Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud Key Management Service, this could be an action such as using a key to access and decrypt data which that user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
For further guidance, see our documentation on using Identity and Access Management securely.
Setting up Cloud KMS in a separate project
Cloud KMS could be run in an existing project. This might be sensible if the data being encrypted with keys in Cloud KMS is stored in the same project.
However, any user with owner access on that project is then also able to manage (and perform cryptographic operations with) keys in Cloud KMS in that project. This is because the keys themselves are owned by the project, of which the user is an owner.
Instead, to allow for a separation of duties, you could run Cloud KMS in its own project, for example your-key-project. Then, depending on the strictness of your separation requirements, you could either:
- (recommended) Create your-key-project without an owner at the project level, and designate an Organization Admin granted at the organization level. Unlike an owner, an Organization Admin can't manage or use keys directly. They are restricted to setting IAM policies, which restrict who can manage and use keys. Using an organization-level node, you can further restrict permissions for projects in your organization.
- (not recommended) If you must continue to use the owner role, ensure that it is granted to a different principal in your-key-project than the principal who is the owner of the project where the data is stored. An owner can still use keys, but only in a single project.
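The following is an added example, not Google's code, that checks the two conditions above against IAM policies in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`: it flags any project-level owner of the key project, and any principal who is an owner of the data project and can also manage or use keys in the key project. The role list, the policies and the principals are constructed for illustration.

```python
import json

# Roles that let a principal manage keys or perform cryptographic operations.
# Illustrative list (assumption): roles/owner is the basic role discussed above;
# the others are predefined Cloud KMS roles. Extend it to match your own policy.
KEY_POWER_ROLES = {
    "roles/owner",
    "roles/cloudkms.admin",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
}


def load_policy(path):
    """Load a policy saved from `gcloud projects get-iam-policy --format=json`."""
    with open(path) as f:
        return json.load(f)


def members_with_role(policy, role):
    """All principals bound to `role`; conditional bindings are treated as granting."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def audit(key_policy, data_policy):
    """Return human-readable separation-of-duties findings (empty list = clean)."""
    findings = []
    # Recommended option: no owner at the project level of the key project.
    for m in sorted(members_with_role(key_policy, "roles/owner")):
        findings.append(f"{m} is roles/owner on the key project")
    # Either option: whoever owns the data project must not be able to
    # manage or use the keys that protect that data.
    data_owners = members_with_role(data_policy, "roles/owner")
    for role in sorted(KEY_POWER_ROLES):
        for m in sorted(members_with_role(key_policy, role) & data_owners):
            findings.append(f"{m} is roles/owner on the data project "
                            f"and {role} on the key project")
    return findings


# Constructed sample policies (not real projects or people).
KEY_PROJECT_POLICY = {"bindings": [
    {"role": "roles/cloudkms.admin", "members": ["group:kms-admins@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:app@your-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/owner", "members": ["user:bob@example.com"]},
]}
DATA_PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]}

if __name__ == "__main__":
    for line in audit(KEY_PROJECT_POLICY, DATA_PROJECT_POLICY):
        print("FINDING:", line)
```

Run it against saved policies with `audit(load_policy("key.json"), load_policy("data.json"))`; an empty result means the key project has no project-level owner and no data-project owner can touch its keys.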