KMS Key Should Have Unique Key In An App-Tier
More Info:
Ensure that there is a KMS Key in the App-tier in order to protect the data that is transmitted from the application stack.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Remediation
Using Console
To remediate the misconfiguration “KMS Key Should Have Unique Key In An App-Tier” for GCP using GCP console, follow the below steps:
- Login to your GCP console.
- Go to the Cloud KMS page.
- Click on the Key Rings in the left-hand menu.
- Select the key ring in which the misconfigured key is present.
- Select the key that has the misconfiguration.
- Click on the “Edit” button at the top of the page.
- In the “Key rotation” section, enable the “Automatic key rotation” option.
- In the “Labels” section, add a label with a unique key that identifies the key as being used in the app-tier.
- Click on the “Save” button to save the changes.
By following the above steps, you have now remediated the misconfiguration “KMS Key Should Have Unique Key In An App-Tier” for GCP using GCP console.
Using CLI
To remediate this misconfiguration in GCP using GCP CLI, you can follow the below steps:
-
Open the Cloud Shell in the GCP console.
-
Set the project where the KMS key exists as the default project using the following command:
gcloud config set project [PROJECT_ID] -
Get the list of all the KMS keys in the project using the following command:
gcloud kms keys list -
Identify the KMS key that is used in the app-tier and note down its name.
-
Get the details of the KMS key using the following command:
gcloud kms keys describe [KEY_NAME] -
Check if the key is unique by verifying that it is not used in any other app-tier in the project.
-
If the key is not unique, create a new KMS key using the following command:
gcloud kms keys create [NEW_KEY_NAME] --location [LOCATION] --keyring [KEYRING_NAME] --purpose encryptionReplace [NEW_KEY_NAME] with a unique name for the new KMS key, [LOCATION] with the location where you want to create the key, and [KEYRING_NAME] with the name of the keyring where you want to create the key.
-
Update the app-tier to use the new KMS key.
-
Delete the old KMS key using the following command:
gcloud kms keys delete [KEY_NAME]Replace [KEY_NAME] with the name of the old KMS key that you want to delete.
-
Verify that the misconfiguration has been remediated by checking that the KMS key used in the app-tier is unique and not used in any other app-tier in the project.
Using Python
To remediate the misconfiguration “KMS Key Should Have Unique Key In An App-Tier” for GCP using Python, you can follow these steps:
-
Identify the KMS key that is being used by the App-Tier in GCP.
-
Check if the KMS key is unique and not being used by any other application or service in GCP.
-
If the KMS key is not unique, create a new KMS key for the App-Tier.
-
Update the App-Tier to use the new KMS key.
Here’s the Python code to remediate the misconfiguration:
from google.cloud import kms_v1
# Set the name of the KMS key being used by the App-Tier
key_name = 'projects/<PROJECT_ID>/locations/<LOCATION>/keyRings/<KEYRING_NAME>/cryptoKeys/<KEY_NAME>'
# Create a KMS client
client = kms_v1.KeyManagementServiceClient()
# Check if the KMS key is unique
response = client.list_key_rings(parent='projects/<PROJECT_ID>/locations/<LOCATION>')
for key_ring in response:
for crypto_key in key_ring.crypto_keys:
if crypto_key.name == key_name:
print('KMS key is not unique.')
# Create a new KMS key for the App-Tier
new_key_name = 'projects/<PROJECT_ID>/locations/<LOCATION>/keyRings/<KEYRING_NAME>/cryptoKeys/new_key'
new_key = client.create_crypto_key(parent='projects/<PROJECT_ID>/locations/<LOCATION>/keyRings/<KEYRING_NAME>', crypto_key_id='new_key', purpose=kms_v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT)
# Update the App-Tier to use the new KMS key
# ...
break
else:
continue
break
else:
print('KMS key is unique.')
Note: Replace <PROJECT_ID>, <LOCATION>, <KEYRING_NAME>, <KEY_NAME> with the appropriate values for your GCP project and KMS key.