catalog logoThe IAM Privilege Catalog

services / Google Cloud / Cloud KMS Crypto Keys

A key contains one or more versions along with metadata. The actual contents of the key are stored in the version.

Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.

cloudkms.​cryptoKeys.​update

Can be used to change key rotation settings, impairing defense.

Risks

  1. Defense destruction (EVASION)
  2. Metadata destruction (MEDIUM)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​cloud.​google.​com/​kms/​docs/​resource-​hierarchy
  • https:​/​/​cloud.​google.​com/​kms/​docs/​iam
  • https:​/​/​cloud.​google.​com/​kms/​docs/​reference/​rest

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog