IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles. Affecting IAM service in Google


Severity: medium
Severity Framework: Snyk CCSS
Rule category: IAM / Access

  • Snyk ID SNYK-CC-00467
  • Credit: Snyk Research Team

Description

IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles. A user holding both could create a key and then immediately use it to encrypt or decrypt data. Separation of duties ensures that no single individual has all the permissions needed to complete a malicious action on their own.

How to fix?

Do not grant the same IAM member both roles/cloudkms.admin and any of roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter or roles/cloudkms.cryptoKeyDecrypter. Assign key administration and key use to separate principals.

Example Configuration

# One member (user:user@test.com) holds cloudkms.admin together with all three
# encrypter/decrypter roles: this is the combination the rule flags.
resource "google_project_iam_member" "kms_admin" {
  project = "test"
  role    = "roles/cloudkms.admin"
  member  = "user:user@test.com"
}

resource "google_project_iam_member" "encrypter_decrypter" {
  project = "test"
  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member  = "user:user@test.com"
}

resource "google_project_iam_member" "encrypter" {
  project = "test"
  role    = "roles/cloudkms.cryptoKeyEncrypter"
  member  = "user:user@test.com"
}

resource "google_project_iam_member" "decrypter" {
  project = "test"
  role    = "roles/cloudkms.cryptoKeyDecrypter"
  member  = "user:user@test.com"
}
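As an added example that is not part of the Snyk page, the Python check below extracts google_project_iam_member bindings from Terraform written in the form shown above and reports any member that holds roles/cloudkms.admin together with an encrypter/decrypter role. The remediated sample assumes a hypothetical separate admin account, user:kms-admin@test.com.

```python
"""Separation-of-duties check for Cloud KMS IAM bindings declared in Terraform."""
import re
from collections import defaultdict

KMS_ADMIN_ROLE = "roles/cloudkms.admin"
KMS_CRYPTO_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}

# Minimal matcher for the literal `role = "..."` / `member = "..."` form used above (not full HCL).
_BLOCK_RE = re.compile(r'resource\s+"google_project_iam_member"\s+"[^"]+"\s*\{([^}]*)\}')
_ATTR_RE = re.compile(r'^\s*(role|member)\s*=\s*"([^"]*)"', re.M)


def parse_member_bindings(hcl):
    """Return (role, member) pairs, one per google_project_iam_member block."""
    bindings = []
    for body in _BLOCK_RE.findall(hcl):
        attrs = dict(_ATTR_RE.findall(body))
        if "role" in attrs and "member" in attrs:
            bindings.append((attrs["role"], attrs["member"]))
    return bindings


def find_sod_violations(bindings):
    """Map each member holding KMS admin plus any encrypter/decrypter role to its roles."""
    roles_by_member = defaultdict(set)
    for role, member in bindings:
        roles_by_member[member].add(role)
    return {
        member: sorted(roles)
        for member, roles in roles_by_member.items()
        if KMS_ADMIN_ROLE in roles and roles & KMS_CRYPTO_ROLES
    }


# Constructed sample: two of the bindings from the example configuration above.
FLAGGED_HCL = '''
resource "google_project_iam_member" "kms_admin" {
  role    = "roles/cloudkms.admin"
  member  = "user:user@test.com"
}
resource "google_project_iam_member" "encrypter_decrypter" {
  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member  = "user:user@test.com"
}
'''
# Constructed remediation: key administration moves to a separate (hypothetical) principal,
# so no single member can both create a key and use it.
SEPARATED_HCL = FLAGGED_HCL.replace("user:user@test.com", "user:kms-admin@test.com", 1)
```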