KMS Cross Account Access Must Not Be Present
More Info:
Ensure that all KMS keys are configured to be accessed only by trusted accounts in order to prevent unauthorized access
Risk Level
High
Address
Security
Compliance Standards
CBP
Remediation
Using Console
To remediate the KMS Cross Account Access misconfiguration in GCP using the GCP console, follow these steps:
- Open the GCP Console and navigate to the Key Management Service (KMS) page.
- Select the key ring that has cross-account access enabled.
- Click on the key for which cross-account access is enabled.
- Click on the “Permissions” tab.
- Click the “Edit” button at the top of the page.
- Find the member that has cross-account access and click the “X” to remove it.
- Click “Save” to save the changes.
Once you have completed these steps, cross-account access will be disabled for the selected key. Ensure that you have reviewed all the other keys and key rings and disabled cross-account access for any other keys that may have it enabled.
Using CLI
To remediate the KMS Cross Account Access Misconfiguration in GCP using GCP CLI, you can follow these steps:
-
First, you need to identify the KMS keyring and cryptokey that has cross-account access. You can use the following command to list all the KMS keyrings in your GCP project:
gcloud kms keyrings listOnce you have identified the keyring, you can list all the cryptokeys in that keyring using the following command:
gcloud kms keys list --keyring=<keyring-name>Identify the cryptokey that has cross-account access.
-
Once you have identified the cryptokey, you can remove the cross-account access by updating the IAM policy for that cryptokey. You can use the following command to remove all the members from the IAM policy for that cryptokey:
gcloud kms keys set-iam-policy <key-name> /dev/nullThis command sets the IAM policy for the cryptokey to an empty policy, which effectively removes all the members from the policy.
-
Finally, you can verify that the cross-account access has been removed by listing the IAM policy for the cryptokey using the following command:
gcloud kms keys get-iam-policy <key-name>This command should return an empty policy, indicating that there are no members with access to the cryptokey.
By following these steps, you can remediate the KMS Cross Account Access Misconfiguration in GCP using GCP CLI.
Using Python
To remediate the KMS Cross Account Access misconfiguration in GCP using Python, you can follow the below steps:
- First, you need to identify the KMS key that has cross-account access enabled. You can use the following command to list all the KMS keys in your project:
from google.cloud import kms_v1
client = kms_v1.KeyManagementServiceClient()
parent = client.key_ring_path(project_id, location_id, key_ring_id)
response = client.list_crypto_keys(parent)
for crypto_key in response:
print(crypto_key.name)
- Once you have identified the KMS key, you can disable cross-account access by updating the IAM policy of the KMS key. You can use the following code to update the IAM policy:
from google.cloud import kms_v1
client = kms_v1.KeyManagementServiceClient()
resource = client.crypto_key_path(project_id, location_id, key_ring_id, crypto_key_id)
policy = client.get_iam_policy(resource)
for binding in policy.bindings:
if binding.role == 'roles/cloudkms.cryptoKeyEncrypterDecrypter':
binding.condition = None
binding.members = [f'serviceAccount:{project_number}[email protected]']
updated_policy = client.set_iam_policy(resource, policy)
In the above code, we are removing the condition that allows cross-account access and adding the service account of the Compute Engine instance in the same project as a member with the roles/cloudkms.cryptoKeyEncrypterDecrypter role. This will allow the Compute Engine instance to access the KMS key but prevent cross-account access.
- Finally, you can verify that cross-account access has been disabled for the KMS key by running the following command:
from google.cloud import kms_v1
client = kms_v1.KeyManagementServiceClient()
resource = client.crypto_key_path(project_id, location_id, key_ring_id, crypto_key_id)
policy = client.get_iam_policy(resource)
for binding in policy.bindings:
if binding.role == 'roles/cloudkms.cryptoKeyEncrypterDecrypter' and binding.condition:
print('Cross-account access is still enabled')
else:
print('Cross-account access has been disabled')
By following these steps, you can remediate the KMS Cross Account Access misconfiguration in GCP using Python.