GCP IAM User Have Overly Permissive Cloud KMS Roles

This policy identifies IAM users who have overly permissive Cloud KMS roles. Built-in/Predefined IAM role Cloud KMS Admin allows the user to create, delete, and manage service accounts. Built-in/Predefined IAM role Cloud KMS CryptoKey Encrypter/Decrypter allows the user to encrypt and decrypt data at rest using the encryption keys. It is recommended to follow the principle of 'Separation of Duties' ensuring that one individual does not have all the necessary permissions to be able to complete a malicious action.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

GCP IAM user have overly permissive Cloud KMS roles.
JSON Query:
$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/cloudkms.admin' )].members any start with "user:" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/cloudkms.admin' )].members any start with "user:" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/cloudkms.admin' )].members any start with "user:" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/cloudkms.admin')].member startsWith "user:" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/cloudkms.admin')].members any start with "user:" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/cloudkms.admin' )].members any start with "user:"
Recommendation:
Recommended solution to ensure that GCP IAM User doesn't have overly permissive Cloud KMS roles.
Ensure that GCP IAM User doesn't have overly permissive Cloud KMS roles. Please make sure that in the template "members" doesn't start with "user:" when the "role" is "roles/cloudkms.admin".
For example:
"google_iam_policy": [ { "<iam_policy_name>": [ { "binding": [ { "members": ["admin:c@d.com"], "role": "roles/cloudkms.admin" } ] } ] }

Run Rule Recommendation

  1. Login to GCP Portal.
  2. Go to IAM & Admin (Left Panel).
  3. Select IAM.
  4. From the list of users, choose the reported IAM user.
  5. Click on Edit permissions pencil icon.
  6. For member having 'Cloud KMS Admin' and any of the 'Cloud KMS CryptoKey Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter', 'Cloud KMS CryptoKey Decrypter' or any CryptoKey roles granted/assigned, Click on the Delete Bin icon to remove the role from a member.

Compliance

There are 5 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • CIS v1.0.0 (GCP)
  • ISO 27001:2013
  • PIPEDA
  • CCPA 2018

Recommended For You