Hi @NetaHa!
Yes, this is by design.
The check kms_key_not_publicly_accessible exists for both AWS and GCP in Prowler, but each implementation is specific to its respective cloud provider:
For AWS, the check evaluates AWS KMS key policies to ensure that no keys are publicly accessible (for example, by having a policy that allows "Principal": "*" without proper conditions).

For GCP, the check looks at Cloud KMS CryptoKey IAM policies to ensure that no keys are accessible to allUsers or allAuthenticatedUsers, which would make them public.

While both checks share the same ID and a similar security goal (ensuring KMS keys are not publicly accessible), they are implemented separately for each p…
Answer selected by NetaHa
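As an added illustration, not Prowler's own implementation of `kms_key_not_publicly_accessible`, the two conditions the answer describes written as standalone Python checks: one over an AWS KMS key policy document, one over a GCP Cloud KMS CryptoKey IAM policy. The sample policies, account id, org id and project name are constructed placeholders, and treating any `Condition` block as scoping the grant is a simplifying assumption.

```python
import json

# Members that make a Cloud KMS IAM binding public, as the answer above notes.
PUBLIC_GCP_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in (v if isinstance(v, list) else [v])]
    return []


def aws_kms_key_policy_is_public(policy):
    """True if an Allow statement grants "*" (or {"AWS": "*"}) with no Condition.
    Assumption: any Condition block is taken as scoping the grant."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and "*" in _principals(stmt.get("Principal"))):
            return True
    return False


def gcp_kms_crypto_key_policy_is_public(iam_policy):
    """True if any CryptoKey IAM binding lists allUsers or allAuthenticatedUsers."""
    return any(PUBLIC_GCP_MEMBERS & set(b.get("members", []))
               for b in iam_policy.get("bindings", []))


# Constructed sample policies (account id, org id and project are placeholders).
AWS_PUBLIC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"}]}
AWS_CONDITIONED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}}]}
AWS_ACCOUNT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}
GCP_PUBLIC = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": ["allUsers"]}]}
GCP_PRIVATE = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}]}
```

Only `AWS_PUBLIC` and `GCP_PUBLIC` are flagged; the conditioned and account-scoped AWS policies and the service-account-only GCP binding pass.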