Google KMS Key
Service Name: Google Cloud Key Management Service
Service Description: Google Cloud Key Management Service (KMS) is a cloud service for managing cryptographic keys for your cloud services in the same way you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys.
Service Address: https://cloud.google.com/security-key-management
Validation Type: API Auth
IP Allow list: IP restrictions can be configured using VPC Service Controls and IAM conditions.
Secret Access Scope: Grants access to encrypt/decrypt data, manage cryptographic keys, and perform cryptographic operations within Google Cloud Platform.
Secret Revokement URL: https://cloud.google.com/kms/docs/rotating-keys
Secret Example: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1
Suspicious Activity Investigation Instructions:
- Review Cloud Audit Logs for unusual KMS API calls or access patterns.
- Check for unexpected key usage, especially decrypt operations from unfamiliar IP addresses.
- Monitor for unauthorized key creation, destruction, or rotation events.
- Examine IAM policy changes related to KMS resources.
- Look for unusual access patterns outside normal business hours or from unexpected locations.
Mitigation Instructions:
- Rotate the compromised key immediately using the Google Cloud Console or KMS API.
- Update the key's IAM policy to restrict access to trusted principals only.
- Disable the compromised key version to prevent further usage.
- Create a new key version to replace the compromised one.
- Update all applications to use the new key version.
- Consider implementing automatic key rotation policies.
- Enable Cloud Audit Logs for KMS operations if not already enabled.
- Review and update VPC Service Controls to restrict KMS access to trusted networks.