Cloud KMS EKM Configs (Google Cloud)
A Cloud KMS EKM config applies to all keys with a protection level of EXTERNAL_VPC in a given project and location. These keys are managed by and stored in an external key management system, and Cloud KMS accesses them over a VPC.
cloudkms.ekmConfigs.update
Allows changing or removing the default EKM connection for this project and location. This may make keys inaccessible, causing a denial of service (DoS).
Risks
Scope: MEDIUM
This privilege may grant access to confidential data, or its exploitation can incur operational cost.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog