KMS admin and CryptoKey roles in use
Id: 92e4464a-4139-4d57-8742-b5acc0347680
Cloud Provider: GCP
Platform: Terraform
Severity: Medium
Category: Access Control
Description
Assigning both the roles/cloudkms.admin and roles/cloudkms.cryptoKeyDecrypter IAM roles to the same member on a Google Cloud project grants that user full administrative control over Cloud KMS keys and the ability to decrypt data. This combination of permissions allows a single user to manage (create, destroy, and modify) cryptographic keys and decrypt sensitive information, greatly increasing the risk of unauthorized data access or key misuse. To minimize risk, ensure that these roles are assigned to separate members as shown below:
data "google_iam_policy" "secure_example" {
  binding {
    role    = "roles/cloudkms.admin"
    members = ["user:jane@example.com"]
  }
  binding {
    role    = "roles/cloudkms.cryptoKeyDecrypter"
    members = ["user:jane2@example.com"]
  }
}
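The check described above can be reproduced outside of Terraform tooling by collecting, per member, every role bound in a `google_iam_policy` data source and flagging any member that ends up holding both roles/cloudkms.admin and roles/cloudkms.cryptoKeyDecrypter. The script below is an added example, not code from Datadog or from the rule itself; its minimal regex-based parser is an assumption of this example and only understands the `binding { role = "..." members = [ ... ] }` shape shown on this page (role before members), not general HCL. The two sample policies are constructed from the page's compliant and non-compliant examples.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# The role pair this rule is about (taken from the rule description).
KMS_ADMIN = "roles/cloudkms.admin"
KMS_DECRYPTER = "roles/cloudkms.cryptoKeyDecrypter"

# Assumption of this example: a deliberately small matcher for the binding
# blocks as written on the page. It is not a full HCL parser.
BINDING_RE = re.compile(
    r'binding\s*\{\s*role\s*=\s*"([^"]+)"\s*members\s*=\s*\[([^\]]*)\]\s*\}',
    re.DOTALL,
)
MEMBER_RE = re.compile(r'"([^"]+)"')


def roles_by_member(hcl: str) -> Dict[str, Set[str]]:
    """Map each member to the set of roles bound to it across all binding blocks.

    Aggregating per member matters: the problem is not one binding but the
    union of roles a single principal holds in the whole policy.
    """
    roles: Dict[str, Set[str]] = defaultdict(set)
    for role, members_src in BINDING_RE.findall(hcl):
        for member in MEMBER_RE.findall(members_src):
            roles[member].add(role)
    return dict(roles)


def find_violations(hcl: str) -> List[str]:
    """Return members that hold both the KMS admin and decrypter roles."""
    return sorted(
        member
        for member, held in roles_by_member(hcl).items()
        if KMS_ADMIN in held and KMS_DECRYPTER in held
    )


# Constructed sample inputs, mirroring the page's two examples.
NON_COMPLIANT = '''
data "google_iam_policy" "positive1" {
  binding {
    role    = "roles/cloudkms.admin"
    members = ["user:jane@example.com"]
  }
  binding {
    role    = "roles/cloudkms.cryptoKeyDecrypter"
    members = ["user:jane@example.com"]
  }
}
'''

COMPLIANT = '''
data "google_iam_policy" "negative1" {
  binding {
    role    = "roles/cloudkms.admin"
    members = ["user:jane@example.com"]
  }
  binding {
    role    = "roles/cloudkms.cryptoKeyDecrypter"
    members = ["user:jane2@example.com"]
  }
}
'''

if __name__ == "__main__":
    for name, policy in (("positive1", NON_COMPLIANT), ("negative1", COMPLIANT)):
        bad = find_violations(policy)
        status = "FAIL" if bad else "PASS"
        print(f"{name}: {status} {bad}")
```

Running the script reports `positive1: FAIL ['user:jane@example.com']` and `negative1: PASS []`. Because roles are unioned per member before the check, a policy that grants the two roles in separate `binding` blocks to the same principal (as in the non-compliant example) is still caught, while the same principal named in unrelated roles is not.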
Compliant Code Examples
resource "google_project_iam_policy" "negative1" {
  project     = "your-project-id"
  policy_data = data.google_iam_policy.negative1.policy_data
}

data "google_iam_policy" "negative1" {
  binding {
    role = "roles/cloudkms.admin"
    members = [
      "user:jane@example.com",
    ]
  }
  binding {
    role = "roles/cloudkms.cryptoKeyDecrypter"
    members = [
      "user:jane2@example.com",
    ]
  }
}
Non-Compliant Code Examples
resource "google_project_iam_policy" "positive1" {
  project     = "your-project-id"
  policy_data = data.google_iam_policy.positive1.policy_data
}

data "google_iam_policy" "positive1" {
  binding {
    role = "roles/cloudkms.admin"
    members = [
      "user:jane@example.com",
    ]
  }
  binding {
    role = "roles/cloudkms.cryptoKeyDecrypter"
    members = [
      "user:jane@example.com",
    ]
  }
}