KMS Admin and CryptoKey Roles In Use

  • Query id: 92e4464a-4139-4d57-8742-b5acc0347680
  • Query name: KMS Admin and CryptoKey Roles In Use
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

A Google Project IAM Policy should not grant a KMS admin role (roles/cloudkms.admin) and a CryptoKey usage role (roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter or roles/cloudkms.cryptoKeyDecrypter) to the same member. The admin role manages keys and key rings (create, rotate, destroy, change their IAM bindings); the CryptoKey roles use keys to encrypt or decrypt data. One principal holding both can both control a key's lifecycle and read what it protects, which defeats the separation of duties the CIS Google Cloud Platform Foundation Benchmark asks for between KMS administration and KMS use. The query only inspects the bindings declared in the policy_data of this one policy: roles granted through google_project_iam_member or google_project_iam_binding resources elsewhere, at folder or organization level, or inherited through group membership are not considered, so a clean result here is evidence for the file, not proof for the project.
Documentation
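A way to run this check yourself, as an added example that is not part of the KICS query or of this page's samples: a small Python script that pulls the binding blocks out of a data "google_iam_policy" definition, groups roles per member, and reports any member that holds a KMS admin role together with a CryptoKey role. The regex-based binding extraction and the two role sets are assumptions made for this example (the role sets follow the CIS recommendation; the extractor only understands flat binding blocks like the ones on this page, not a nested condition block or arbitrary HCL), and the embedded HCL is the page's positive and negative samples with the same placeholder identities.

```python
import re
from collections import defaultdict

# Constructed inputs: the flagged and the accepted policy from this page.
POSITIVE_HCL = '''
data "google_iam_policy" "positive1" {
  binding {
    role = "roles/cloudkms.admin"

    members = [
      "user:jane@example.com",
    ]
  }

  binding {
    role = "roles/cloudkms.cryptoKeyDecrypter"

    members = [
      "user:jane@example.com",
    ]
  }
}
'''

NEGATIVE_HCL = POSITIVE_HCL.replace(
    'role = "roles/cloudkms.cryptoKeyDecrypter"\n\n    members = [\n      "user:jane@example.com"',
    'role = "roles/cloudkms.cryptoKeyDecrypter"\n\n    members = [\n      "user:jane2@example.com"',
)

# Assumption: the role sets the check cares about (CIS separation-of-duties
# recommendation for KMS). Extend them if your policy treats more roles as sensitive.
KMS_ADMIN_ROLES = {"roles/cloudkms.admin"}
CRYPTOKEY_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}

# Hypothetical helper: a deliberately minimal extractor for flat `binding { ... }`
# blocks. A binding that contains a nested `condition { }` block would end the
# match early; use a real HCL parser for anything beyond this page's samples.
BINDING_RE = re.compile(r'binding\s*\{(.*?)\}', re.S)
ROLE_RE = re.compile(r'role\s*=\s*"([^"]+)"')
MEMBERS_RE = re.compile(r'members\s*=\s*\[(.*?)\]', re.S)
MEMBER_RE = re.compile(r'"([^"]+)"')


def roles_by_member(hcl: str) -> dict:
    """Map each member to the set of roles bound to it anywhere in the HCL text."""
    out = defaultdict(set)
    for body in BINDING_RE.findall(hcl):
        role = ROLE_RE.search(body)
        members = MEMBERS_RE.search(body)
        if not role or not members:
            continue  # malformed or unsupported binding: skip rather than guess
        for member in MEMBER_RE.findall(members.group(1)):
            out[member].add(role.group(1))
    return dict(out)


def find_kms_sod_violations(hcl: str) -> list:
    """Return [(member, sorted_roles)] for every member holding both role kinds."""
    violations = []
    for member, roles in sorted(roles_by_member(hcl).items()):
        admin = roles & KMS_ADMIN_ROLES
        crypto = roles & CRYPTOKEY_ROLES
        if admin and crypto:
            violations.append((member, sorted(admin | crypto)))
    return violations


if __name__ == "__main__":
    for label, hcl in (("positive1", POSITIVE_HCL), ("negative1", NEGATIVE_HCL)):
        found = find_kms_sod_violations(hcl)
        verdict = "FAIL" if found else "PASS"
        print(f"{label}: {verdict} {found}")
```

The check is per member string, so "user:jane@example.com" and a group that contains Jane are two different principals to it; that is also how the query behaves, which is why group-based grants need a separate review.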

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_project_iam_policy" "positive1" {
  project     = "your-project-id"
  policy_data = data.google_iam_policy.positive1.policy_data
}

data "google_iam_policy" "positive1" {
  binding {
    role = "roles/cloudkms.admin"

    members = [
      "user:jane@example.com",
    ]
  }

  binding {
    role = "roles/cloudkms.cryptoKeyDecrypter"

    members = [
      "user:jane@example.com",
    ]
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_project_iam_policy" "negative1" {
  project     = "your-project-id"
  policy_data = data.google_iam_policy.negative1.policy_data
}

data "google_iam_policy" "negative1" {
  binding {
    role = "roles/cloudkms.admin"

    members = [
      "user:jane@example.com",
    ]
  }

  binding {
    role = "roles/cloudkms.cryptoKeyDecrypter"

    members = [
      "user:jane2@example.com",
    ]
  }
}