KMS keys should not be anonymously or publicly accessible

Description

IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access. Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the cryptokey, which is not desirable if sensitive data is stored at the location.

Remediation Steps

Google Cloud Console

You cannot restrict anonymous and/or public access for Cloud KMS cryptokeys via the console.

gcloud CLI

  • List all the Cloud KMS cryptokeys:

    gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'

  • Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers:

    gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
    gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
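
An added example, not part of the original page or of Google's tooling: a Python helper that reads a key's IAM policy (the JSON printed by `gcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=[location] --format=json`) and emits one remove-iam-policy-binding command per public member, so the [role] placeholder is filled from the policy itself. It goes beyond the steps above by taking the location from the key's resource name instead of assuming global; the project, key ring, key and service account names in the sample are constructed.

```python
import json
import re
import shlex

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Full resource name, as printed by `gcloud kms keys list ... | jq '.[].name'`.
KEY_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<keyring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

def find_public_bindings(policy):
    """Return sorted, de-duplicated (role, member) pairs granted to public principals."""
    hits = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.add((binding["role"], member))
    return sorted(hits)

def remediation_commands(key_resource_name, policy):
    """Build one remove-iam-policy-binding command per public (role, member) pair."""
    m = KEY_NAME_RE.match(key_resource_name)
    if m is None:
        raise ValueError("not a cryptoKey resource name: %r" % key_resource_name)
    return [
        " ".join([
            "gcloud kms keys remove-iam-policy-binding", shlex.quote(m["key"]),
            "--keyring=" + shlex.quote(m["keyring"]),
            "--location=" + shlex.quote(m["location"]),
            "--member=" + shlex.quote(member),
            "--role=" + shlex.quote(role),
        ])
        for role, member in find_public_bindings(policy)
    ]

# Constructed sample input (not taken from a real project).
SAMPLE_KEY = "projects/example-project/locations/us-east1/keyRings/app-ring/cryptoKeys/db-key"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
   "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com", "allUsers"]},
  {"role": "roles/cloudkms.viewer", "members": ["allAuthenticatedUsers"]},
  {"role": "roles/cloudkms.admin", "members": ["user:admin@example.com"]}
], "version": 1}
""")

if __name__ == "__main__":
    for command in remediation_commands(SAMPLE_KEY, SAMPLE_POLICY):
        print(command)
```

Review the printed commands before running them; bindings for named users and service accounts are left untouched.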