KMS Admin and CryptoKey Roles In Use
- Query id: 92e4464a-4139-4d57-8742-b5acc0347680
- Query name: KMS Admin and CryptoKey Roles In Use
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - tf file
resource "google_project_iam_policy" "positive1" {
project = "your-project-id"
policy_data = data.google_iam_policy.positive1.policy_data
}
data "google_iam_policy" "positive1" {
binding {
role = "roles/cloudkms.admin"
members = [
"user:jane@example.com",
]
}
binding {
role = "roles/cloudkms.cryptoKeyDecrypter"
members = [
"user:jane@example.com",
]
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "google_project_iam_policy" "negative1" {
project = "your-project-id"
policy_data = data.google_iam_policy.negative1.policy_data
}
data "google_iam_policy" "negative1" {
binding {
role = "roles/cloudkms.admin"
members = [
"user:jane@example.com",
]
}
binding {
role = "roles/cloudkms.cryptoKeyDecrypter"
members = [
"user:jane2@example.com",
]
}
}