Severity framework: Snyk CCSS
Rule category: IAM / Access
- Snyk ID SNYK-CC-00467
- credit Snyk Research Team
Description
IAM users should not hold both the KMS admin role and any of the KMS encrypter/decrypter roles. A member with both could create a key and immediately use it to encrypt or decrypt data. Separation of duties ensures that no single individual has all the permissions needed to complete a malicious action.
How to fix?
Ensure no IAM member is bound to roles/cloudkms.admin together with any of roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, or roles/cloudkms.cryptoKeyDecrypter. Remove one side of the binding, or grant the two sides to different members.
Example Configuration
```hcl
# The same member holds roles/cloudkms.admin together with the
# encrypter/decrypter roles: this is the pattern the rule flags.
resource "google_project_iam_member" "kms_admin" {
  project = "test"
  role    = "roles/cloudkms.admin"
  member  = "user:user@test.com"
}

resource "google_project_iam_member" "encrypter_decrypter" {
  project = "test"
  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member  = "user:user@test.com"
}

resource "google_project_iam_member" "encrypter" {
  project = "test"
  role    = "roles/cloudkms.cryptoKeyEncrypter"
  member  = "user:user@test.com"
}

resource "google_project_iam_member" "decrypter" {
  project = "test"
  role    = "roles/cloudkms.cryptoKeyDecrypter"
  member  = "user:user@test.com"
}
```
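The check this rule describes can be reproduced outside Snyk with a small script that collects the KMS roles bound to each member in a project and flags any member that holds the admin role plus an encrypter/decrypter role. This is an added example, not Snyk's own rule engine; the regex parser only handles flat `google_project_iam_member` blocks with string attributes, and the embedded Terraform snippet is constructed for illustration.

```python
import re
from collections import defaultdict

KMS_ADMIN = "roles/cloudkms.admin"
KMS_CRYPTO_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}

# Minimal parser: assumes flat blocks with quoted string attributes only.
_RESOURCE_RE = re.compile(
    r'resource\s+"google_project_iam_member"\s+"[^"]+"\s*\{(.*?)\}', re.S)
_ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)


def parse_iam_members(hcl):
    """Return (project, role, member) tuples for each IAM member binding."""
    bindings = []
    for body in _RESOURCE_RE.findall(hcl):
        attrs = dict(_ATTR_RE.findall(body))
        if all(k in attrs for k in ("project", "role", "member")):
            bindings.append((attrs["project"], attrs["role"], attrs["member"]))
    return bindings


def find_sod_violations(bindings):
    """Map (project, member) -> sorted crypto roles for every member that
    holds KMS admin plus at least one encrypter/decrypter role."""
    roles = defaultdict(set)
    for project, role, member in bindings:
        roles[(project, member)].add(role)
    return {key: sorted(r & KMS_CRYPTO_ROLES)
            for key, r in roles.items()
            if KMS_ADMIN in r and r & KMS_CRYPTO_ROLES}


# Constructed sample: one member with both sides, two members with one side each.
SAMPLE_HCL = '''
resource "google_project_iam_member" "a" {
  project = "test"
  role    = "roles/cloudkms.admin"
  member  = "user:user@test.com"
}
resource "google_project_iam_member" "b" {
  project = "test"
  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member  = "user:user@test.com"
}
resource "google_project_iam_member" "c" {
  project = "test"
  role    = "roles/cloudkms.admin"
  member  = "user:alice@test.com"
}
resource "google_project_iam_member" "d" {
  project = "test"
  role    = "roles/cloudkms.cryptoKeyDecrypter"
  member  = "user:bob@test.com"
}
'''


def check(hcl=SAMPLE_HCL):
    """Parse the snippet and return the separation-of-duties violations."""
    return find_sod_violations(parse_iam_members(hcl))
```

Running `check()` on the sample flags only `user:user@test.com`; the admin-only and decrypter-only members pass because the two sides of the duty are split.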