services / Google Cloud / Cloud KMS Crypto Key Versions

A key version contains key material used for encryption or signing.

Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.


cloudkms.cryptoKeyVersions.update

Can be used to disable a key version. While a key version is disabled, data encrypted with it cannot be accessed. The secret content of the key cannot be edited or destroyed via this method.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://cloud.google.com/kms/docs/resource-hierarchy
  • https://cloud.google.com/kms/docs/iam
  • https://cloud.google.com/kms/docs/reference/rest
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog