Ensure API Keys Are Restricted To Necessary APIs

​

More Info:

Security risks involved in using API-Keys are below: • API keys are simple encrypted strings • API keys do not identify the user or the application making the API request • API keys are typically accessible to clients, making it easy to discover and steal an API key In light of these potential risks, Google recommends using the standard authentication flow instead of API-Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn’t otherwise need a backend server, API keys are the simplest way to authenticate to that API. In order to reduce attack surfaces by providing least privileges, API-Keys can be restricted to use (call) only APIs required by an application.

​

Risk Level

Medium

​

Address

Security, Reliability

​

Compliance Standards

CISGCP, CBP

​

Remediation

​

Using Console

To remediate the misconfiguration “Ensure API Keys Are Restricted To Necessary APIs” for GCP using GCP console, please follow the below steps:

1. Login to GCP console (https://console.cloud.google.com/).
2. Select the project for which you want to remediate the misconfiguration.
3. In the left-hand menu, click on “APIs & Services” and then click on “Credentials”.
4. Select the API key that you want to restrict.
5. Under “Key restriction”, select “HTTP referrers (web sites)“.
6. In the “Website restrictions” section, add the domain name(s) of the websites that are allowed to use this API key.
7. In the “API restrictions” section, select the APIs that are allowed to use this API key.
8. Click on “Save” to apply the changes.

By following these steps, the API key will be restricted to only the necessary APIs and the risk of unauthorized access will be reduced.

​

Using CLI

To remediate the misconfiguration of ensuring API keys are restricted to necessary APIs in GCP using GCP CLI, follow the below steps:

1. First, identify the API keys that are not restricted to necessary APIs. You can use the following command to list all the API keys in your project:

gcloud beta services api-keys list

2. Once you have identified the API keys that are not restricted to necessary APIs, you can use the following command to update the API key and restrict it to specific APIs:

gcloud beta services api-keys update [API_KEY_NAME] --restrict-referer=[REFERER_URL] --allowed-apis=[API_LIST]

Replace the [API_KEY_NAME] with the name of the API key that you want to update, [REFERER_URL] with the URL of the referring website, and [API_LIST] with the list of APIs that you want to allow for this API key.

3. If you want to restrict the API key to a specific IP address, use the following command:

gcloud beta services api-keys update [API_KEY_NAME] --restrict-ip=[IP_ADDRESS] --allowed-apis=[API_LIST]

Replace [IP_ADDRESS] with the IP address that you want to allow for this API key.

4. Finally, verify that the API key is now restricted to the necessary APIs by using the following command:

gcloud beta services api-keys describe [API_KEY_NAME]

This command will display the details of the API key, including the allowed APIs and the restricted referer or IP address.

By following the above steps, you can remediate the misconfiguration of ensuring API keys are restricted to necessary APIs in GCP using GCP CLI.

​

Using Python

To remediate the misconfiguration “Ensure API Keys Are Restricted To Necessary APIs” for GCP using Python, follow these steps:

1. Identify the API keys that are not restricted to necessary APIs. You can do this by using the following command in the GCP Cloud Shell:

   gcloud beta iam service-accounts keys list --iam-account [SA-NAME] --filter="keyRestrictions.type:unspecified"
   

   Replace [SA-NAME] with the name of the service account that you want to check.

2. Create a new API key with restricted access. You can do this by using the following Python code:

   from google.oauth2 import service_account
   from googleapiclient.discovery import build
   
   SCOPES = ['https://www.googleapis.com/auth/cloud-platform']
   SERVICE_ACCOUNT_FILE = '[PATH TO YOUR SERVICE ACCOUNT JSON FILE]'
   
   credentials = service_account.Credentials.from_service_account_file(
       SERVICE_ACCOUNT_FILE, scopes=SCOPES)
   
   service = build('iamcredentials', 'v1', credentials=credentials)
   
   response = service.projects().serviceAccounts().keys().create(
       name='projects/-/serviceAccounts/[SA-NAME]',
       body={
           'keyAlgorithm': 'KEY_ALG_RSA_2048',
           'keyRestrictions': {
               'allowedRegions': ['us-central1'],
               'allowedServices': ['storage.googleapis.com']
           }
       }
   ).execute()
   
   print(response)
   

   Replace [PATH TO YOUR SERVICE ACCOUNT JSON FILE] with the path to your service account JSON file, and [SA-NAME] with the name of the service account that you want to create the API key for.

   This code creates an API key with restricted access to the Storage API in the us-central1 region.

3. Delete the old API key. You can do this by using the following command in the GCP Cloud Shell:

   gcloud beta iam service-accounts keys delete [KEY-ID] --iam-account [SA-NAME]
   

   Replace [KEY-ID] with the ID of the old API key that you want to delete, and [SA-NAME] with the name of the service account that the API key belongs to.

4. Verify that the new API key has restricted access. You can do this by using the following command in the GCP Cloud Shell:

   gcloud beta iam service-accounts keys list --iam-account [SA-NAME] --filter="keyRestrictions.type:asymmetric_public"
   

   Replace [SA-NAME] with the name of the service account that you created the new API key for. This command should return the new API key that you just created with restricted access.

By following these steps, you can remediate the misconfiguration “Ensure API Keys Are Restricted To Necessary APIs” for GCP using Python.

​

Additional Reading:

• https://cloud.google.com/docs/authentication/api-keys