catalog logoThe IAM Privilege Catalog

services / Google Cloud / Cloud KMS Crypto Key Versions

A key version contains key material used for encryption or signing.

Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.

cloudkms.​cryptoKeyVersions.​useToDecryptViaDelegation

Can be used to decrypt data encrypted with the key version through other Google Services.

Risks

  1. Data exfiltration (CRITICAL)
  2. Spend (MEDIUM)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​cloud.​google.​com/​kms/​docs/​resource-​hierarchy
  • https:​/​/​cloud.​google.​com/​kms/​docs/​iam
  • https:​/​/​cloud.​google.​com/​kms/​docs/​reference/​rest

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog