CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00467
- creditSnyk Research Team
Description
IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles. No user should have both KMS admin and encrypter/decrypter roles because they could create a key then immediately use it to encrypt/decrypt data. Separation of duties ensures that no one individual has all necessary permissions to complete a malicious action.
How to fix?
IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles.
Example Configuration
resource "google_project_iam_member" "kms_admin" {
project = "test"
role = "roles/cloudkms.admin"
member = "user:user@test.com"
}
resource "google_project_iam_member" "encrypter_decrypter" {
project = "test"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "user:user@test.com"
}
resource "google_project_iam_member" "encrypter" {
project = "test"
role = "roles/cloudkms.cryptoKeyEncrypter"
member = "user:user@test.com"
}
resource "google_project_iam_member" "decrypter" {
project = "test"
role = "roles/cloudkms.cryptoKeyDecrypter"
member = "user:user@test.com"
}