admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-01-31 15:53:33 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
nuclei-templates/cloud/gcp/iam/gcloud-iam-unrestricted-decryption.yaml
Prince Chaddha ea7a5969c8 Revert "chore: update TemplateMan 🤖" 
This reverts commit c31d574176.
2025-05-27 10:39:47 +08:00

57 lines
2.4 KiB
YAML
Raw Permalink Blame History

id: gcloud-iam-unrestricted-decryption
info:
name: IAM Users with Unrestricted Data Decryption Permissions
author: princechaddha
severity: medium
description: |
Ensure that IAM users with data decryption permissions should use conditions to enforce strict controls, enhancing data protection and reducing risks of unauthorized decryption. For compliance, the Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter), Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator), and Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) roles must have a condition preventing data decryption with any KMS key.
impact: |
Without conditions on decryption permissions, IAM users can decrypt data using any KMS key in the project, potentially leading to unauthorized access to sensitive data.
remediation: |
Add IAM conditions to roles that allow decryption operations, restricting access to specific KMS keys. This can be done using resource.type and resource.name conditions in the IAM policy.
reference:
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/IAM/decryption-with-all-keys-not-allowed.html
- https://cloud.google.com/kms/docs/reference/permissions-and-roles
tags: cloud,devops,gcp,gcloud,iam,security,encryption,kms,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud projects get-iam-policy $projectId --format="json(bindings[?(@.role=='roles/cloudkms.cryptoKeyDecrypter' || @.role=='roles/cloudkms.cryptoOperator' || @.role=='roles/cloudkms.cryptoKeyEncrypterDecrypter')])"
matchers:
- type: word
words:
- '"condition":'
negative: true
extractors:
- type: dsl
dsl:
- '"Project " + projectId + " has IAM users with unrestricted decryption permissions that can access all KMS keys"'
# digest: 490a00463044022012b07c04fff07c91b88ee8cd99e7411c0e7d79981f997ef24f1673f40235e490022055de031c4e4baf88803b9dbe0bc30fe24c5edbf8c3d04fe0f8ff3bce3b68316e:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink