Ensure API Keys Are Rotated Periodically
More Info:
Security risks involved in using API-Keys are listed below: • API keys are simple encrypted strings • API keys do not identify the user or the application making the API request • API keys are typically accessible to clients, making it easy to discover and steal an API key Because of these potential risks, Google recommends using the standard authentication flow instead of API Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn’t otherwise need a backend server, API keys are the simplest way to authenticate to that API. Once a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key. Rotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. API keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Risk Level
Medium
Address
Security, Reliability
Compliance Standards
CISGCP, CBP
Remediation
Using Console
To remediate the misconfiguration “Ensure API Keys Are Rotated Periodically” in GCP using GCP console, follow the below steps:
- Open the GCP console and navigate to the IAM & Admin page.
- Click on the “Service accounts” tab.
- Select the service account for which you want to rotate the API keys.
- Click on the “Edit” button for that service account.
- Scroll down to the “Keys” section and click on “Add Key” button.
- Select the type of key you want to add. You can choose between JSON and P12 formats.
- Click on the “Create” button to generate a new API key.
- Once the new key is generated, download it and store it in a secure location.
- Delete the old API key that needs to be rotated.
- Repeat the above steps periodically to rotate the API keys at regular intervals.
By following the above steps, you can ensure that API keys are rotated periodically for the selected service account in GCP.
Using CLI
To remediate the misconfiguration “Ensure API Keys Are Rotated Periodically” for GCP using GCP CLI, follow the below steps:
-
Open the Cloud Shell in the GCP console.
-
Run the following command to list all the service accounts in the project:
gcloud iam service-accounts list -
Select the service account for which you want to rotate the API keys.
-
Run the following command to list all the keys for the selected service account:
gcloud iam service-accounts keys list --iam-account [SERVICE_ACCOUNT_EMAIL]Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account.
-
Identify the key that needs to be rotated and note down its ID.
-
Run the following command to delete the key:
gcloud iam service-accounts keys delete [KEY_ID] --iam-account [SERVICE_ACCOUNT_EMAIL]Replace [KEY_ID] with the ID of the key to be deleted and [SERVICE_ACCOUNT_EMAIL] with the email address of the service account.
-
Run the following command to create a new key:
gcloud iam service-accounts keys create [OUTPUT_FILE] --iam-account [SERVICE_ACCOUNT_EMAIL]Replace [OUTPUT_FILE] with the name of the file to which the new key will be written and [SERVICE_ACCOUNT_EMAIL] with the email address of the service account.
-
Set a reminder to periodically rotate the API keys for all the service accounts in the project.
By following these steps, you can remediate the misconfiguration “Ensure API Keys Are Rotated Periodically” for GCP using GCP CLI.
Using Python
To remediate the misconfiguration “Ensure API Keys Are Rotated Periodically” for GCP using Python, you can follow the below steps:
- First, we need to list all the API keys that are present in the GCP project. This can be done using the
google-authandgoogle-api-python-clientPython libraries.
from google.oauth2 import service_account
from googleapiclient.discovery import build
# Set the credentials
creds = service_account.Credentials.from_service_account_file('<path_to_service_account_key_file>')
# Build the GCP service object
service = build('cloudkms', 'v1', credentials=creds)
# List all the API keys in the project
keys = service.projects().locations().keyRings().cryptoKeys().list(parent='projects/<project_id>/locations/global/keyRings/<key_ring_name>').execute()
- Once we have the list of API keys, we can check the creation time of each key using the
keyVersionAPI.
# Loop through each key and check its creation time
for key in keys['cryptoKeys']:
key_versions = service.projects().locations().keyRings().cryptoKeys().cryptoKeyVersions().list(parent=key['name']).execute()
for key_version in key_versions['cryptoKeyVersions']:
create_time = key_version['createTime']
# Check if the key is older than the rotation period (e.g. 90 days)
# If it is, then rotate the key
- If the key is older than the rotation period (e.g. 90 days), we can rotate the key by creating a new key version and setting it as the primary version.
# Create a new key version
new_version = service.projects().locations().keyRings().cryptoKeys().cryptoKeyVersions().create(parent=key['name'], body={}).execute()
# Set the new version as the primary version
service.projects().locations().keyRings().cryptoKeys().updatePrimaryVersion(name=key['name'], body={'cryptoKeyVersionId': new_version['name'].split('/')[-1]}).execute()
- Finally, we can log the details of the key rotation for auditing purposes.
# Log the key rotation details
logging.info(f"Rotated API key {key['name']} with new version {new_version['name']} created at {new_version['createTime']}")
Note: You will need to replace <path_to_service_account_key_file> with the path to your GCP service account key file, <project_id> with your GCP project ID, and <key_ring_name> with the name of the key ring that contains the API keys. You will also need to adjust the rotation period as per your organization’s policies.
Additional Reading:
- [There is no option to automatically regenerate (rotate) API keys periodically.](There is no option to automatically regenerate (rotate) API keys periodically.)