Detect KMS Keys That Are Scheduled To Be Destroyed

​

More Info:

Detect the KMS Keys that are scheduled to be destroyed. NOTE: Data encrypted using the key cannot be decrypted once the key has been destroyed.

​

Risk Level

High

​

Address

Operational Maturity, Security

​

Compliance Standards

HITRUST

​

Remediation

​

Using Console

To detect KMS keys that are scheduled to be destroyed in GCP, follow these steps:

1. Open the Google Cloud Console and select the project where the KMS key is located.
2. In the left-hand menu, select “Security”.
3. Click on “Key Management Service”.
4. In the KMS dashboard, click on “Scheduled for destruction” in the left-hand menu.
5. You will see a list of KMS keys that are scheduled for destruction.

To remediate this issue, you can either cancel the scheduled destruction or create a new key to replace the one that is scheduled for destruction. To cancel the scheduled destruction, follow these steps:

1. Select the KMS key that is scheduled for destruction.
2. Click on “Cancel destruction” in the top menu.
3. Confirm the cancellation.

To create a new key to replace the one that is scheduled for destruction, follow these steps:

1. Click on “Create key” in the top menu.
2. Choose the key type and key version.
3. Enter a name for the key.
4. Click on “Create”.

Note: Be sure to update any applications or services that use the original KMS key with the new key.

​

Using CLI

To detect KMS keys that are scheduled to be destroyed in GCP, you can use the following steps:

1. Open the Cloud Shell in your GCP console.

2. Run the following command to list all the KMS keys that are scheduled for destruction:

gcloud kms keys list --filter="destroyScheduledTime.datetime() < datetime('now')"

3. This command will return a list of all the KMS keys that are scheduled for destruction. Note down the name of the key that you want to remediate.

4. To cancel the scheduled destruction of the key, run the following command:

gcloud kms keys undelete [KEY-NAME]

Replace [KEY-NAME] with the name of the key that you want to remediate.

5. This command will cancel the scheduled destruction of the key and the key will be available for use again.

6. Verify that the key is no longer scheduled for destruction by running the first command again.

By following these steps, you can remediate the misconfiguration of scheduled destruction of KMS keys in GCP using GCP CLI.

​

Using Python

To detect KMS keys that are scheduled to be destroyed in GCP using Python, you can use the Google Cloud KMS API. Here are the steps to remediate this issue:

1. First, you need to authenticate and authorize your application to access the Google Cloud KMS API. You can use a service account key file for this purpose. You can create a service account and download the key file from the Google Cloud Console.

2. Install the Google Cloud KMS API client library for Python using pip:

   pip install google-cloud-kms
   

3. Use the following Python code to detect KMS keys that are scheduled to be destroyed:

   from google.cloud import kms_v1
   from google.oauth2 import service_account
   
   # Replace [PROJECT_ID] with your GCP project ID
   project_id = '[PROJECT_ID]'
   
   # Replace [PATH_TO_KEY_FILE] with the path to your service account key file
   credentials = service_account.Credentials.from_service_account_file('[PATH_TO_KEY_FILE]')
   
   # Create a client to access the KMS API
   client = kms_v1.KeyManagementServiceClient(credentials=credentials)
   
   # List all the KMS keys in the project
   parent = f'projects/{project_id}/locations/global'
   response = client.list_key_rings(parent)
   
   # Check if any of the KMS keys are scheduled to be destroyed
   for key_ring in response:
       for crypto_key in key_ring.crypto_keys:
           if crypto_key.destroy_scheduled_duration.seconds > 0:
               print(f'KMS key {crypto_key.name} is scheduled to be destroyed in {crypto_key.destroy_scheduled_duration.seconds} seconds')
   

4. Once you have identified the KMS keys that are scheduled to be destroyed, you can either cancel the destruction or rotate the keys to new ones. Here are the steps for each option:

   • To cancel the destruction, use the following Python code:

     # Replace [KEY_NAME] with the name of the KMS key that you want to cancel the destruction for
     key_name = '[KEY_NAME]'
     
     # Create a request to update the KMS key
     update_mask = {'paths': ['destroy_scheduled_duration']}
     crypto_key = {'name': key_name, 'destroy_scheduled_duration': {'seconds': 0}}
     request = {'crypto_key': crypto_key, 'update_mask': update_mask}
     
     # Send the request to the KMS API to update the KMS key
     response = client.update_crypto_key(request)
     

   • To rotate the keys to new ones, use the following Python code:

     # Replace [KEY_NAME] with the name of the KMS key that you want to rotate
     key_name = '[KEY_NAME]'
     
     # Create a request to rotate the KMS key
     rotation_period = {'seconds': 604800}  # Rotate the key every 7 days
     request = {'name': key_name, 'rotation_period': rotation_period}
     
     # Send the request to the KMS API to rotate the KMS key
     response = client.update_crypto_key(request)
     

   Note: Rotating the keys to new ones is a best practice to ensure the security of your data.