KMS Admin Roles Should Not Have CryptoKey Role

​

More Info:

Ensure that no users have the KMS admin role and any one of the CryptoKey roles follows separation of duties, where no user have access to resources out of the scope of duty.

​

Risk Level

Critical

​

Address

Security

​

Compliance Standards

CISGCP, CBP, ISO27001

​

Remediation

​

Using Console

To remediate the misconfiguration “KMS Admin Roles Should Not Have CryptoKey Role” in GCP using GCP console, you can follow the below steps:

1. Login to your GCP console and navigate to the IAM & Admin page.
2. In the IAM & Admin page, select the “Roles” tab.
3. Search for the “Cloud KMS Admin” role and click on it.
4. Under the “Permissions” tab, search for the “cloudkms.cryptoKeyRoles.*” permission.
5. Click on the pencil icon next to the “cloudkms.cryptoKeyRoles.*” permission to edit it.
6. Uncheck the “cloudkms.cryptoKeyRoles.*” permission and click on the “Save” button.
7. Verify that the “cloudkms.cryptoKeyRoles.*” permission is no longer present under the “Permissions” tab for the “Cloud KMS Admin” role.

By following the above steps, you have successfully remediated the misconfiguration “KMS Admin Roles Should Not Have CryptoKey Role” in GCP using GCP console.

​

Using CLI

To remediate this issue in GCP using GCP CLI, you can follow the below steps:

1. Open the Google Cloud Console and go to the Cloud Shell.

2. Run the following command to list all the KMS admin roles in your project:

   gcloud kms roles list
   

3. Identify the KMS admin role that has the roles/cloudkms.cryptoKeyEncrypterDecrypter role.

4. Run the following command to remove the roles/cloudkms.cryptoKeyEncrypterDecrypter role from the KMS admin role:

   gcloud kms roles revoke [KMS_ADMIN_ROLE] --permission=cloudkms.cryptoKeyEncrypterDecrypter
   

   Replace [KMS_ADMIN_ROLE] with the name of the KMS admin role that you identified in step 3.

5. Verify that the roles/cloudkms.cryptoKeyEncrypterDecrypter role has been removed from the KMS admin role by running the following command:

   gcloud kms roles describe [KMS_ADMIN_ROLE]
   

   Replace [KMS_ADMIN_ROLE] with the name of the KMS admin role that you identified in step 3.

   This command should output the details of the KMS admin role, which should not include the roles/cloudkms.cryptoKeyEncrypterDecrypter role.

By following these steps, you should be able to remediate the issue of KMS admin roles having the roles/cloudkms.cryptoKeyEncrypterDecrypter role in GCP using GCP CLI.

​

Using Python

To remediate the misconfiguration “KMS Admin Roles Should Not Have CryptoKey Role” in GCP using Python, you can follow the below steps:

Step 1: Create a list of all the KMS admin roles that have CryptoKey role.

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Set the credentials
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json')

# Set the project id
project_id = 'your_project_id'

# Create the KMS client
kms_client = build('cloudkms', 'v1', credentials=credentials)

# Get the list of all the KMS admin roles
roles_list = kms_client.projects().locations().keyRings().cryptoKeys().getIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name)).execute()

# Create a list of all the KMS admin roles that have CryptoKey role
kms_admin_cryptokey_roles = []

for role in roles_list['bindings']:
    if 'roles/cloudkms.admin' in role['role']:
        for member in role['members']:
            if 'cryptoKey' in member:
                kms_admin_cryptokey_roles.append(role['role'])

Step 2: Remove the CryptoKey role from all the KMS admin roles.

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Set the credentials
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json')

# Set the project id
project_id = 'your_project_id'

# Create the KMS client
kms_client = build('cloudkms', 'v1', credentials=credentials)

# Remove the CryptoKey role from all the KMS admin roles
for role in kms_admin_cryptokey_roles:
    policy = kms_client.projects().locations().keyRings().cryptoKeys().getIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name)).execute()
    for binding in policy['bindings']:
        if binding['role'] == role:
            binding['members'] = [member for member in binding['members'] if 'cryptoKey' not in member]
    kms_client.projects().locations().keyRings().cryptoKeys().setIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name), body={'policy': policy}).execute()

Note: Replace the path/to/service_account.json, your_project_id, location, keyring_name, and cryptokey_name with the actual values in your GCP environment.

​

Additional Reading: