KMS keys should not be anonymously or publicly accessible
Description
The IAM policy on a Cloud KMS cryptokey should restrict anonymous and/or public access. Granting a role to allUsers or allAuthenticatedUsers allows anyone to use the key, which is not desirable if it protects sensitive data.
Remediation Steps
Google Cloud Console
You cannot restrict anonymous and/or public access for Cloud KMS cryptokeys via the console.
gcloud CLI
List all the Cloud KMS cryptokeys in a key ring:
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
Remove the IAM policy bindings that grant access to allUsers and allAuthenticatedUsers:
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
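The remove-iam-policy-binding command needs the exact role of each public grant, so in practice you inspect the key's policy first. The following added example (not part of the original page) works on the JSON that `gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json` prints: it lists every public grant, generates the matching remove commands, and builds a scrubbed policy for `gcloud kms keys set-iam-policy`. The policy and principal names are constructed sample data.

```python
import json

# Principals that make a key anonymously or publicly accessible.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in get-iam-policy --format=json shape; not a real key.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["allUsers", "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/cloudkms.admin", "members": ["group:kms-admins@example.com"]},
    ],
    "etag": "BwXyZ123",
    "version": 1,
})


def public_bindings(policy_json):
    """Return sorted (role, member) pairs that grant access to a public principal."""
    policy = json.loads(policy_json)
    return sorted((b["role"], m)
                  for b in policy.get("bindings", [])
                  for m in b.get("members", [])
                  if m in PUBLIC_MEMBERS)


def remediation_commands(key, keyring, location, policy_json):
    """One remove-iam-policy-binding command per public grant, role filled in from the policy."""
    return [f"gcloud kms keys remove-iam-policy-binding {key} --keyring={keyring} "
            f"--location={location} --member='{member}' --role='{role}'"
            for role, member in public_bindings(policy_json)]


def scrubbed_policy(policy_json):
    """Copy of the policy with public members dropped and emptied bindings removed.

    The etag is kept so set-iam-policy rejects the write if the policy changed meanwhile.
    """
    policy = json.loads(policy_json)
    kept = []
    for b in policy.get("bindings", []):
        members = [m for m in b.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            kept.append({**b, "members": members})
    policy["bindings"] = kept
    return policy
```

Loop the same functions over `gcloud kms keyrings list` and `gcloud kms keys list` output to audit every key in a project rather than one key at a time.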