KMS Key Should Have Unique Key In Web Tier

​

More Info:

Ensure that there is a KMS Key in the Web-tier in order to protect the data that transits the web stack.

​

Risk Level

Medium

​

Address

Security

​

Compliance Standards

CBP

​

Remediation

​

Using Console

To remediate the misconfiguration “KMS Key Should Have Unique Key In Web Tier” for GCP using GCP console, follow the steps below:

1. Log in to the GCP console using your credentials.
2. Navigate to the Cloud Key Management Service (KMS) page.
3. Select the key that is being used in the web tier.
4. Click on the “Edit” button.
5. In the “Edit Key” panel, scroll down to the “Key Usage” section.
6. Under “Key Usage”, select “Asymmetric Sign/Verify” as the key usage.
7. Click on the “Save” button to save the changes.

This will remediate the misconfiguration by ensuring that the KMS key being used in the web tier has a unique key usage of “Asymmetric Sign/Verify”. This will help to ensure that the key is being used for its intended purpose and is not being used for other purposes that could compromise its security.

​

Using CLI

To remediate the misconfiguration “KMS Key Should Have Unique Key In Web Tier” for GCP, you can follow the below steps using GCP CLI:

1. Open the Cloud Shell in the GCP Console.

2. Run the following command to list all the KMS keys:

   gcloud kms keys list
   

3. Identify the KMS key that is being used in the web tier.

4. Run the following command to generate a new unique key for the KMS key:

   gcloud kms keys add-iam-policy-binding [KEY_NAME] --location [LOCATION] --keyring [KEYRING_NAME] --member serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/cloudkms.cryptoKeyEncrypterDecrypter
   

   Replace the following values in the above command:

   • [KEY_NAME] with the name of the KMS key that is being used in the web tier.

   • [LOCATION] with the location of the KMS key.

   • [KEYRING_NAME] with the name of the keyring that contains the KMS key.

   • [SERVICE_ACCOUNT_EMAIL] with the email address of the service account that needs access to the KMS key.

5. Run the following command to remove the existing key from the web tier:

   gcloud compute instances add-metadata [INSTANCE_NAME] --metadata [KEY_NAME]=no-longer-used
   

   Replace [INSTANCE_NAME] with the name of the instance running the web tier, and [KEY_NAME] with the name of the KMS key being used in the web tier.

6. Run the following command to add the new key to the web tier:

   gcloud compute instances add-metadata [INSTANCE_NAME] --metadata [KEY_NAME]=[NEW_KEY_NAME]
   

   Replace [INSTANCE_NAME] with the name of the instance running the web tier, [KEY_NAME] with the name of the KMS key being used in the web tier, and [NEW_KEY_NAME] with the name of the new key generated in step 4.

7. Verify that the new key is being used in the web tier by checking the application logs or testing the application.

By following these steps, you can remediate the misconfiguration “KMS Key Should Have Unique Key In Web Tier” for GCP using GCP CLI.

​

Using Python

To remediate the KMS Key Should Have Unique Key misconfiguration in GCP using Python, you can follow the below steps:

1. First, you need to install the Google Cloud KMS Python library. You can install it using the following command:

   pip install google-cloud-kms
   

2. Next, you need to create a new KMS key ring and a new KMS key in your GCP project. You can use the following code to create a new key ring and key:

   from google.cloud import kms_v1
   
   # Create a KMS client
   client = kms_v1.KeyManagementServiceClient()
   
   # Set the project ID and location
   project_id = 'your-project-id'
   location = 'global'
   
   # Set the key ring name and key name
   key_ring_name = 'your-key-ring-name'
   key_name = 'your-key-name'
   
   # Create the key ring
   parent = client.location_path(project_id, location)
   key_ring = client.create_key_ring(parent, key_ring_name, {})
   
   # Create the key
   key = client.create_crypto_key(key_ring.name, key_name, kms_v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, {})
   

   Note: Replace your-project-id, your-key-ring-name, and your-key-name with your own values.

3. Once you have created the new KMS key, you need to update your web tier to use this key instead of any existing keys. You can use the following code to update your web tier:

   from google.cloud import compute_v1
   
   # Create a Compute Engine client
   client = compute_v1.InstancesClient()
   
   # Set the project ID and zone
   project_id = 'your-project-id'
   zone = 'your-zone'
   
   # Set the instance name and network interface name
   instance_name = 'your-instance-name'
   network_interface_name = 'your-network-interface-name'
   
   # Get the instance
   instance = client.get(project_id, zone, instance_name)
   
   # Get the network interface
   network_interface = next(n for n in instance.network_interfaces if n.name == network_interface_name)
   
   # Get the metadata
   metadata = network_interface.metadata
   
   # Update the KMS key in the metadata
   metadata['kms-key'] = 'projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location, key_ring_name, key_name)
   
   # Update the instance with the new metadata
   client.update(project_id, zone, instance_name, {'metadata': metadata})
   

   Note: Replace your-project-id, your-zone, your-instance-name, your-network-interface-name, location, your-key-ring-name, and your-key-name with your own values.

4. Finally, you need to verify that the KMS key is being used correctly by your web tier. You can do this by testing your web tier with some sample data and verifying that the data is encrypted and decrypted correctly using the new KMS key.

By following these steps, you can remediate the KMS Key Should Have Unique Key misconfiguration in GCP using Python.