Clean up access

After we complete copying your data from all appliances, we recommend that you remove the access previously granted to our service accounts. This applies the practice of least privilege to your data and helps ensure your data's security.

This section describes:

  • Revoking our service accounts from accessing your Cloud Storage buckets.
  • Revoking our service accounts from accessing your Cloud KMS roles.
  • Destroying the Cloud KMS key used to encrypt your data on Transfer Appliance.

Wait until we copy all of your data to Cloud Storage before completing the steps below.

Once the Cloud KMS key is destroyed, any encrypted data on Transfer Appliance cannot be recovered. Similarly, once you revoke the service accounts from Cloud Storage buckets and the Cloud KMS key, no further data can be copied from the appliance to your Cloud Storage buckets.

Revoking Cloud KMS key access for the service account

Revoking Cloud KMS key access for the Transfer Appliance service account ensures that we can no longer decrypt Transfer Appliance data on your behalf.

To revoke the Cloud KMS CryptoKey Decrypter and Cloud KMS CryptoKey Public Key Viewer roles from the service account, follow these steps:

Google Cloud Console

  1. Go to the Cryptographic Keys page in the Google Cloud console.

  2. Click the name of the key ring that contains the key used in Prepare the Cloud KMS key.

  3. Select the checkbox for the key whose access you are revoking from the service account.

  4. Click Show Info Panel.

    The information panel is displayed.

  5. To revoke the Cloud KMS CryptoKey Decrypter role from the service account, do the following:

    1. In the Permissions tab, expand Cloud KMS CryptoKey Decrypter.

    2. Locate the service account. It looks like the following example:

      service-PROJECT_ID@gcp-sa-transferappliance.iam.gserviceaccount.com

      In this example, PROJECT_ID is the Google Cloud project ID that your key is under.

    3. Click Delete.

    4. In the delete window, select the service account and click Remove.

  6. To revoke the Cloud KMS CryptoKey Public Key Viewer role from the service account, do the following:

    1. In the Permissions tab, expand the Cloud KMS CryptoKey Public Key Viewer role.

    2. Locate the session service account. It looks like the following example:

      service-PROJECT_ID@gcp-sa-transferappliance.iam.gserviceaccount.com

      In this example, PROJECT_ID is the Google Cloud project ID that your key is under.

    3. Click Delete.

    4. In the delete window, select the checkbox next to the service account and click Remove.

Command line

  1. Run the following command to revoke the roles/cloudkms.cryptoKeyDecrypter role from the session service account:

    gcloud kms keys remove-iam-policy-binding KEY \
      --keyring KEY_RING \
      --location LOCATION \
      --member=serviceAccount:service-PROJECT_ID@gcp-sa-transferappliance.iam.gserviceaccount.com \
      --role roles/cloudkms.cryptoKeyDecrypter
    

    In this example:

    • KEY: The name of the Cloud Key Management Service key. For example, ta-key.
    • KEY_RING: The key ring's name.
    • LOCATION: The Cloud Key Management Service location for the key ring. For example, global.
    • PROJECT_ID: The Google Cloud project ID that your key is under.
  2. Run the following command to revoke the roles/cloudkms.publicKeyViewer role from the session service account:

    gcloud kms keys remove-iam-policy-binding KEY \
      --keyring KEY_RING \
      --location LOCATION \
      --member=serviceAccount:service-PROJECT_ID@gcp-sa-transferappliance.iam.gserviceaccount.com \
      --role roles/cloudkms.publicKeyViewer
    

    In this example:

    • KEY: The name of the Cloud Key Management Service key. For example, ta-key.
    • KEY_RING: The key ring's name.
    • LOCATION: The Cloud Key Management Service location for the key ring. For example, global.
    • PROJECT_ID: The Google Cloud project ID that your key is under.

Revoking Cloud Storage bucket access for the service accounts

Revoking Cloud Storage bucket access for the Transfer Appliance service accounts ensures that we can no longer use Cloud Storage resources on your behalf.

To revoke Cloud Storage bucket access for the Transfer Appliance service accounts, do the following:

Google Cloud Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

  2. Locate the Cloud Storage bucket that your data was copied to and select the checkbox next to the bucket name.

  3. Click Show Info Panel.

    The information panel is displayed.

  4. In the Permissions tab, expand the Storage Admin role.

  5. Locate the associated service accounts. There are between 2 and 4 accounts, depending on your configuration. Service accounts are described in Service account quick reference.

    For each service account:

    1. Click Delete.

    2. To confirm deletion, select the checkbox next to the service account and click Remove.

Command line

Use the gsutil iam ch command:

gsutil iam ch -d \
serviceAccount:SESSION_ID@transfer-appliance-zimbru.iam.gserviceaccount.com:roles/storage.admin \
serviceAccount:project-IDENTIFIER@storage-transfer-service.gserviceaccount.com \
gs://BUCKET_NAME

You may have additional service accounts, depending on your configuration. Refer to the Service account quick reference for details.

In this example:

  • SESSION_ID: The session ID for this particular transfer.
  • IDENTIFIER: A generated number specific to this particular project.
  • BUCKET_NAME: The name of your Cloud Storage bucket.

Destroying the Cloud KMS key

Destroying the Cloud KMS key ensures that any data previously encrypted by the key can no longer be decrypted by anyone.

For more information about destroying keys, see Destroying and restoring key versions.

To destroy the Cloud KMS key, do the following:

Google Cloud Console

  1. Go to the Cryptographic Keys page in the Google Cloud console.

  2. Click the name of the key ring used to Prepare the Cloud KMS key.

  3. Locate the row that contains the key you are destroying.

  4. Select More > Destroy.

    A confirmation dialog is displayed.

  5. In the confirmation dialog, click Schedule destruction.

Command line

Use the gcloud kms keys versions destroy command:

gcloud kms keys versions destroy VERSION_NUMBER \
--keyring=KEY_RING \
--key=KEY --location=LOCATION \
--project=PROJECT_ID

In this example:

  • VERSION_NUMBER: The key's version number.
  • KEY_RING: The name of your key ring.
  • KEY: The name of your asymmetric key.
  • LOCATION: The Google Cloud location of the key ring.
  • PROJECT_ID: The Google Cloud project ID that your key is under.
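The following verification script is an added example, not part of this page or of Google's Transfer Appliance tooling. It covers the outcome of all three procedures above: it reads the IAM policy of the Cloud KMS key and of the destination bucket, reports any binding that still references a Transfer Appliance or Storage Transfer service account, and checks the state of the key version after you schedule its destruction. The live_check function assumes gcloud and gsutil are installed and authenticated and uses the page's own placeholders (KEY, KEY_RING, LOCATION, BUCKET_NAME, VERSION_NUMBER) as environment variables; the two sample policies are constructed so that the checks can be exercised offline.

```shell
#!/bin/sh
# Post-cleanup verification for Transfer Appliance access (added example; not
# Google's code). Confirms the three outcomes this page aims for:
#   1. no Transfer Appliance service account is still bound on the KMS key,
#   2. none is still bound on the destination bucket,
#   3. the key version is retired (destruction scheduled or completed).
# live_check needs gcloud and gsutil; the sample policies below are constructed
# so the checks can run offline.

# Extended regex matching the service-account domains this page grants and revokes.
TA_RE='gcp-sa-transferappliance\.iam\.gserviceaccount\.com|transfer-appliance-zimbru\.iam\.gserviceaccount\.com|storage-transfer-service\.gserviceaccount\.com'

# count_ta_members: read an IAM policy (JSON, one member per line as gcloud and
# gsutil print it) on stdin and print how many member lines still reference a
# Transfer Appliance related service account.
count_ta_members() {
  grep -c -E "$TA_RE" || true   # grep exits 1 on zero matches; "0" is still printed
}

# check_policy LABEL: read a policy on stdin; return 0 if clean, 1 if bindings remain.
check_policy() {
  label=$1
  policy=$(cat)
  remaining=$(printf '%s\n' "$policy" | count_ta_members)
  if [ "$remaining" -eq 0 ]; then
    echo "OK: $label has no Transfer Appliance service-account bindings"
    return 0
  fi
  echo "WARN: $label still has $remaining Transfer Appliance binding(s):"
  printf '%s\n' "$policy" | grep -E "$TA_RE"
  return 1
}

# version_retired STATE: return 0 when a Cloud KMS key-version state means the
# version can no longer decrypt. DESTROY_SCHEDULED can still be restored during
# the scheduling window; DESTROYED cannot.
version_retired() {
  case "$1" in
    DESTROY_SCHEDULED|DESTROYED) return 0 ;;
    *) return 1 ;;
  esac
}

# live_check: run the checks against real resources. KEY, KEY_RING, LOCATION,
# BUCKET_NAME and VERSION_NUMBER are the placeholders used on this page; export
# them before calling. Not invoked by default.
live_check() {
  gcloud kms keys get-iam-policy "$KEY" --keyring "$KEY_RING" --location "$LOCATION" \
    --format=json | check_policy "KMS key $KEY"
  gsutil iam get "gs://$BUCKET_NAME" | check_policy "bucket $BUCKET_NAME"
  state=$(gcloud kms keys versions describe "$VERSION_NUMBER" --key "$KEY" \
    --keyring "$KEY_RING" --location "$LOCATION" --format='value(state)')
  if version_retired "$state"; then
    echo "OK: key version $VERSION_NUMBER is $state"
  else
    echo "WARN: key version $VERSION_NUMBER is $state; decryption is still possible"
  fi
}

# Constructed sample: the Decrypter binding was removed but the Public Key Viewer
# binding was forgotten, which is the kind of partial cleanup the check flags.
SAMPLE_KMS_POLICY='{
  "bindings": [
    {
      "members": [
        "serviceAccount:service-123456789012@gcp-sa-transferappliance.iam.gserviceaccount.com"
      ],
      "role": "roles/cloudkms.publicKeyViewer"
    },
    {
      "members": [ "user:kms-admin@example.com" ],
      "role": "roles/cloudkms.admin"
    }
  ],
  "etag": "CONSTRUCTED-ETAG",
  "version": 1
}'

# Constructed sample: a bucket policy with every transfer account already removed.
SAMPLE_BUCKET_POLICY='{
  "bindings": [
    { "members": [ "projectOwner:example-project" ], "role": "roles/storage.legacyBucketOwner" }
  ],
  "etag": "CONSTRUCTED-ETAG"
}'

# Exercise the checks on the samples (the first one intentionally reports WARN).
printf '%s\n' "$SAMPLE_KMS_POLICY" | check_policy "sample KMS key policy" || :
printf '%s\n' "$SAMPLE_BUCKET_POLICY" | check_policy "sample bucket policy"
```

Run live_check after both revocation procedures and the destroy command. Reading the policies back, rather than trusting that each remove-iam-policy-binding call succeeded, is what catches a partial cleanup such as the forgotten publicKeyViewer binding in the first sample; the version check is the reminder that a DESTROY_SCHEDULED version is still restorable until the scheduled destruction completes.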