This article provides instructions for using the Google EKM Justification attribute in the Machina console.
Overview
Key Access Justification returns a reason each time an externally hosted key is used to decrypt data. That reason is referred to as the Google EKM Justification attribute. When a key is accessed, the justification attribute is sent from Google Cloud KMS through the Google EKM interface to Ionic's Google EKM integration and then on to Ionic Machina. Ionic Machina processes the justification attribute if it is present. When you write Machina data access policies, access to keys is determined by the policy together with the value (or absence) of the justification attribute.
Prerequisites
To use Google EKM Key Access Justification, request permission here.
Once you are invited to participate in the Google EKM Key Access Justification program, you can access additional information at https://cloud.google.com/kms/docs/ekm-access-justification.
EKM Justification Attribute Values
The Google EKM Justification attribute arrives in Ionic Machina as a Name/Value pair in the request metadata, also known as the environment attributes.
- The attribute Name is access-reason.ekm.cloud.google.com.
- The attribute Value can be any of the reasons listed in the following table.
Value/Reason | Description
--- | ---
CUSTOMER_INITIATED_ACCESS | Customer used the account to perform any access to their own data which is authorized by their own IAM policy.
MODIFIED_CUSTOMER_INITIATED_ | Customer used the account to perform any access to their own data which is authorized by their own IAM policy; however, a Google administrator has recently reset the superuser account associated with the user's Organization.
GOOGLE_INITIATED_SYSTEM_OPERATION | Google accessed customer data to help optimize the structure of the data or its quality for future uses by the customer. This includes access for the purposes of indexing, structuring, precomputation, hashing, sharding and caching. It also includes backing up data for disaster recovery or data integrity reasons, and detecting errors that can be remedied from that backup data. Note that where the customer has delegated a managed control plane operation to Google, such as the creation of a managed instance group, all managed operations will show as system operations. Services such as the managed instance group manager that trigger downstream decryption operations do not have access to clear-text customer data.
REASON_NOT_EXPECTED | No reason is expected for this key request because the service in question has never integrated with Key Access Justifications, or is still in Preview and therefore may still have residual methods that call the external key manager without providing a justification.
CUSTOMER_INITIATED_SUPPORT | Customer-initiated support, for example, "Case Number: ####".
GOOGLE_INITIATED_SERVICE | Google-initiated access, for example, to perform system management and troubleshooting, which includes:
THIRD_PARTY_DATA_REQUEST | Google-initiated access in response to a legal request or legal process, including when responding to legal process from the customer that requires Google to access the customer's own data.
GOOGLE_INITIATED_REVIEW | Google-initiated access for security, fraud, abuse, or compliance purposes, including:
REASON_UNSPECIFIED | Key Access Justifications are enabled but no justification is available for the request. This may be due to a transient error, a bug, or some other circumstance.
Viewing the EKM Justification Attribute
To view the attribute, go to Machina Console -> Analytics -> Activity. In the Log, select the corresponding instance, then go to the Environment Attributes section at the bottom of the page. A key request that arrived through Google EKM carries the access-reason.ekm.cloud.google.com pair there; a request that did not will have no such pair.
Using EKM Justification Attribute with Ionic Machina Data Access Policies
Ionic Machina data access policies determine whether a key request should be allowed or denied based on the request context, which includes the attributes on the key being requested, the metadata associated with the request (including the environment attributes), the entity making the request, and other factors.
Writing a data policy for Google EKM justification
To write a data policy for Google EKM justification:
- In the Machina Console, click on Data Policies.
- Click Create Data Policy, enter a name for the policy, and click Create.
- Click Enable Policy to activate the policy.
- Click Create Rule.
- Click Deny, then Advanced. Follow the next steps carefully.
- Click in the Attribute field on the left, type "environment:access-reason.ekm.cloud.google.com" (the environment: prefix followed by the attribute Name), and press Enter.
- In the Attribute field, select "specific values" in the dropdown.
- A new field will appear to the right. In that field, type the justification value(s) you want the rule to deny. For example, type "CUSTOMER_INITIATED_SUPPORT" and press Enter. You can enter as many justification values as you like in this field; the rule matches when the attribute equals any of them.
- After you have entered the values you want, click Create.
After the policy has been created, you can go back to the policy rule and add and remove justification values as desired.
Creating an Allow All policy
For demos, it is easiest to create a data policy named "Allow All" that allows every key request not explicitly denied by another policy. Keep in mind that a deny rule only takes effect for requests that carry the attribute with one of the listed values; a request with no justification attribute at all is not caught by a "specific values" deny rule and will be allowed by Allow All.
To create an Allow All policy:
- Click on Data Policies on the Machina Console.
- Click Create Data Policy, enter a name for the policy (“Allow All”), and click Create.
- Click Enable Policy to activate the policy.
- Click Create Rule, then click Create without making any changes.
More on Machina Data Access Policies
Machina data access policies are rule-based and can be combined in many ways to fit almost any use case.
With an Allow All policy in place, as in the scenario above, you can set up the justification policy in either of the following ways:
- Deny access if the justification attribute has a specific value (as detailed above).
- Deny access if the justification attribute does not have a specific value.
You can also set up a policy without an Allow All policy enabled:
- Allow access if the justification attribute has a specific value.
- Allow access if the justification attribute does not have a specific value.
In the second pair, any request not matched by an allow rule is denied, so decide deliberately whether a request that carries no justification attribute should be allowed or denied before choosing between "specific values" and "not specific values".
Ionic Machina can also make decisions about many other factors such as the person or system making the request and attributes defined on the key when it was created.
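To make the four policy shapes above concrete, here is an added, self-contained model of how such rules resolve a key request. It is illustrative code written for this article, not Ionic Machina's policy engine or any Ionic code, and its semantics are assumptions: a matching Deny rule overrides every Allow rule, a request that no rule allows is denied, and a request that lacks the justification attribute fails a "specific values" condition but satisfies a "not specific values" condition. The rule names, the sample requests and the list of "non-customer" reasons are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Attribute name exactly as typed into the console rule editor:
# the "environment:" prefix plus the Name of the request-metadata pair.
JUSTIFICATION_ATTR = "environment:access-reason.ekm.cloud.google.com"

# Constructed example set: justification values a customer may want to block
# because the access is not driven by the customer's own workload.
NON_CUSTOMER_REASONS = frozenset({
    "CUSTOMER_INITIATED_SUPPORT",
    "GOOGLE_INITIATED_SERVICE",
    "THIRD_PARTY_DATA_REQUEST",
    "GOOGLE_INITIATED_REVIEW",
    "REASON_UNSPECIFIED",
})


@dataclass(frozen=True)
class Rule:
    effect: str                         # "allow" or "deny"
    attribute: Optional[str] = None     # None: unconditional rule (the "Allow All" rule)
    operator: str = "specific values"   # or "not specific values"
    values: frozenset = frozenset()

    def matches(self, request: dict) -> bool:
        """Does this rule apply to the request's environment attributes?"""
        if self.attribute is None:
            return True
        if self.attribute not in request:
            # Assumption: an absent attribute never equals a specific value, so it
            # fails "specific values" and satisfies "not specific values".
            return self.operator == "not specific values"
        in_set = request[self.attribute] in self.values
        if self.operator == "specific values":
            return in_set
        if self.operator == "not specific values":
            return not in_set
        raise ValueError(f"unknown operator {self.operator!r}")


def evaluate(rules: list, request: dict) -> str:
    """Resolve a key request to 'allow' or 'deny'.

    Assumed semantics: any matching deny rule wins over every allow rule, and a
    request that no rule allows is denied.
    """
    if any(r.effect == "deny" and r.matches(request) for r in rules):
        return "deny"
    if any(r.effect == "allow" and r.matches(request) for r in rules):
        return "allow"
    return "deny"


ALLOW_ALL = Rule(effect="allow")
CUSTOMER_ONLY = frozenset({"CUSTOMER_INITIATED_ACCESS"})

# The four policy shapes described in the text.
POLICY_SETS = {
    # Allow All + deny when the justification is one of the listed values
    "deny_listed": [ALLOW_ALL, Rule("deny", JUSTIFICATION_ATTR, "specific values", NON_CUSTOMER_REASONS)],
    # Allow All + deny unless the justification is CUSTOMER_INITIATED_ACCESS
    "deny_unlisted": [ALLOW_ALL, Rule("deny", JUSTIFICATION_ATTR, "not specific values", CUSTOMER_ONLY)],
    # No Allow All: allow only CUSTOMER_INITIATED_ACCESS
    "allow_listed": [Rule("allow", JUSTIFICATION_ATTR, "specific values", CUSTOMER_ONLY)],
    # No Allow All: allow anything except the listed values
    "allow_unlisted": [Rule("allow", JUSTIFICATION_ATTR, "not specific values", NON_CUSTOMER_REASONS)],
}

# Constructed sample requests: the environment attributes a key request might carry.
REQUESTS = {
    "customer": {JUSTIFICATION_ATTR: "CUSTOMER_INITIATED_ACCESS"},
    "support": {JUSTIFICATION_ATTR: "CUSTOMER_INITIATED_SUPPORT"},
    "legal": {JUSTIFICATION_ATTR: "THIRD_PARTY_DATA_REQUEST"},
    "no_attribute": {},  # e.g. a key request that did not arrive via Google EKM
}


def decision_matrix() -> dict:
    """Decision for every (policy set, sample request) pair."""
    return {
        policy: {name: evaluate(rules, req) for name, req in REQUESTS.items()}
        for policy, rules in POLICY_SETS.items()
    }


if __name__ == "__main__":
    for policy, row in decision_matrix().items():
        print(f"{policy:15s} " + "  ".join(f"{k}={v}" for k, v in row.items()))
```

The matrix makes the difference between the two "deny" shapes visible: with "Deny if specific values", a request carrying no justification attribute falls through to Allow All, whereas "Deny if not specific values" denies it. If you want the absence of a justification to be treated as suspicious, the second shape (or the "Allow if specific values" shape without Allow All) is the one to use.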