How to resolve Sprinto check to ensure GCP KMS crypto keys are not anonymously or publicly accessible
About:
Sprinto check: Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
This Sprinto check verifies that no Cloud KMS (Key Management Service) cryptokeys on Google Cloud Platform (GCP) are anonymously or publicly accessible, i.e. that no key's IAM policy grants a role to allUsers or allAuthenticatedUsers.
Purpose:
The purpose of this check is to enforce strict access controls for Cloud KMS cryptokeys, which are used for encryption and decryption operations. Allowing anonymous or public access to cryptokeys can lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of encrypted data.
How to fix this check:
Follow the steps below to resolve the check:
Before you begin
Ensure you have administrator privileges on the GCP account where you want to make configuration changes.
Updating via GCP Cloud CLI
Log in to the GCP Console using your credentials.
Click on the Activate Cloud Shell option at the top.
List all Cloud KMS cryptokeys in the key ring.
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
Remove the IAM policy bindings that grant access to allUsers and allAuthenticatedUsers on the KMS key using the commands below. Run them once for every role that is bound to one of these members.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
Note: By default, Cloud KMS does not grant any access to allUsers or allAuthenticatedUsers; such a binding only exists if someone added it.
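The manual steps above require you to know which roles are bound to the public members. The following script is an added example, not part of this Sprinto article or of the gcloud tooling: it reads the JSON that `gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json` returns, finds every binding to allUsers or allAuthenticatedUsers, and builds the matching remove-iam-policy-binding commands. The policy document, key and key ring names, user and group, and etag are constructed sample values.

```python
import json
import shlex

# Principals that make a Cloud KMS key anonymously or publicly accessible.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of what `gcloud kms keys get-iam-policy --format=json`
# returns for one key; the members, roles and etag are made up for this example.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/cloudkms.viewer",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/cloudkms.admin",
     "members": ["group:kms-admins@example.com"]}
  ],
  "etag": "BwXYZexample=",
  "version": 1
}
""")


def find_public_bindings(policy):
    """Return (role, member) pairs that grant a role to allUsers or
    allAuthenticatedUsers, i.e. exactly what the Sprinto check flags."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def remediation_commands(key, keyring, location, policy):
    """Build one `gcloud kms keys remove-iam-policy-binding` invocation per
    public binding, so only the offending grants are removed and every
    other member of the key keeps its role."""
    cmds = []
    for role, member in find_public_bindings(policy):
        cmds.append(["gcloud", "kms", "keys", "remove-iam-policy-binding", key,
                     "--keyring=" + keyring, "--location=" + location,
                     "--member=" + member, "--role=" + role])
    return cmds


if __name__ == "__main__":
    # Print the commands for review; run them in Cloud Shell once confirmed.
    for cmd in remediation_commands("my-key", "my-keyring", "global", SAMPLE_POLICY):
        print(shlex.join(cmd))
```

Re-run the check after applying the commands; an empty result from find_public_bindings on the refreshed policy is the state Sprinto expects.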
Contact Sprinto support if you have any queries related to the check or need assistance.