New Cloud KMS Key Created
This alert occurs when Lacework detects that a new cloud Key Management Service (KMS) key has been created.
When a new KMS key is created, Cloud KMS creates the key resource and (for the default symmetric keys) its first key version, which holds the key material. Every later rotation adds another version rather than replacing the key. The key can then be used to encrypt and decrypt data directly, or as a customer-managed encryption key (CMEK) protecting resources in other Google Cloud services such as Cloud Storage, BigQuery, or Compute Engine.
Related policy: LW_AT_RESOURCE_173: Cloud Storage Bucket Created
Why this alert is important
KMS keys protect sensitive data in Google Cloud, so the set of keys that exist should match what your infrastructure intends. A key nobody expected may be configuration drift, a shortcut taken by an engineer, or an attacker preparing to place resources under a key they control. Detecting a new KMS key promptly lets you confirm that it was created for a legitimate purpose, that the right principals can use it, and that it is not being used to encrypt data you will later be unable to recover.
Investigation
Investigating a suspicious new KMS key requires a thorough review of the audit logs and configuration associated with the key. Follow these steps to investigate the alert:
- Check the Cloud Audit Logs (Admin Activity logs, which are always on) for the `CreateCryptoKey` call to determine who created the key, when, and from where (caller IP and user agent are recorded in the request metadata). Look for suspicious patterns, such as several keys created by a single principal in a short window, a key created by a service account that does not normally manage keys, or a key created outside normal business hours.
- Look at the usage of the key. Encrypt and Decrypt calls appear only in Data Access audit logs, which are off by default for Cloud KMS; if they are enabled, they show which principal called the key and when, but not the plaintext or which objects were involved. To learn what the key protects, check which resources (buckets, datasets, disks) reference it as their CMEK.
- Review the IAM policy on the key and its key ring to see who can use or administer it (for example `roles/cloudkms.cryptoKeyEncrypterDecrypter` and `roles/cloudkms.admin`). Ensure the bindings are limited to the principals that genuinely need them.
- Check the key's rotation schedule and version history. Note that rotation creates a new primary version; earlier versions stay usable for decryption until they are disabled or destroyed, so rotation alone does not cut off an attacker who can still call the key.
- Cloud KMS is an API, so there is no per-key network traffic to inspect. Instead, review the caller IP, user agent, and any VPC Service Controls logs for the KMS calls, and correlate them with related alerts in your security information and event management (SIEM) system.
- If you find any anomalies in the logs or activity associated with the key, investigate them further to determine the cause.
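The following script is an added example, not Lacework's or Google's code. It applies the first investigation step above to a handful of constructed Cloud Audit Log entries (newline-delimited JSON in the shape Cloud Logging exports, with the field layout assumed from the `CreateCryptoKey` method): it pulls out every key creation with its principal, caller IP and user agent, then flags creations outside an assumed 08:00-17:59 UTC business window and principals that created more keys than expected.

```python
"""Triage Cloud KMS CreateCryptoKey audit log entries (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Admin Activity audit log method name for CryptoKey creation in Cloud KMS.
CREATE_METHOD = "google.cloud.kms.v1.KeyManagementService.CreateCryptoKey"
# Assumed business window in UTC hours; adjust to your organisation.
BUSINESS_START, BUSINESS_END = 8, 18

# Constructed sample entries, one JSON object per line. Field names follow the
# Cloud Audit Log schema; the project, principals and addresses are made up.
SAMPLE_LOG = r'''
{"timestamp":"2024-03-04T10:15:00Z","protoPayload":{"methodName":"google.cloud.kms.v1.KeyManagementService.CreateCryptoKey","resourceName":"projects/demo-proj/locations/us/keyRings/app-ring","request":{"cryptoKeyId":"app-data"},"authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.10","callerSuppliedUserAgent":"google-cloud-sdk gcloud/470.0.0"}}}
{"timestamp":"2024-03-04T10:16:00Z","protoPayload":{"methodName":"google.cloud.kms.v1.KeyManagementService.Encrypt","resourceName":"projects/demo-proj/locations/us/keyRings/app-ring/cryptoKeys/app-data","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.10"}}}
{"timestamp":"2024-03-04T02:30:00Z","protoPayload":{"methodName":"google.cloud.kms.v1.KeyManagementService.CreateCryptoKey","resourceName":"projects/demo-proj/locations/us/keyRings/app-ring","request":{"cryptoKeyId":"tmp-1"},"authenticationInfo":{"principalEmail":"svc-ci@demo-proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"python-requests/2.31"}}}
{"timestamp":"2024-03-04T02:31:00Z","protoPayload":{"methodName":"google.cloud.kms.v1.KeyManagementService.CreateCryptoKey","resourceName":"projects/demo-proj/locations/us/keyRings/app-ring","request":{"cryptoKeyId":"tmp-2"},"authenticationInfo":{"principalEmail":"svc-ci@demo-proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"python-requests/2.31"}}}
'''


def parse_log(text):
    """Parse newline-delimited JSON audit log entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def key_creations(entries):
    """Return one record per CreateCryptoKey call with the fields worth triaging."""
    events = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != CREATE_METHOD:
            continue  # Encrypt/Decrypt and other calls are out of scope here
        meta = payload.get("requestMetadata", {})
        key_id = payload.get("request", {}).get("cryptoKeyId", "<unknown>")
        events.append({
            # fromisoformat() on older Pythons rejects a trailing "Z"
            "time": datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "key": f"{payload.get('resourceName')}/cryptoKeys/{key_id}",
            "caller_ip": meta.get("callerIp"),
            "user_agent": meta.get("callerSuppliedUserAgent"),
        })
    return events


def find_anomalies(events, max_per_principal=1):
    """Flag off-hours creations and principals creating more keys than expected."""
    findings = []
    per_principal = defaultdict(list)
    for ev in events:
        per_principal[ev["principal"]].append(ev)
        hour = ev["time"].astimezone(timezone.utc).hour
        if not BUSINESS_START <= hour < BUSINESS_END:
            findings.append({
                "key": ev["key"], "principal": ev["principal"],
                "caller_ip": ev["caller_ip"], "user_agent": ev["user_agent"],
                "reason": "created outside business hours",
            })
    for principal, evs in per_principal.items():
        if len(evs) > max_per_principal:
            findings.append({
                "key": ", ".join(e["key"] for e in evs), "principal": principal,
                "caller_ip": evs[0]["caller_ip"], "user_agent": evs[0]["user_agent"],
                "reason": f"{len(evs)} keys created by one principal",
            })
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(key_creations(parse_log(SAMPLE_LOG))):
        print(f"{finding['reason']}: {finding['principal']} from "
              f"{finding['caller_ip']} ({finding['user_agent']}) -> {finding['key']}")
```

On the sample input, the gcloud-driven creation by a human during the day passes, while the service account that created two keys from a scripted client at 02:30 UTC is flagged twice for off-hours activity and once for the burst. In practice you would feed this the output of a `gcloud logging read` filter on `protoPayload.methodName` and tune the business window and threshold to your environment.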
Resolution
If you have determined that a new KMS key is malicious, take immediate action to resolve the issue, including:
- Cut off use of the key. Cloud KMS has no single "disable key" switch: disable (or schedule for destruction) each key version, and remove IAM bindings that grant `cryptoKeyEncrypterDecrypter` or admin rights on the key. Disabling the primary version stops new encryptions; disabling every version stops decryption as well. Destruction is scheduled rather than immediate, which gives you a window to recover the version if you were wrong.
- Before you disable or destroy the key's versions, identify any data that was encrypted under it. If that data matters to you, re-encrypt it under a trusted key first, because once the versions are destroyed that data is unrecoverable. If legitimate keys may have been exposed during the same incident, rotate them and re-encrypt their data as well.
- Determine how the malicious key was created in the first place. Identify the credential or permission that was abused and remediate it. This may involve analyzing the audit log trail for the creating principal, reviewing IAM policies, or checking where the caller IP and user agent originated.
- Review the access controls for your Cloud KMS key rings and keys to ensure only authorized principals can create or use keys. Consider additional controls such as enforcing multi-factor authentication for human accounts, IAM conditions, and VPC Service Controls to restrict where KMS calls may come from.
- Monitor your Cloud KMS keys and associated activity to identify future threats. Enable Data Access audit logs for Cloud KMS where usage visibility is needed, and implement a security monitoring program that includes real-time alerts, SIEM integration, and regular audits of which keys exist and who can use them.