catalog logoThe IAM Privilege Catalog

services / Google Cloud / Cloud KMS Crypto Key Versions

A key version contains key material used for encryption or signing.

Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.

cloudkms.​cryptoKeyVersions.​get

This includes infra discovery because key metadata such as the algorithm are exposed. Does not give access to keys.

Risks

  1. Infrastructure discovery (LOW)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​cloud.​google.​com/​kms/​docs/​resource-​hierarchy
  • https:​/​/​cloud.​google.​com/​kms/​docs/​iam
  • https:​/​/​cloud.​google.​com/​kms/​docs/​reference/​rest

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog