Skip to content

Google KMS Key

Service Name: Google Cloud Key Management Service

Service Description: Google Cloud Key Management Service (KMS) is a cloud service for managing cryptographic keys for your cloud services in the same way you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys.

Service Address: https://cloud.google.com/security-key-management

Validation Type: API Auth

IP Allow list: IP restrictions can be configured using VPC Service Controls and IAM conditions.

Secret Access Scope: Grants access to encrypt/decrypt data, manage cryptographic keys, and perform cryptographic operations within Google Cloud Platform.

Secret Revokement URL: https://cloud.google.com/kms/docs/rotating-keys

Secret Example: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1

Suspicious Activity Investigation Instructions:

  • Review Cloud Audit Logs for unusual KMS API calls or access patterns.
  • Check for unexpected key usage, especially decrypt operations from unfamiliar IP addresses.
  • Monitor for unauthorized key creation, destruction, or rotation events.
  • Examine IAM policy changes related to KMS resources.
  • Look for unusual access patterns outside normal business hours or from unexpected locations.

Mitigation Instructions:

  • Rotate the compromised key immediately using the Google Cloud Console or KMS API.
  • Update the key's IAM policy to restrict access to trusted principals only.
  • Disable the compromised key version to prevent further usage.
  • Create a new key version to replace the compromised one.
  • Update all applications to use the new key version.
  • Consider implementing automatic key rotation policies.
  • Enable Cloud Audit Logs for KMS operations if not already enabled.
  • Review and update VPC Service Controls to restrict KMS access to trusted networks.