More Info:

Ensure that a specific list of KMS CMKs are available for use in your AWS account in order to meet the security and compliance requirements of the organization.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Remediation

Using Console

To remediate the misconfiguration of checking for the existence of specific KMS CMKs in GCP using GCP console, follow these steps:

  1. Open the Google Cloud Console and select the project that you want to work on.

  2. In the navigation menu, select “Security” and then select “Security Health Analytics”.

  3. Under “Security Health Analytics”, select “Findings”.

  4. In the search bar, enter “KMS” and select “KMS Key Ring Has No Rotation Policy”.

  5. This will show you a list of all the KMS key rings that have no rotation policy.

  6. For each key ring that has no rotation policy, click on the key ring name to open it.

  7. In the key ring page, click on the “Edit” button.

  8. Under “Rotation Interval”, select the desired rotation interval from the drop-down menu.

  9. Click on “Save” to save the changes.

  10. Repeat steps 6-9 for all the key rings that have no rotation policy.

By following these steps, you will remediate the misconfiguration of checking for the existence of specific KMS CMKs in GCP using GCP console.

Using CLI

To remediate the misconfiguration of checking for the existence of specific KMS CMKs in GCP using GCP CLI, you can follow the below steps:

  1. Open the Google Cloud Shell or any terminal window where you have installed the GCP CLI and authenticate with your GCP account using the following command:

    gcloud auth login

  2. Check the list of all the available key rings in the project using the following command:

    gcloud kms keyrings list --location=global

  3. Identify the specific key ring that contains the CMKs that you want to check for existence.

  4. Check the list of all the available Crypto Keys in the identified key ring using the following command:

    gcloud kms keys list --location=global --keyring=<keyring-name>

    Replace <keyring-name> with the name of the identified key ring.

  5. Identify the specific CMK that you want to check for existence.

  6. Check the existence of the identified CMK using the following command:

    gcloud kms keys describe <key-name> --location=global --keyring=<keyring-name>

    Replace <key-name> with the name of the identified CMK and <keyring-name> with the name of the identified key ring.

  7. If the command returns an error message stating that the key does not exist, then the CMK does not exist. In this case, you can create the CMK using the following command:

    gcloud kms keys create <key-name> --location=global --keyring=<keyring-name> --purpose=<purpose>

    Replace <key-name> with the name of the CMK that you want to create, <keyring-name> with the name of the identified key ring, and <purpose> with the purpose of the CMK (e.g. encryption).

    Note: You need to have the necessary IAM permissions to create a new CMK.

  8. If the command returns the details of the CMK, then the CMK exists and no further action is required.

By following these steps, you can remediate the misconfiguration of checking for the existence of specific KMS CMKs in GCP using GCP CLI.

Using Python

To remediate the misconfiguration of checking for the existence of specific KMS CMKs in GCP using python, you can follow the below steps:

  1. Import the necessary modules:
from google.cloud import kms_v1
from google.oauth2 import service_account
  1. Set up the credentials for authentication:
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
  1. Create a client object for the Key Management Service:
client = kms_v1.KeyManagementServiceClient(credentials=credentials)
  1. Define the name of the keyring and the key to check for existence:
keyring_name = 'my-keyring'
key_name = 'my-key'
  1. Use the client object to check for the existence of the key:
parent = client.key_ring_path('<project_id>', '<location>', keyring_name)
key_full_name = client.crypto_key_path_path('<project_id>', '<location>', keyring_name, key_name)

try:
    client.get_crypto_key(key_full_name)
    print(f'Key {key_full_name} exists.')
except:
    print(f'Key {key_full_name} does not exist.')

  1. Replace <path_to_service_account_file>, <project_id>, <location>, <keyring_name>, and <key_name> with the appropriate values for your GCP environment.

  2. Run the script to check for the existence of the specified KMS CMKs, and remediate any that do not exist.