services / Google Cloud / Cloud KMS Crypto Key Versions

A key version contains key material used for encryption or signing.

Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.


Can be used to disable a key version. While a key version is disabled, data encrypted with it cannot be accessed. The secret content of the key cannot be edited or destroyed via this method.



This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.


  • https:​/​/​cloud.​google.​com/​kms/​docs/​resource-​hierarchy
  • https:​/​/​cloud.​google.​com/​kms/​docs/​iam
  • https:​/​/​cloud.​google.​com/​kms/​docs/​reference/​rest
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog