- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
It is recommended that the principle of ‘Separation of Duties’ is enforced while assigning KMS related roles to users.
The built-in/predefined IAM role Cloud KMS Admin
allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter/Decrypter
allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter
allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Decrypter
allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
No user(s) should have Cloud KMS Admin
and any of the Cloud KMS CryptoKey Encrypter/Decrypter
, Cloud KMS CryptoKey Encrypter
, Cloud KMS CryptoKey Decrypter
roles assigned at the same time.
Removed roles should be assigned to another user based on business needs.
Users granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to Cloud KMS Admin
and Cloud KMS CryptoKey Encrypter/Decrypter
. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.
Cloud KMS Admin
and any of the Cloud KMS CryptoKey Encrypter/Decrypter
, Cloud KMS CryptoKey Encrypter
, Cloud KMS CryptoKey Decrypter
roles granted/assigned, click the Delete Bin icon to remove the role from the member.