KMS Admin Roles Should Not Have CryptoKey Role

More Info:

Ensure that no users have the KMS admin role and any one of the CryptoKey roles follows separation of duties, where no user have access to resources out of the scope of duty.

Risk Level

Critical

Address

Security

Compliance Standards

CISGCP, CBP, ISO27001

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate this issue in GCP using GCP CLI, you can follow the below steps:

Open the Google Cloud Console and go to the Cloud Shell.
Run the following command to list all the KMS admin roles in your project:
```
gcloud kms roles list
```
Identify the KMS admin role that has the roles/cloudkms.cryptoKeyEncrypterDecrypter role.
Run the following command to remove the roles/cloudkms.cryptoKeyEncrypterDecrypter role from the KMS admin role:
```
gcloud kms roles revoke [KMS_ADMIN_ROLE] --permission=cloudkms.cryptoKeyEncrypterDecrypter
```
Replace [KMS_ADMIN_ROLE] with the name of the KMS admin role that you identified in step 3.
Verify that the roles/cloudkms.cryptoKeyEncrypterDecrypter role has been removed from the KMS admin role by running the following command:
```
gcloud kms roles describe [KMS_ADMIN_ROLE]
```
Replace [KMS_ADMIN_ROLE] with the name of the KMS admin role that you identified in step 3. This command should output the details of the KMS admin role, which should not include the roles/cloudkms.cryptoKeyEncrypterDecrypter role.

By following these steps, you should be able to remediate the issue of KMS admin roles having the roles/cloudkms.cryptoKeyEncrypterDecrypter role in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “KMS Admin Roles Should Not Have CryptoKey Role” in GCP using Python, you can follow the below steps:Step 1: Create a list of all the KMS admin roles that have CryptoKey role.

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Set the credentials
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json')

# Set the project id
project_id = 'your_project_id'

# Create the KMS client
kms_client = build('cloudkms', 'v1', credentials=credentials)

# Get the list of all the KMS admin roles
roles_list = kms_client.projects().locations().keyRings().cryptoKeys().getIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name)).execute()

# Create a list of all the KMS admin roles that have CryptoKey role
kms_admin_cryptokey_roles = []

for role in roles_list['bindings']:
    if 'roles/cloudkms.admin' in role['role']:
        for member in role['members']:
            if 'cryptoKey' in member:
                kms_admin_cryptokey_roles.append(role['role'])

Step 2: Remove the CryptoKey role from all the KMS admin roles.

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Set the credentials
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json')

# Set the project id
project_id = 'your_project_id'

# Create the KMS client
kms_client = build('cloudkms', 'v1', credentials=credentials)

# Remove the CryptoKey role from all the KMS admin roles
for role in kms_admin_cryptokey_roles:
    policy = kms_client.projects().locations().keyRings().cryptoKeys().getIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name)).execute()
    for binding in policy['bindings']:
        if binding['role'] == role:
            binding['members'] = [member for member in binding['members'] if 'cryptoKey' not in member]
    kms_client.projects().locations().keyRings().cryptoKeys().setIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name), body={'policy': policy}).execute()

Note: Replace the path/to/service_account.json, your_project_id, location, keyring_name, and cryptokey_name with the actual values in your GCP environment.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

KMS Admin Roles Should Not Have CryptoKey Role

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: