New Cloud KMS Key Ring Created
This alert occurs when Lacework detects that a new key ring was created in the cloud Key Management Service (KMS).
A key ring is a logical container for keys in cloud KMS, and it can be used to organize and manage keys based on their purpose or usage.
Related policy: LW_AT_RESOURCE_175: Cloud KMS Key Ring Created
Why this alert is important
This alert indicates that a new key ring has been created, in which cryptographic keys can be generated and used to secure data and access resources. Detecting new key rings helps organizations monitor and control access to sensitive data and resources, ensuring that only authorized users can access critical systems and information.
Investigation
Investigating a malicious new cloud KMS key ring in GCP requires a thorough and systematic approach to identify the root cause of the issue and mitigate any potential damage. Follow these steps to investigate the alert:
- Gather information, including the date and time the new key ring was created, who created it, the list of users with access to it, and any recent changes made to it.
- Identify the extent of the damage caused by the malicious key ring. Check if any sensitive data or resources have been accessed or compromised.
- Review the logs for any suspicious activity related to the key ring, such as changes to permissions, access attempts, or unauthorized usage.
- Check the activity of the users who have access to the key ring. Verify that they have legitimate reasons for accessing the key ring and investigate any unusual activity.
- Remove access to the key ring for all users until the investigation is complete. You can also temporarily disable the key ring to prevent any further damage.
- Notify any affected parties, such as users whose data may have been exposed, and follow any required reporting procedures.
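The first and third steps above (who created the ring, when, and from where, plus the log review) can be started from the project's Cloud Audit Logs. The following is an added example, not part of the Lacework documentation: it parses constructed admin-activity log entries, extracts every CreateKeyRing call, and flags the ones made by principals outside an assumed approved set. The method name and resource-name format are GCP's; the log entries and the approved-creator list are constructed for the example.

```python
import re

# GCP Cloud Audit Log method name for key ring creation.
CREATE_KEY_RING = "google.cloud.kms.v1.KeyManagementService.CreateKeyRing"
# Key ring resource names: projects/{project}/locations/{location}/keyRings/{ring}
KEY_RING_RE = re.compile(r"^projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)$")

# Constructed sample audit-log entries, reduced to the fields used below.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-03-01T10:15:00Z",
     "protoPayload": {
         "methodName": CREATE_KEY_RING,
         "authenticationInfo": {"principalEmail": "terraform@example-project.iam.gserviceaccount.com"},
         "requestMetadata": {"callerIp": "203.0.113.10"},
         "resourceName": "projects/example-project/locations/us-central1/keyRings/app-keys"}},
    {"timestamp": "2024-03-01T23:42:11Z",
     "protoPayload": {
         "methodName": CREATE_KEY_RING,
         "authenticationInfo": {"principalEmail": "contractor@example.com"},
         "requestMetadata": {"callerIp": "198.51.100.7"},
         "resourceName": "projects/example-project/locations/global/keyRings/tmp-ring"}},
    {"timestamp": "2024-03-01T10:16:00Z",
     "protoPayload": {
         "methodName": "google.cloud.kms.v1.KeyManagementService.CreateCryptoKey",
         "authenticationInfo": {"principalEmail": "terraform@example-project.iam.gserviceaccount.com"},
         "resourceName": "projects/example-project/locations/us-central1/keyRings/app-keys/cryptoKeys/db"}},
]

# Assumption: key rings are normally created only by the IaC service account.
APPROVED_CREATORS = {"terraform@example-project.iam.gserviceaccount.com"}


def key_ring_creations(entries):
    """One record per CreateKeyRing call: when, who, from which IP, and which ring."""
    found = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != CREATE_KEY_RING:
            continue  # skip CreateCryptoKey, IAM changes and other KMS calls
        match = KEY_RING_RE.match(payload.get("resourceName", ""))
        if not match:
            continue  # not a bare key ring resource name
        project, location, ring = match.groups()
        found.append({
            "time": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "project": project, "location": location, "key_ring": ring,
        })
    return found


def unexpected_creations(entries, approved=APPROVED_CREATORS):
    """Creations by principals outside the approved set: the ones to investigate first."""
    return [r for r in key_ring_creations(entries) if r["principal"] not in approved]
```

Each flagged record gives the timestamp, principal and caller IP to pivot on when reviewing the rest of that principal's activity.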
Resolution
If you have identified an unauthorized new cloud KMS key ring, follow these steps to resolve the issue:
- Delete the unauthorized key ring, restore any affected data or resources, and implement additional security controls to prevent similar incidents in the future.
- If sensitive data was exposed or compromised, notify affected parties and follow the required reporting procedures.
- Review your organization's security practices and policies to identify any vulnerabilities that may have contributed to the unauthorized key ring's creation. Consider implementing additional security measures such as two-factor authentication, access monitoring, and regular security audits.
- Ensure your organization complies with applicable regulations and industry standards.