Publicly Accessible Google Cloud KMS Keys
ID: gcloud-kms-public-access
Severity: high
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,google-kms,gcp-cloud-config
Description
Section titled “Description”Ensure that the IAM policy associated with your Google Cloud Key Management Service (KMS) keys restricts anonymous and/or public access. The KMS cryptographic keys are controlled by Cloud IAM policies, which should not include bindings for “allUsers” and “allAuthenticatedUsers” to prevent public internet access.
YAML Source
Section titled “YAML Source”id: gcloud-kms-public-access
info: name: Publicly Accessible Google Cloud KMS Keys author: princechaddha severity: high description: | Ensure that the IAM policy associated with your Google Cloud Key Management Service (KMS) keys restricts anonymous and/or public access. The KMS cryptographic keys are controlled by Cloud IAM policies, which should not include bindings for "allUsers" and "allAuthenticatedUsers" to prevent public internet access. impact: | If a KMS key is accessible to "allUsers" or "allAuthenticatedUsers", it means any internet user can access this cryptographic resource, potentially leading to unauthorized data access or manipulation. remediation: | Update the IAM policy for your KMS keys by removing any bindings that include "allUsers" or "allAuthenticatedUsers" to restrict access to authenticated and authorized users only. reference: - https://cloud.google.com/kms/docs/restricting-access tags: cloud,devops,gcp,gcloud,google-kms,gcp-cloud-config
flow: | code(1) for(let keyRing of iterate(template.keyRings)){ set("keyRing", keyRing) code(2) for(let key of iterate(template.keys)){ set("keyName", key) code(3) } }
self-contained: true
code: - engine: - sh - bash source: | gcloud kms keyrings list --location=global --format="json(name)"
extractors: - type: json name: keyRings internal: true json: - '.[].name'
- engine: - sh - bash source: | gcloud kms keys list --keyring=$keyRing --location=global --format="json(name)"
extractors: - type: json name: keys internal: true json: - '.[].name'
- engine: - sh - bash source: | gcloud kms keys get-iam-policy $keyName --keyring=$keyRing --location=global --format="json"
matchers: - type: word words: - "allUsers" - "allAuthenticatedUsers" condition: or
extractors: - type: dsl dsl: - '"Public Access found in KMS Key: " + keyName + ", KeyRing: " + keyRing + ", Location: Global"'# digest: 4a0a0047304502200402be881c65a286a9279a473cd5998ed03b59d7bc7b293fbcc7f066d97086a2022100890f44b29b1aa33d0c86d0403639c36d6da4fb6aa427a2fe9f26af3e6f42ef34:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/kms/gcloud-kms-public-access.yaml"