> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# KMS Admin Roles Should Not Have CryptoKey Role

### More Info:

Ensure that no users have the KMS admin role and any one of the CryptoKey roles follows separation of duties, where no user have access to resources out of the scope of duty.

### Risk Level

Critical

### Address

Security

### Compliance Standards

CISGCP, CBP, ISO27001

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration "KMS Admin Roles Should Not Have CryptoKey Role" in GCP using GCP console, you can follow the below steps:

        1. Login to your GCP console and navigate to the IAM & Admin page.
        2. In the IAM & Admin page, select the "Roles" tab.
        3. Search for the "Cloud KMS Admin" role and click on it.
        4. Under the "Permissions" tab, search for the "cloudkms.cryptoKeyRoles.\*" permission.
        5. Click on the pencil icon next to the "cloudkms.cryptoKeyRoles.\*" permission to edit it.
        6. Uncheck the "cloudkms.cryptoKeyRoles.\*" permission and click on the "Save" button.
        7. Verify that the "cloudkms.cryptoKeyRoles.\*" permission is no longer present under the "Permissions" tab for the "Cloud KMS Admin" role.

        By following the above steps, you have successfully remediated the misconfiguration "KMS Admin Roles Should Not Have CryptoKey Role" in GCP using GCP console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate this issue in GCP using GCP CLI, you can follow the below steps:

        1. Open the Google Cloud Console and go to the Cloud Shell.

        2. Run the following command to list all the KMS admin roles in your project:

           ```
           gcloud kms roles list
           ```

        3. Identify the KMS admin role that has the `roles/cloudkms.cryptoKeyEncrypterDecrypter` role.

        4. Run the following command to remove the `roles/cloudkms.cryptoKeyEncrypterDecrypter` role from the KMS admin role:

           ```
           gcloud kms roles revoke [KMS_ADMIN_ROLE] --permission=cloudkms.cryptoKeyEncrypterDecrypter
           ```

           Replace `[KMS_ADMIN_ROLE]` with the name of the KMS admin role that you identified in step 3.

        5. Verify that the `roles/cloudkms.cryptoKeyEncrypterDecrypter` role has been removed from the KMS admin role by running the following command:

           ```
           gcloud kms roles describe [KMS_ADMIN_ROLE]
           ```

           Replace `[KMS_ADMIN_ROLE]` with the name of the KMS admin role that you identified in step 3.

           This command should output the details of the KMS admin role, which should not include the `roles/cloudkms.cryptoKeyEncrypterDecrypter` role.

        By following these steps, you should be able to remediate the issue of KMS admin roles having the `roles/cloudkms.cryptoKeyEncrypterDecrypter` role in GCP using GCP CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration "KMS Admin Roles Should Not Have CryptoKey Role" in GCP using Python, you can follow the below steps:

        Step 1: Create a list of all the KMS admin roles that have CryptoKey role.

        ```
        from google.oauth2 import service_account
        from googleapiclient.discovery import build

        # Set the credentials
        credentials = service_account.Credentials.from_service_account_file(
            'path/to/service_account.json')

        # Set the project id
        project_id = 'your_project_id'

        # Create the KMS client
        kms_client = build('cloudkms', 'v1', credentials=credentials)

        # Get the list of all the KMS admin roles
        roles_list = kms_client.projects().locations().keyRings().cryptoKeys().getIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name)).execute()

        # Create a list of all the KMS admin roles that have CryptoKey role
        kms_admin_cryptokey_roles = []

        for role in roles_list['bindings']:
            if 'roles/cloudkms.admin' in role['role']:
                for member in role['members']:
                    if 'cryptoKey' in member:
                        kms_admin_cryptokey_roles.append(role['role'])
        ```

        Step 2: Remove the CryptoKey role from all the KMS admin roles.

        ```
        from google.oauth2 import service_account
        from googleapiclient.discovery import build

        # Set the credentials
        credentials = service_account.Credentials.from_service_account_file(
            'path/to/service_account.json')

        # Set the project id
        project_id = 'your_project_id'

        # Create the KMS client
        kms_client = build('cloudkms', 'v1', credentials=credentials)

        # Remove the CryptoKey role from all the KMS admin roles
        for role in kms_admin_cryptokey_roles:
            policy = kms_client.projects().locations().keyRings().cryptoKeys().getIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name)).execute()
            for binding in policy['bindings']:
                if binding['role'] == role:
                    binding['members'] = [member for member in binding['members'] if 'cryptoKey' not in member]
            kms_client.projects().locations().keyRings().cryptoKeys().setIamPolicy(resource='projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, keyring_name, cryptokey_name), body={'policy': policy}).execute()
        ```

        Note: Replace the `path/to/service_account.json`, `your_project_id`, `location`, `keyring_name`, and `cryptokey_name` with the actual values in your GCP environment.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:
