# How to resolve Sprinto check to ensure GCP KMS crypto keys are not anonymously or publicly accessible

### About:

Sprinto check: Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible

This Sprinto check verifies that no Cloud KMS (Key Management Service) cryptokeys on Google Cloud Platform (GCP) are anonymously or publicly accessible.

### Purpose:

The purpose of this check is to enforce strict access controls for Cloud KMS cryptokeys, which are used for encryption and decryption operations. Allowing anonymous or public access to cryptokeys can lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of encrypted data.

### How to fix this check:

Follow the steps below to resolve the check:

#### Before you begin

* Ensure you have administrator privileges on the GCP account where you want to make configuration changes.

#### Updating via GCP Cloud CLI

1. Log in to the [GCP Console](https://www.google.com/aclk?sa=l\&ai=DChcSEwjYmd2CiZ6GAxUqLIMDHX1UAfkYABAAGgJzZg\&ase=2\&gclid=Cj0KCQjw6auyBhDzARIsALIo6v8a4FI-x12LRVjGWHNBGptmX3i0kbcLnB3kXrWgHKx90qrK11xvQAsaAtl_EALw_wcB\&sig=AOD64_3Gmzi8N63mvfFy-YhRTybtDlQKRw\&q\&nis=4\&adurl\&ved=2ahUKEwiQv9aCiZ6GAxWOxzgGHepdA6YQ0Qx6BAgGEAE) using your credentials.
2. Click on the Activate Cloud Shell option at the top.

   <figure><img src="https://s3.amazonaws.com/cdn.freshdesk.com/data/helpdesk/attachments/production/72098764847/original/2zDbCcjx6KS7OQHiOGRiZ0h6jfUrPznouQ.png?1716276939" alt=""><figcaption></figcaption></figure>
3. List all Cloud KMS Cryptokeys.

   ```
   gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
   ```
4. Remove the IAM policy bindings that grant access on a KMS key to allUsers and allAuthenticatedUsers using the commands below.

   ```
   gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
   ```

   ```
   gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
   ```
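Step 4 needs the exact `[role]` each public member holds, which the key listing in step 3 does not show. The following is an added example, not part of Sprinto's documentation: it reads the JSON printed by `gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json` and builds one removal command per public binding. The sample policy, key name and key ring name are constructed for illustration.

```python
import json
import shlex

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of `gcloud kms keys get-iam-policy ... --format=json` output.
SAMPLE_POLICY = """
{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["allUsers", "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["allAuthenticatedUsers", "allUsers"]},
    {"role": "roles/cloudkms.admin",
     "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
"""

def public_bindings(policy_json):
    """Return sorted (member, role) pairs that grant a role to a public member."""
    # A key with no bindings yields a policy without a "bindings" field.
    policy = json.loads(policy_json) if policy_json.strip() else {}
    found = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.add((member, binding["role"]))
    return sorted(found)

def removal_commands(policy_json, key, keyring, location="global"):
    """Build one remove-iam-policy-binding command per public (member, role) pair."""
    return [
        "gcloud kms keys remove-iam-policy-binding {} --keyring={} --location={} "
        "--member={} --role={}".format(
            shlex.quote(key), shlex.quote(keyring), shlex.quote(location),
            shlex.quote(member), shlex.quote(role))
        for member, role in public_bindings(policy_json)
    ]

if __name__ == "__main__":
    # Constructed key and key ring names; review the output before running it.
    for cmd in removal_commands(SAMPLE_POLICY, "example-key", "example-keyring"):
        print(cmd)
```

An empty result means the key has no public bindings and the check should pass for that key.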

Note: By default Cloud KMS does not allow access to **allUsers** or **allAuthenticatedUsers**.

Contact [Sprinto support](mailto:www.support@sprinto.com) if you have any queries related to the check or need assistance.

