Other Articles
- Cloud SQL – Configure Private IP
- Cloud SQL – Monitor CPU Utilization
- Cloud SQL – Enable Deletion Protection
- Cloud SQL – Enable Disk Encryption
- Cloud SQL – Enable Automated Backups
- Cloud SQL – Enable Log Export
- Cloud SQL – Enforce Password Validation
- Cloud SQL – Protect From Internet Access
- Cloud SQL – Enforce Secure Transport
- Compute Engine – Block Project-Wide SSH Keys
- Compute Engine – Disable IP Forwarding
- Compute Engine – Disable Public IP Addresses
- Compute Engine – Disable Serial Port Access
- Compute Engine – Enable Confidential Computing
- Compute Engine – Enable OS Login
- Compute Engine – Enable Shielded VM
- Compute Engine – Restrict Default Service Account
- General – Enforce Duties Separation
- General – Enforce KMS Key Rotation
- General – Restrict Admin Roles on Service Accounts
- Cloud Run – Configure Timeout Settings
- Cloud Storage – Enable Bucket Encryption
- Cloud Storage – Enable Bucket Logging
- Cloud Storage – Enable Bucket Versioning
- Cloud Storage – Enforce Uniform Bucket-Level Access
- Cloud Storage – Restrict Public Access
- IAM Users – Enforce GCP-Managed Keys
- IAM Users – Rotate External User-Managed Service Account Keys
General – Deny Public Access to KMS Keys
Secure Configuration Checks > GCP
Ensure Cloud KMS cryptokeys are not publicly accessible to prevent unauthorized use.
Check Details
- Entity Type: Integration
- Check: Deny Public Access to KMS Keys
- Risk: Publicly accessible KMS keys can be misused by unauthorized users, leading to potential data exposure and compromise.
Remediation via Google Cloud CLI
-
List all Cloud KMS cryptokeys:
gcloud kms keys list \ --keyring=[KEY_RING_NAME] \ --location=global \ --format=json | jq '.[].name'
-
Remove IAM policy binding to revoke access from allAuthenticatedUsers:
gcloud kms keys remove-iam-policy-binding [KEY_NAME] \ --keyring=[KEY_RING_NAME] \ --location=global \ --member="allAuthenticatedUsers" \ --role="[ROLE]"
-
Remove IAM policy binding to revoke access from allUsers:
gcloud kms keys remove-iam-policy-binding [KEY_NAME] \ --keyring=[KEY_RING_NAME] \ --location=global \ --member="allUsers" \ --role="[ROLE]"
Default Value
By default, Cloud KMS does not allow access to
allUsers or allAuthenticatedUsers.
Updated on 16 April, 2026