROJECT_ID]', '[LOCATION]')
response = client.list_key_rings(parent)
# List all the keys in each key ring
for key_ring in response:
key_ring_name = key_ring.name
keys = client.list_crypto_keys(key_ring_name)
for key in keys:
key_name = key.name
key_version = key.primary.name
key_create_time = key.create_time
# Check if the key needs to be rotated based on its creation date
- Once you have identified the keys that need to be rotated, you can use the Cloud KMS API to create a new key version and set it as the primary version.
# Create a new key version
key_version = client.create_crypto_key_version(key_name)
# Set the new key version as the primary version
update_mask = {'paths': ['primary']}
key = {'name': key_name}
key['primary'] = {'name': key_version.name}
client.update_crypto_key(key, update_mask)
- Finally, you should delete the old key versions to ensure that they are no longer used.
# List all the key versions for the key
key_versions = client.list_crypto_key_versions(key_name)
# Delete all the non-primary key versions
for key_version in key_versions:
if key_version.state == enums.CryptoKeyVersion.CryptoKeyVersionState.ENABLED and not key_version.name.endswith('primary'):
client.destroy_crypto_key_version(key_version.name)
Make sure you replace the [PROJECT_ID] and [LOCATION] placeholders with your actual project ID and location. Also, ensure that you have the necessary permissions to perform these actions.