Google Cloud Platform Security Checklist : Part 2/7 — Key Management Service (KMS)

Hassene BELGACEM
Google Cloud - Community
May 3, 2023
Key Management Service Security

Welcome to the second article in our series on Google Cloud Platform (GCP) security best practices. As a Cloud Architect, I have developed a comprehensive set of guidelines to help you safeguard your GCP environments effectively. In this article, we will delve into the Key Management Service (KMS), a vital component of GCP security.

But first let’s start with the fundamentals.

Definition

Identity and Access Management (IAM) in Google Cloud Platform (GCP) is a service that helps you manage access control by defining who (identity) has what access (role) to which resources within your GCP projects. With IAM, you can ensure that only authorized users, groups, and service accounts have access to specific resources and services, thus improving the security and governance of your cloud infrastructure.

Best Practices Checklist

1. Enable key rotation

Periodically rotate your encryption keys to minimize the risk associated with compromised keys. Set an automatic rotation schedule in KMS to handle this process consistently and help ensure that old keys are no longer used.

Detection Policy: Here’s a Cloud Custodian rule to identify keys without a specified rotation date:

policies:
  - name: detect-kms-key-no-rotation
    resource: gcp.kms-cryptokey
    filters:
      # The Cloud KMS API omits nextRotationTime entirely when no rotation
      # schedule has been configured, so a null match means "no rotation".
      # (Cloud Custodian's "value: absent" is the equivalent idiom.)
      - type: value
        key: nextRotationTime
        op: eq
        value: null

2. Implement least privilege access

Grant minimal necessary permissions to users and service accounts for managing and using KMS keys. Use IAM roles and policies to restrict access, and apply the principle of least privilege to minimize potential risks.

Detection Policy: Here’s a Cloud Custodian rule to identify keys whose IAM policy grants a basic role (Owner or Editor) or public access (allUsers or allAuthenticatedUsers).

policies:
  - name: detect-kms-excessive-permissions
    resource: gcp.kms-cryptokey
    filters:
      # Roles and principals live in different fields of an IAM policy
      # (bindings[*].role vs. bindings[*].members), so they are matched
      # separately and the key is flagged if either condition holds.
      # Note: getIamPolicy returns only bindings set directly on the key;
      # Owner/Editor inherited from the project will not appear here.
      - or:
        - type: iam-policy
          doc:
            key: "bindings[*].role"
            op: intersect
            value: ["roles/editor", "roles/owner"]
        - type: iam-policy
          doc:
            key: "bindings[*].members[]"
            op: intersect
            value: ["allUsers", "allAuthenticatedUsers"]

3. Monitor and audit key usage

It’s important to monitor and audit KMS key usage and access patterns using Audit logs. Set up alerts for any suspicious activity or policy violations to proactively address potential threats.

Detection Policy: Here’s a Cloud Custodian rule to detect key destruction and notify (in Cloud KMS, key material is removed by destroying a key version rather than by deleting the key itself).

policies:
  - name: gcp-kms-cryptokey-audit-destruction
    # The audited event is a CryptoKeyVersion being scheduled for
    # destruction, so the policy is bound to the key-version resource.
    resource: gcp.kms-cryptokey-version
    mode:
      type: gcp-audit
      # Cloud KMS has no DeleteCryptoKey method; removing key material is
      # logged as DestroyCryptoKeyVersion in the Admin Activity audit log.
      methods:
        - DestroyCryptoKeyVersion
    actions:
      - type: notify
        to:
          - email@email
        format: json
        transport:
          type: pubsub
          topic: projects/my-gcp-project/topics/my-topic
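The same detection expressed without Cloud Custodian, as an added example that is not part of the original article: a small Python scanner over Cloud Audit Log entries that flags the KMS Admin Activity methods a security team would want to alert on. The log lines and the project, key and principal names are constructed for this example and only mimic the shape of real LogEntry records.

```python
"""Offline detector for the Cloud KMS audit events behind item 3.

Added example: this is not code from the article or from Cloud Custodian.
It scans Cloud Audit Log entries and flags the Admin Activity methods that
remove key material or change who may use a key. The log lines below are
constructed for this example and only mimic the shape of real LogEntry
records (protoPayload.serviceName / methodName / resourceName /
authenticationInfo.principalEmail).
"""
import json

# Methods worth an alert. Cloud KMS never deletes a CryptoKey; key material
# goes away when a version is destroyed, hence DestroyCryptoKeyVersion.
WATCHED_METHODS = {
    "DestroyCryptoKeyVersion": "key version scheduled for destruction",
    "SetIamPolicy": "key IAM policy changed",
    "UpdateCryptoKey": "key settings changed (e.g. rotation schedule)",
}

KMS_SERVICE = "cloudkms.googleapis.com"

# Constructed sample log (one JSON LogEntry per line).
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": "2023-05-03T09:14:02Z",
        "protoPayload": {
            "serviceName": KMS_SERVICE,
            "methodName": "Decrypt",
            "resourceName": "projects/demo-project/locations/europe-west1/keyRings/app/cryptoKeys/db",
            "authenticationInfo": {"principalEmail": "app-sa@demo-project.iam.gserviceaccount.com"},
        },
    }),
    json.dumps({
        "timestamp": "2023-05-03T09:20:45Z",
        "protoPayload": {
            "serviceName": KMS_SERVICE,
            "methodName": "DestroyCryptoKeyVersion",
            "resourceName": "projects/demo-project/locations/europe-west1/keyRings/app/cryptoKeys/db/cryptoKeyVersions/3",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
    }),
    json.dumps({
        "timestamp": "2023-05-03T09:22:10Z",
        "protoPayload": {
            "serviceName": KMS_SERVICE,
            "methodName": "SetIamPolicy",
            "resourceName": "projects/demo-project/locations/europe-west1/keyRings/app/cryptoKeys/db",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
        },
    }),
    json.dumps({
        "timestamp": "2023-05-03T09:25:00Z",
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.delete",
            "resourceName": "projects/demo-project/zones/europe-west1-b/instances/web-1",
            "authenticationInfo": {"principalEmail": "carol@example.com"},
        },
    }),
]


def detect(lines):
    """Return one alert dict per watched KMS event, in log order.

    Entries that are not JSON, not from Cloud KMS, or not in
    WATCHED_METHODS are skipped. methodName is reduced to its last
    dotted component so both short ("SetIamPolicy") and fully qualified
    forms match.
    """
    alerts = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != KMS_SERVICE:
            continue
        method = payload.get("methodName", "").rsplit(".", 1)[-1]
        if method not in WATCHED_METHODS:
            continue
        alerts.append({
            "time": entry.get("timestamp"),
            "method": method,
            "reason": WATCHED_METHODS[method],
            "key": payload.get("resourceName"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES):
        print(f"{alert['time']} {alert['method']:<25} {alert['principal']:<28} {alert['key']}")
```

Data Access events such as Decrypt are deliberately left out of the watch list: they are high-volume and belong in usage baselining rather than in a per-event alert, while the Admin Activity methods above are rare and each one deserves a human look.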

4. Centralize Key Management

Consolidate all encryption keys in a single project managed by your security team to better control access, streamline key management, and improve auditing capabilities. This approach reduces the risk of unauthorized access and simplifies the overall administration of your cryptographic keys.

Detection Policy: Here’s a Cloud Custodian rule to detect keys created outside the target project.

policies:
  - name: detect-kms-keys-outside-target-project
    resource: gcp.kms-cryptokey
    filters:
      # Flag every key whose resource name is NOT under the central project.
      # Replace project_id with the security team's key project, and run the
      # policy across all projects (for example with c7n-org) so that keys
      # created elsewhere are actually enumerated.
      - not:
        - type: value
          key: name
          op: regex
          value: ^projects/project_id/locations/.*
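To make the three configuration checks concrete, here is an added example (not code from the article or from Cloud Custodian) that applies the conditions behind items 1, 2 and 4 to CryptoKey resources and IAM policies shaped like the Cloud KMS REST API responses. The sample keys, policies and the central project id "central-kms-project" are constructed for this example.

```python
"""Offline evaluation of checklist items 1, 2 and 4 over KMS resources.

Added example: not code from the article or from Cloud Custodian. It
applies the same three conditions the Custodian policies above express
(no rotation schedule, basic or public IAM bindings, key outside the
central project) to CryptoKey resources and IAM policies shaped like
Cloud KMS REST API responses. All sample data and the project id
"central-kms-project" are constructed for this example.
"""
import re

CENTRAL_PROJECT = "central-kms-project"   # constructed: the security team's key project
BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed CryptoKey resources (fields as returned by cryptoKeys.list).
SAMPLE_KEYS = [
    {
        "name": f"projects/{CENTRAL_PROJECT}/locations/europe-west1/keyRings/app/cryptoKeys/db",
        "purpose": "ENCRYPT_DECRYPT",
        "rotationPeriod": "7776000s",          # 90 days
        "nextRotationTime": "2023-08-01T00:00:00Z",
    },
    {
        "name": "projects/team-a-sandbox/locations/us/keyRings/misc/cryptoKeys/legacy",
        "purpose": "ENCRYPT_DECRYPT",
        # no rotationPeriod / nextRotationTime: rotation was never configured
    },
]

# Constructed IAM policies keyed by CryptoKey name (getIamPolicy shape).
SAMPLE_POLICIES = {
    SAMPLE_KEYS[0]["name"]: {"bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["serviceAccount:app-sa@central-kms-project.iam.gserviceaccount.com"]},
    ]},
    SAMPLE_KEYS[1]["name"]: {"bindings": [
        {"role": "roles/editor", "members": ["group:team-a@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": ["allUsers"]},
    ]},
}


def missing_rotation(key):
    """Item 1: the API omits nextRotationTime when no schedule is configured."""
    return "nextRotationTime" not in key


def excessive_bindings(policy):
    """Item 2: return (basic roles, public principals) present in an IAM policy.

    Roles are in bindings[*].role and principals in bindings[*].members,
    so the two sets are checked separately.
    """
    bindings = policy.get("bindings", [])
    roles = {b["role"] for b in bindings}
    members = {m for b in bindings for m in b.get("members", [])}
    return sorted(roles & BASIC_ROLES), sorted(members & PUBLIC_MEMBERS)


def outside_central_project(key, project=CENTRAL_PROJECT):
    """Item 4: key names are projects/<id>/locations/...; anything else is out of place."""
    return re.match(rf"^projects/{re.escape(project)}/locations/", key["name"]) is None


def audit(keys, policies):
    """Return {key name: [finding, ...]} for every non-compliant key."""
    findings = {}
    for key in keys:
        issues = []
        if missing_rotation(key):
            issues.append("no rotation schedule")
        basic, public = excessive_bindings(policies.get(key["name"], {}))
        if basic:
            issues.append("basic roles bound: " + ", ".join(basic))
        if public:
            issues.append("public principals bound: " + ", ".join(public))
        if outside_central_project(key):
            issues.append(f"key lives outside {CENTRAL_PROJECT}")
        if issues:
            findings[key["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_KEYS, SAMPLE_POLICIES).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

In a real environment the key list and policies would come from the cryptoKeys.list and getIamPolicy API calls across every project, which is also why the "outside the central project" check only means something when the inventory covers the whole organization.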

Conclusion

By following the recommendations provided in this article, including using Customer-Managed Encryption Keys (CMEK), enabling key rotation, implementing least privilege access, and centralizing key management in a dedicated project, you can significantly enhance the security of your GCP infrastructure.

We have also provided Cloud Custodian policies for each recommendation to help you detect non-compliant resources and address potential threats. These policies can be customized to suit your organization’s requirements and further bolster your security posture.

As we continue our series on GCP security best practices, we will delve into other essential aspects of GCP security, such as Cloud Storage, Network Security, Compute Engine, and more.

Originally published at https://hassene.belgacem.io .


Cloud Architect | Trainer. Here, I share my thoughts and experience on topics like cloud computing and cybersecurity. https://www.linkedin.com/in/hassene-belgacem