Detect KMS Keys That Are Scheduled To Be Destroyed

More Info:

Detect the KMS Keys that are scheduled to be destroyed. NOTE: Data encrypted using the key cannot be decrypted once the key has been destroyed.

Risk Level

High

Address

Operational Maturity, Security

Compliance Standards

HITRUST

Triage and Remediation

Remediation

Using Console

Using CLI

To detect KMS keys that are scheduled to be destroyed in GCP, you can use the following steps:

Open the Cloud Shell in your GCP console.
Run the following command to list all the KMS keys that are scheduled for destruction:

gcloud kms keys list --filter="destroyScheduledTime.datetime() < datetime('now')"

This command will return a list of all the KMS keys that are scheduled for destruction. Note down the name of the key that you want to remediate.
To cancel the scheduled destruction of the key, run the following command:

gcloud kms keys undelete [KEY-NAME]

Replace [KEY-NAME] with the name of the key that you want to remediate.

This command will cancel the scheduled destruction of the key and the key will be available for use again.
Verify that the key is no longer scheduled for destruction by running the first command again.

By following these steps, you can remediate the misconfiguration of scheduled destruction of KMS keys in GCP using GCP CLI.

Using Python

To detect KMS keys that are scheduled to be destroyed in GCP using Python, you can use the Google Cloud KMS API. Here are the steps to remediate this issue:

First, you need to authenticate and authorize your application to access the Google Cloud KMS API. You can use a service account key file for this purpose. You can create a service account and download the key file from the Google Cloud Console.
Install the Google Cloud KMS API client library for Python using pip:
```
pip install google-cloud-kms
```

Use the following Python code to detect KMS keys that are scheduled to be destroyed:

from google.cloud import kms_v1
from google.oauth2 import service_account

# Replace [PROJECT_ID] with your GCP project ID
project_id = '[PROJECT_ID]'

# Replace [PATH_TO_KEY_FILE] with the path to your service account key file
credentials = service_account.Credentials.from_service_account_file('[PATH_TO_KEY_FILE]')

# Create a client to access the KMS API
client = kms_v1.KeyManagementServiceClient(credentials=credentials)

# List all the KMS keys in the project
parent = f'projects/{project_id}/locations/global'
response = client.list_key_rings(parent)

# Check if any of the KMS keys are scheduled to be destroyed
for key_ring in response:
    for crypto_key in key_ring.crypto_keys:
        if crypto_key.destroy_scheduled_duration.seconds > 0:
            print(f'KMS key {crypto_key.name} is scheduled to be destroyed in {crypto_key.destroy_scheduled_duration.seconds} seconds')

Once you have identified the KMS keys that are scheduled to be destroyed, you can either cancel the destruction or rotate the keys to new ones. Here are the steps for each option:

To cancel the destruction, use the following Python code:

# Replace [KEY_NAME] with the name of the KMS key that you want to cancel the destruction for
key_name = '[KEY_NAME]'

# Create a request to update the KMS key
update_mask = {'paths': ['destroy_scheduled_duration']}
crypto_key = {'name': key_name, 'destroy_scheduled_duration': {'seconds': 0}}
request = {'crypto_key': crypto_key, 'update_mask': update_mask}

# Send the request to the KMS API to update the KMS key
response = client.update_crypto_key(request)

To rotate the keys to new ones, use the following Python code:

# Replace [KEY_NAME] with the name of the KMS key that you want to rotate
key_name = '[KEY_NAME]'

# Create a request to rotate the KMS key
rotation_period = {'seconds': 604800}  # Rotate the key every 7 days
request = {'name': key_name, 'rotation_period': rotation_period}

# Send the request to the KMS API to rotate the KMS key
response = client.update_crypto_key(request)

Note: Rotating the keys to new ones is a best practice to ensure the security of your data.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Detect KMS Keys That Are Scheduled To Be Destroyed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation