chore(gcp): enhance metadata for kms service (#9647)

Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
This commit is contained in:
Rubén De la Torre Vico
2026-02-13 16:32:26 +01:00
committed by GitHub
parent 006c2dc754
commit ddc5d879e0
3 changed files with 31 additions and 21 deletions


@@ -34,6 +34,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update GCP GCR service metadata to new format [(#9644)](https://github.com/prowler-cloud/prowler/pull/9644)
- Update GCP GKE service metadata to new format [(#9645)](https://github.com/prowler-cloud/prowler/pull/9645)
- Update GCP IAM service metadata to new format [(#9646)](https://github.com/prowler-cloud/prowler/pull/9646)
- Update GCP KMS service metadata to new format [(#9647)](https://github.com/prowler-cloud/prowler/pull/9647)
### 🔐 Security


@@ -1,31 +1,35 @@
{
"Provider": "gcp",
"CheckID": "kms_key_not_publicly_accessible",
"CheckTitle": "Check for Publicly Accessible Cloud KMS Keys",
"CheckTitle": "Cloud KMS key has no public IAM access",
"CheckType": [],
"ServiceName": "kms",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "CryptoKey",
"ResourceGroup": "security",
"Description": "Check for Publicly Accessible Cloud KMS Keys",
"Risk": "Ensure that the IAM policy associated with your Cloud Key Management Service (KMS) keys is restricting anonymous and/or public access",
"ResourceType": "cloudkms.googleapis.com/CryptoKey",
"Description": "**Cloud KMS crypto keys** are evaluated for **public principals** in their IAM bindings, specifically `allUsers` and `allAuthenticatedUsers`.\n\nThe finding reflects whether these memberships are present on a key.",
"Risk": "Granting **public principals** access lets anyone on the Internet or any Google account use permissions on the key.\n- **Confidentiality** loss via unauthorized `decrypt`\n- **Integrity** compromise via illicit `sign`\n- **Availability** impact from disable, rotation, or destruction",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudKMS/publicly-accessible-kms-cryptokeys.html",
"https://cloud.google.com/kms/docs/iam"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudKMS/publicly-accessible-kms-cryptokeys.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/ensure-that-cloud-kms-cryptokeys-are-not-anonymously-or-publicly-accessible#terraform"
"Other": "1. In Google Cloud Console, go to Security > Key Management > Key rings\n2. Open the key ring, then select the affected key\n3. Click the Permissions tab\n4. Remove principals \"allUsers\" and \"allAuthenticatedUsers\" from all roles\n5. Click Save",
"Terraform": "```hcl\n# Replace the IAM policy on the KMS key to remove any public members\nresource \"google_kms_crypto_key_iam_policy\" \"<example_resource_name>\" {\n crypto_key_id = \"<example_resource_id>\"\n \n policy_data = jsonencode({\n bindings = [] # Critical: empty bindings remove all IAM principals, eliminating allUsers/allAuthenticatedUsers\n })\n}\n```"
},
"Recommendation": {
"Text": "To deny access from anonymous and public users, remove the bindings for 'allUsers' and 'allAuthenticatedUsers' members from the KMS key's IAM policy.",
"Url": "https://cloud.google.com/kms/docs/iam"
"Text": "Remove `allUsers` and `allAuthenticatedUsers` from key IAM. Grant access only to specific groups or service accounts with **least privilege** at the key scope. Enforce **separation of duties** between admins and users, and regularly review inherited bindings and audit logs.",
"Url": "https://hub.prowler.com/check/kms_key_not_publicly_accessible"
}
},
"Categories": [
"internet-exposed"
"internet-exposed",
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
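Review bot: The new Terraform remediation in `Remediation.Code.Terraform` uses the authoritative `google_kms_crypto_key_iam_policy` with `bindings = []`, which replaces the key's whole IAM policy and removes every principal, not just `allUsers` and `allAuthenticatedUsers` — the service accounts that legitimately encrypt and decrypt with the key lose access, which is the availability impact the `Risk` text itself warns about. A safer snippet removes only the public principals, for example by declaring the key's intended bindings explicitly (`bindings = [{ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter", members = ["serviceAccount:<example_service_account>"] }]`) or by using the non-authoritative `google_kms_crypto_key_iam_binding` with a members list that contains no public principals. The `# Critical:` comment should then say that applying the policy overwrites all existing bindings and that legitimate members must be listed. The `Notes` field and the closing brace of this JSON object are not shown in this section.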


@@ -1,30 +1,35 @@
{
"Provider": "gcp",
"CheckID": "kms_key_rotation_enabled",
"CheckTitle": "Ensure KMS keys are rotated within a period of 90 days",
"CheckTitle": "KMS key is rotated at least annually",
"CheckType": [],
"ServiceName": "kms",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "CryptoKey",
"ResourceGroup": "security",
"Description": "Ensure KMS keys are rotated within a period of 90 days",
"Risk": "Ensure that all your Cloud Key Management Service (KMS) keys are rotated within a period of 90 days in order to meet security and compliance requirements",
"ResourceType": "cloudkms.googleapis.com/CryptoKey",
"Description": "Google Cloud KMS customer-managed keys have **automatic rotation** enabled or a rotation interval `365` days.\n\nThe evaluation reviews each key's rotation settings to confirm periodic creation of new key versions.",
"Risk": "Without timely rotation, a stolen key can decrypt an expanding volume of data, eroding **confidentiality**. Prolonged key lifetimes widen windows for misuse, impact **integrity** of protected workloads, and make emergency rollover harder, risking **availability** disruptions.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudKMS/rotate-kms-encryption-keys.html",
"https://cloud.google.com/iam/docs/manage-access-service-accounts"
],
"Remediation": {
"Code": {
"CLI": "gcloud kms keys update new --keyring=<KEY_RING> --location=<LOCATION> --nextrotation-time=<NEXT_ROTATION_TIME> --rotation-period=<ROTATION_PERIOD>",
"CLI": "gcloud kms keys update <KEY_NAME> --keyring=<KEY_RING> --location=<LOCATION> --rotation-period=365d --next-rotation-time=<RFC3339_TIME>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudKMS/rotate-kms-encryption-keys.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/bc_gcp_general_4#terraform"
"Other": "1. In Google Cloud Console, go to Security > Key Management > Key rings\n2. Open the key ring and select the key\n3. Click Edit rotation schedule (or Set rotation schedule)\n4. Set Rotation period to 365 days or less\n5. Set Next rotation date/time\n6. Click Save",
"Terraform": "```hcl\nresource \"google_kms_crypto_key\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n key_ring = \"<example_resource_id>\"\n purpose = \"ENCRYPT_DECRYPT\"\n\n rotation_period = \"31536000s\" # Critical: sets automatic rotation to 365 days (<= 365 ensures PASS)\n}\n```"
},
"Recommendation": {
"Text": "After a successful key rotation, the older key version is required in order to decrypt the data encrypted by that previous key version.",
"Url": "https://cloud.google.com/iam/docs/manage-access-service-accounts"
"Text": "Enable **auto-rotation** for customer-managed keys with an interval `365` days.\n\nAdopt a **key lifecycle** policy: enforce **least privilege** on key usage, apply **separation of duties** between key admins and users, monitor key access, and rehearse emergency rotation to minimize blast radius.",
"Url": "https://hub.prowler.com/check/kms_key_rotation_enabled"
}
},
"Categories": [],
"Categories": [
"encryption"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
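Review bot: The new `Description` and `Recommendation.Text` say "a rotation interval `365` days", which drops the bound — the Terraform comment in the same file states that a period `<= 365` days passes, and the title says "at least annually", so the prose should read `a rotation interval of at most \`365\` days` in both places. The `AdditionalURLs` entry `https://cloud.google.com/iam/docs/manage-access-service-accounts` is a service-account IAM page rather than a key-rotation reference; if it was carried over from the old `Recommendation.Url`, it is presumably meant to be the Cloud KMS key-rotation documentation (e.g. `https://cloud.google.com/kms/docs/key-rotation`) and should be confirmed. The closing brace of this JSON object is not shown in this section.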