Policy Packs

guardrails-samples

Ensure crypto keys are only accessible to authorized users and services, thereby preventing potential data breaches and maintaining compliance.

Enforce GCP KMS Cryptographic Keys Are Not Publicly Accessible

main

gcp_kms_crypto_key_policy_trusted_access

Check or Enforce access checking on the GCP KMS Crypto Key policy.&#92;n&#92;nGoogle Cloud IAM allows you to control who has access to the&#92;nkms crypto key via an IAM Policy. The Trusted Access policy&#92;nallows you to configure whether Guardrails will evaluate or&#92;nenforce restrictions on which members are allowed to be granted&#92;naccess.&#92;n&#92;nIf enabled, the members in the IAM policy will be evaluated&#92;nagainst the list of allowed members in each of the Trusted&#92;nAccess sub-policies (Trusted Access &gt; Domains,&#92;nTrusted Access &gt; Groups, etc).&#92;n&#92;nIf set to &quot;Enforce: Trusted Access &gt; *&quot;, access to non-trusted&#92;nmembers will be removed.&#92;n

cryptoKeyPolicyTrustedAccess

GCP > KMS > Crypto Key > Policy > Trusted Access

gcp_kms_crypto_key_policy_trusted_access_all_authenticated

Determine whether public access may be granted on GCP KMS Crypto Key policy.&#92;nThis policy is used by the GCP &gt; KMS &gt; Crypto Key &gt; Policy &gt; Trusted Access&#92;ncontrol to determine whether grants to `allAuthenticatedUsers` is allowed.&#92;n

cryptoKeyPolicyTrustedAllAuthenticated

GCP > KMS > Crypto Key > Policy > Trusted Access > All Authenticated

gcp_kms_crypto_key_policy_trusted_access_all_users

Determine whether anonymous access may be granted on GCP KMS Crypto Key policy.&#92;nThis policy is used by the GCP &gt; KMS &gt; Crypto Key &gt; Policy &gt; Trusted Access&#92;ncontrol to determine whether grants to `allUsers` is allowed.&#92;n

cryptoKeyPolicyTrustedAllUsers

GCP > KMS > Crypto Key > Policy > Trusted Access > All Users

Enforce GCP KMS Crypto Keys Are Not Publicly Accessible

turbot_policy_setting.gcp_kms_crypto_key_policy_trusted_access

turbot_policy_setting.gcp_kms_crypto_key_policy_trusted_access_all_authenticated

turbot_policy_setting.gcp_kms_crypto_key_policy_trusted_access_all_users

Policy	Setting	Note
GCP > KMS > Crypto Key > Policy > Trusted Access	Check: Trusted Access > *
GCP > KMS > Crypto Key > Policy > Trusted Access > All Authenticated	Do not allow allAuthenticatedUsers
GCP > KMS > Crypto Key > Policy > Trusted Access > All Users	Do not allow allUsers

Policy Settings