How to resolve Sprinto check to ensure GCP KMS crypto keys are not anonymously or publicly accessible

About:

Sprinto check: Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible

The above-mentioned Sprinto check in Sprinto verifies that no Cloud KMS (Key Management Service) cryptokeys on Google Cloud Platform (GCP) are anonymously or publicly accessible.

Purpose:

The purpose of this check is to enforce strict access controls for Cloud KMS cryptokeys, which are used for encryption and decryption operations. Allowing anonymous or public access to cryptokeys can lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of encrypted data.

How to fix this check:

Follow the below steps to resolve the check:

Before you begin

• Ensure you have administrator privileges on the GCP account where you want to make configuration changes.

Updating via GCP Cloud CLI

1. Log in to the GCP Console using your credentials.

2. Click on the Activate Cloud Shell option at the top.

   
3. List all Cloud KMS Cryptokeys.

   Copy

   gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

4. Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers using the below command.

   Copy

   gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' –

   Copy

   role='[role]' gcloud kms keys remove-iam-policy-binding [key_name] -- keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'

Note: By default Cloud KMS does not allow access to allUsers or allAuthenticatedUsers.

Contact Sprinto support if you have any queries related to the check or need assistance.