Cloud KMS Key IAM Policy Modified

This alert occurs when Lacework detects that the IAM (Identity and Access Management) policy for a Cloud KMS (Key Management Service) key has been modified.

Cloud KMS is a service that allows you to create, use, and manage cryptographic keys for securing data in the cloud. IAM policies control who has access to cloud KMS keys and what actions they can perform with those keys. When an IAM policy is modified for a cloud KMS key, it can affect the level of access that users and services have to the key.

Related policy: LW_AT_IAM_178: Cloud KMS IAM Policy Modified

Why this alert is important

Cloud KMS keys are used to protect sensitive data and resources in the cloud. Any unauthorized modification of the IAM policy for a Cloud KMS key can grant or remove access to the key and so compromise the security of the data it protects. By detecting this change, you can quickly identify potential security breaches and take appropriate action to mitigate the risk.

Investigation

If you suspect a malicious modification of a cloud KMS key IAM policy, investigate the issue promptly to determine the cause and mitigate any potential damage. Follow these steps to investigate the alert:

  1. Check Cloud Audit Logs for unusual activity or changes that fall outside the normal pattern. Identify the principal who made the modification and compare it against the list of authorized users and administrators.
  2. Use the IAM policy change history to review every change made to the policy, including when each change was made and which principal made it.
  3. Review other logs and metrics in Google Cloud, such as Cloud Storage access logs or VPC Flow Logs, to determine whether there has been any unauthorized access or unusual activity associated with the Cloud KMS key.
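The first two investigation steps, filtering audit log entries down to policy changes on Cloud KMS keys and checking the principal and the granted members against what is expected, can be done over an exported log file. The following is an added example, not code from the Lacework documentation or product; the log entries are constructed, and the field layout (`protoPayload.methodName`, `protoPayload.serviceData.policyDelta.bindingDeltas`, `protoPayload.authenticationInfo.principalEmail`) follows the general shape of Cloud Audit Log records for `SetIamPolicy` calls. The authorized-principal and trusted-domain sets are assumptions an operator would fill in from their own environment.

```python
import json
from typing import Optional

KMS_SERVICE = "cloudkms.googleapis.com"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample entries (not real data), one JSON record per line, as an
# export from Cloud Logging would look. Entries 3 and 4 are noise: a policy change
# on a storage bucket and an Encrypt call that do not touch KMS IAM policy.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T10:00:00Z", "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "SetIamPolicy", "resourceName": "projects/example-proj/locations/us/keyRings/app-ring/cryptoKeys/db-key", "authenticationInfo": {"principalEmail": "kms-admin@example.com"}, "requestMetadata": {"callerIp": "203.0.113.10"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "member": "serviceAccount:app-sa@example-proj.iam.gserviceaccount.com"}]}}}}
{"timestamp": "2024-05-01T23:41:12Z", "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "SetIamPolicy", "resourceName": "projects/example-proj/locations/us/keyRings/app-ring/cryptoKeys/db-key", "authenticationInfo": {"principalEmail": "contractor@example.com"}, "requestMetadata": {"callerIp": "198.51.100.7"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/cloudkms.cryptoKeyDecrypter", "member": "user:someone@external-example.net"}]}}}}
{"timestamp": "2024-05-01T23:45:00Z", "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.setIamPermissions", "resourceName": "projects/_/buckets/example-bucket", "authenticationInfo": {"principalEmail": "kms-admin@example.com"}}}
{"timestamp": "2024-05-02T01:00:00Z", "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "Encrypt", "resourceName": "projects/example-proj/locations/us/keyRings/app-ring/cryptoKeys/db-key", "authenticationInfo": {"principalEmail": "app-sa@example-proj.iam.gserviceaccount.com"}}}
"""


def load_entries(jsonl: str) -> list:
    """Parse newline-delimited JSON log records into dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def is_kms_policy_change(entry: dict) -> bool:
    """True only for IAM policy writes against the Cloud KMS API."""
    payload = entry.get("protoPayload", {})
    return (payload.get("serviceName") == KMS_SERVICE
            and payload.get("methodName", "").endswith("SetIamPolicy"))


def member_domain(member: str) -> Optional[str]:
    """'user:alice@example.com' -> 'example.com'; 'allUsers' -> None."""
    _, _, identity = member.partition(":")
    if "@" not in identity:
        return None
    return identity.rpartition("@")[2]


def summarize_change(entry: dict) -> dict:
    """Extract who changed which key's policy, from where, and what bindings moved."""
    payload = entry["protoPayload"]
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return {
        "time": entry.get("timestamp"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "resource": payload.get("resourceName"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "added": [(d["role"], d["member"]) for d in deltas if d.get("action") == "ADD"],
        "removed": [(d["role"], d["member"]) for d in deltas if d.get("action") == "REMOVE"],
    }


def triage(entries: list, authorized_principals: set, trusted_domains: set) -> list:
    """Return one finding per KMS policy change, flagged when the actor is not an
    authorized KMS administrator or when access is granted outside trusted domains."""
    findings = []
    for entry in entries:
        if not is_kms_policy_change(entry):
            continue
        finding = summarize_change(entry)
        reasons = []
        if finding["principal"] not in authorized_principals:
            reasons.append(f"principal {finding['principal']} is not an authorized KMS admin")
        for role, member in finding["added"]:
            if member in PUBLIC_MEMBERS:
                reasons.append(f"public grant of {role} to {member}")
            elif member_domain(member) not in trusted_domains:
                reasons.append(f"grant of {role} to untrusted member {member}")
        finding["suspicious"] = bool(reasons)
        finding["reasons"] = reasons
        findings.append(finding)
    return findings


if __name__ == "__main__":
    # Assumed allowlists for the constructed environment.
    results = triage(load_entries(SAMPLE_LOG),
                     authorized_principals={"kms-admin@example.com"},
                     trusted_domains={"example.com", "example-proj.iam.gserviceaccount.com"})
    for r in results:
        print(r["time"], r["principal"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

The second record is flagged on two counts: the principal is not on the administrator allowlist, and the decrypter role is granted to a member outside the trusted domains. Removals are recorded too, since deleting a binding can be as damaging as adding one.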

Resolution

Use the following steps to resolve an unauthorized modification of a Cloud KMS key IAM policy:

  1. Immediately revoke access to the Cloud KMS key for the principal who made the unauthorized modification.
  2. If you have a backup of the original IAM policy for the Cloud KMS key, restore it. This ensures that the key is secured with the proper IAM policy and that authorized users and services can continue to access it.
  3. Investigate the incident to determine how the unauthorized modification occurred and identify any vulnerabilities or weaknesses in your security controls.
  4. Implement additional security measures to prevent similar incidents from occurring in the future. This may include enabling two-factor authentication, monitoring access to the key more closely, or implementing stricter IAM policies.
  5. Depending on the severity of the incident, you may need to report it to your security team or the appropriate authorities. This helps you comply with any regulatory requirements and ensures appropriate action is taken to prevent similar incidents in the future.
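Resolution steps 1 and 2 amount to editing a policy document: strip the offending principal from every binding, then reconcile the live policy against the backup so that nothing unexpected survives the restore. The following is an added example, not code from Lacework or Google; the backup and current policies are constructed, and their layout (`bindings` of `role` plus `members`, an `etag`) follows the standard IAM policy document shape. The restore helper carries over the current policy's `etag` because IAM policy writes are conditional on it: a stale etag makes the write fail rather than silently overwrite a concurrent change.

```python
import copy
from typing import Set, Tuple

# Constructed sample policies (not real data). The backup is the known-good
# policy; the current one is what the unauthorized change left behind.
BACKUP_POLICY = {
    "version": 1,
    "etag": "BwXconstructed-old",
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["serviceAccount:app-sa@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.admin", "members": ["user:kms-admin@example.com"]},
    ],
}

CURRENT_POLICY = {
    "version": 1,
    "etag": "BwXconstructed-new",
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["serviceAccount:app-sa@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.admin",
         "members": ["user:kms-admin@example.com", "user:contractor@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["user:someone@external-example.net", "user:contractor@example.com"]},
    ],
}


def bindings_as_set(policy: dict) -> Set[Tuple[str, str]]:
    """Flatten a policy into (role, member) pairs so two policies can be compared."""
    return {(b["role"], m) for b in policy.get("bindings", []) for m in b.get("members", [])}


def revoke_member(policy: dict, member: str) -> dict:
    """Step 1: return a copy of the policy with `member` removed from every role.
    Bindings left with no members are dropped, as an empty binding is meaningless."""
    revoked = copy.deepcopy(policy)
    kept = []
    for binding in revoked.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding["members"]:
            kept.append(binding)
    revoked["bindings"] = kept
    return revoked


def policy_diff(backup: dict, current: dict) -> dict:
    """Grants present now but absent from the backup ('unexpected') and grants the
    backup had that are now gone ('missing'). Both sets drive the restore review."""
    want, have = bindings_as_set(backup), bindings_as_set(current)
    return {"unexpected": have - want, "missing": want - have}


def build_restore_policy(backup: dict, current: dict) -> dict:
    """Step 2: the backup's bindings, written under the current etag so the
    conditional update fails if the live policy changed again in the meantime."""
    restored = copy.deepcopy(backup)
    restored["etag"] = current["etag"]
    return restored


if __name__ == "__main__":
    after_revoke = revoke_member(CURRENT_POLICY, "user:contractor@example.com")
    print("still unexpected after revoke:", policy_diff(BACKUP_POLICY, after_revoke)["unexpected"])
    restored = build_restore_policy(BACKUP_POLICY, CURRENT_POLICY)
    print("clean after restore:", policy_diff(BACKUP_POLICY, restored) == {"unexpected": set(), "missing": set()})
```

Revoking the actor alone is not enough here: the grant they made to the external account remains until the backup is restored, which is why the diff is checked after each step rather than once.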