gcloud-kms-public-access: Publicly Accessible Google Cloud KMS Keys

Date: 2025-08-01 | Affected software: gcloud kms public access | PoC: public

Vulnerability description

Ensure that the IAM policy associated with your Google Cloud Key Management Service (KMS) keys restricts anonymous and/or public access. The KMS cryptographic keys are controlled by Cloud IAM policies, which should not include bindings for "allUsers" and "allAuthenticatedUsers" to prevent public internet access.

PoC code [public]

id: gcloud-kms-public-access

info:
  name: Publicly Accessible Google Cloud KMS Keys
  author: princechaddha
  severity: high
  description: |
    Ensure that the IAM policy associated with your Google Cloud Key Management Service (KMS) keys restricts anonymous and/or public access. The KMS cryptographic keys are controlled by Cloud IAM policies, which should not include bindings for "allUsers" and "allAuthenticatedUsers" to prevent public internet access.
  impact: |
    If a KMS key is accessible to "allUsers" or "allAuthenticatedUsers", it means any internet user can access this cryptographic resource, potentially leading to unauthorized data access or manipulation.
  remediation: |
    Update the IAM policy for your KMS keys by removing any bindings that include "allUsers" or "allAuthenticatedUsers" to restrict access to authenticated and authorized users only.
  reference:
    - https://cloud.google.com/kms/docs/restricting-access
  tags: cloud,devops,gcp,gcloud,google-kms,gcp-cloud-config

flow: |
  code(1)
  for(let keyRing of iterate(template.keyRings)){
    set("keyRing", keyRing)
    code(2)
    for(let key of iterate(template.keys)){
      set("keyName", key)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud kms keyrings list --location=global --format="json(name)"

    extractors:
      - type: json
        name: keyRings
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud kms keys list --keyring=$keyRing --location=global --format="json(name)"

    extractors:
      - type: json
        name: keys
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud kms keys get-iam-policy $keyName --keyring=$keyRing --location=global --format="json"

    matchers:
      - type: word
        words:
          - "allUsers"
          - "allAuthenticatedUsers"
        condition: or

    extractors:
      - type: dsl
        dsl:
          - '"Public Access found in KMS Key: " + keyName + ", KeyRing: " + keyRing + ", Location: Global"'
# digest: 4a0a0047304502200402be881c65a286a9279a473cd5998ed03b59d7bc7b293fbcc7f066d97086a2022100890f44b29b1aa33d0c86d0403639c36d6da4fb6aa427a2fe9f26af3e6f42ef34:922c64590222798bb761d5b6d8e72950
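The check that the template's third step performs (inspecting a key's IAM policy for the two public principals) together with the remediation described in its info block, as an added Python example that is not part of the template. The policy document is a constructed sample shaped like `gcloud kms keys get-iam-policy --format=json` output; the project, account names and etag are made up. Unlike the template's substring word matcher, it compares member strings exactly, so a principal whose name merely contains "allUsers" does not produce a finding.

```python
import copy
import json

# Principals that expose a KMS key to the public internet.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def find_public_bindings(policy):
    """Return (role, member) pairs that grant access to a public principal.
    Members are compared exactly, so a legitimate principal that merely contains
    the substring, such as "group:allUsers-team@example.com", is not reported."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings

def strip_public_bindings(policy):
    """Return a copy of the policy with public principals removed (remediation).
    Bindings left without members are dropped; etag and version are kept so the
    result can be handed back to `gcloud kms keys set-iam-policy`."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if binding["members"]:
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned

# Constructed sample, shaped like `gcloud kms keys get-iam-policy --format=json`
# output for a misconfigured key (project, accounts and etag are made up).
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["allUsers", "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/cloudkms.admin", "members": ["group:allUsers-team@example.com"]}
  ],
  "etag": "BwExampleEtag=",
  "version": 1
}""")

if __name__ == "__main__":
    for role, member in find_public_bindings(SAMPLE_POLICY):
        print(f"Public Access found in KMS Key: example-key, KeyRing: example-ring, "
              f"Location: Global ({role} granted to {member})")
    print(json.dumps(strip_public_bindings(SAMPLE_POLICY), indent=2))
```

Running the script reports the two public bindings and prints the cleaned policy; the admin binding for the similarly named group is left untouched.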