
Metadata

Id: terraform-gcp-cloud-kms-key-rings-are-public

Cloud Provider: GCP

Platform: Terraform

Severity: High

Category: Encryption

Description

Cloud KMS Key Rings store and manage the cryptographic keys used to encrypt data in Google Cloud. Making a key ring publicly accessible is a severe risk: it can lead to unauthorized access to the sensitive data those keys protect. When an IAM policy on a key ring grants a role to allUsers or allAuthenticatedUsers, anyone on the internet (allUsers) or any authenticated Google account (allAuthenticatedUsers) can access and potentially use the keys. To secure a key ring, grant roles only to specific identities (such as user:someone@example.com), never to public principals. For example, use member = "user:someone@example.com" instead of member = "allUsers", and do not include a public principal in a list such as members = ["allAuthenticatedUsers", "user:someone@example.com"].

Compliant Code Examples

# IAM Binding compliant
resource "google_kms_key_ring_iam_binding" "good_example_binding" {
  key_ring_id = "example-key-ring"
  members     = ["user:someone@example.com", "group:admins@example.com"] # ✅ No public principals
  role        = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}
# IAM Member compliant
resource "google_kms_key_ring_iam_member" "good_example_member" {
  key_ring_id = "example-key-ring"
  member      = "user:someone@example.com" # ✅ Non-public principal
  role        = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}

Non-Compliant Code Examples

# IAM Member violation
resource "google_kms_key_ring_iam_member" "bad_example_member" {
  key_ring_id = "example-key-ring"
  member      = "allUsers" # ❌ Public principal
  role        = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}

# IAM Binding violation
resource "google_kms_key_ring_iam_binding" "bad_example_binding" {
  key_ring_id = "example-key-ring"
  members     = ["allAuthenticatedUsers", "user:someone@example.com"] # ❌ Contains public principal
  role        = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}
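As an added illustration of the check this rule performs (example code, not Datadog's rule engine), the following Python scanner reads Terraform HCL, picks out google_kms_key_ring_iam_binding and google_kms_key_ring_iam_member resources, and reports any grant to allUsers or allAuthenticatedUsers. The regex-based HCL parsing is a simplifying assumption that holds for flat IAM resources like the ones on this page; the sample input is constructed from the examples above.

```python
import re

# Principals that expose a key ring to the whole internet or to every Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
KMS_IAM_TYPES = ("google_kms_key_ring_iam_binding", "google_kms_key_ring_iam_member")

# One top-level resource block. Assumes no nested braces in the body (true for the
# flat IAM resources this rule inspects); this is a hypothetical parser, not a full HCL one.
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}', re.S)
MEMBER_RE = re.compile(r'^\s*member\s*=\s*"([^"]*)"', re.M)       # iam_member: member = "..."
MEMBERS_RE = re.compile(r'^\s*members\s*=\s*\[([^\]]*)\]', re.M)  # iam_binding: members = [...]

def principals_of(body: str) -> list[str]:
    """Every principal granted by a block's member or members attribute."""
    found = MEMBER_RE.findall(body)
    for group in MEMBERS_RE.findall(body):
        found.extend(re.findall(r'"([^"]*)"', group))
    return found

def find_public_key_ring_grants(hcl: str) -> list[tuple[str, str, str]]:
    """Return (resource_type, resource_name, principal) for each public grant found."""
    findings = []
    for m in BLOCK_RE.finditer(hcl):
        if m.group("type") not in KMS_IAM_TYPES:
            continue  # other resource types are out of scope for this rule
        for principal in principals_of(m.group("body")):
            if principal in PUBLIC_PRINCIPALS:
                findings.append((m.group("type"), m.group("name"), principal))
    return findings

# Constructed sample: one compliant binding plus the two violations shown on this page.
SAMPLE_HCL = '''
resource "google_kms_key_ring_iam_binding" "good_example_binding" {
  key_ring_id = "example-key-ring"
  members     = ["user:someone@example.com", "group:admins@example.com"]
}
resource "google_kms_key_ring_iam_member" "bad_example_member" {
  key_ring_id = "example-key-ring"
  member      = "allUsers"
}
resource "google_kms_key_ring_iam_binding" "bad_example_binding" {
  key_ring_id = "example-key-ring"
  members     = ["allAuthenticatedUsers", "user:someone@example.com"]
}
'''

if __name__ == "__main__":
    for rtype, name, principal in find_public_key_ring_grants(SAMPLE_HCL):
        print(f"{rtype}.{name}: public principal {principal}")
```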