Disable Service Account Key Upload

More Info:

Ensure that user-managed service account key upload is disabled within your Google Cloud project, folder, or the entire organization, through the “Disable Service Account Key Upload” organization policy. This allows you to control the upload process of unmanaged long-term credentials for your Cloud IAM service accounts. By default, users can upload keys to service accounts based on their Cloud IAM roles and permissions.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “Disable Service Account Key Upload” misconfiguration in GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in your GCP Console.
Run the following command to disable the Service Account Key Upload:
```
gcloud iam service-accounts keys upload /dev/null --iam-account [SERVICE_ACCOUNT_EMAIL] --quiet
```
Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to disable the key upload.
Verify that the key upload is disabled by running the following command:
```
gcloud iam service-accounts describe [SERVICE_ACCOUNT_EMAIL]
```
This command should return the service account details, including the “Disabled” field set to “true”.
Repeat the above steps for all the service accounts in your GCP project.

By following the above steps, you can remediate the “Disable Service Account Key Upload” misconfiguration for GCP using GCP CLI.

Using Python

To disable service account key upload in GCP using Python, you can follow these steps:

Import the necessary libraries:

from googleapiclient.discovery import build
from google.oauth2 import service_account

Set up authentication by creating a service account and downloading its JSON key file. Then, create a credentials object using the key file:

credentials = service_account.Credentials.from_service_account_file('<path_to_key_file>')

Create a GCP service object for the IAM API:

service = build('iam', 'v1', credentials=credentials)

Use the projects.serviceAccounts.update method to update the service account configuration:

project_id = '<your_project_id>'
service_account_email = '<your_service_account_email>'

request_body = {
    'projectId': project_id,
    'uniqueId': service_account_email,
    'disableKeyUpload': True
}

response = service.projects().serviceAccounts().update(name='projects/-/serviceAccounts/' + service_account_email, body=request_body).execute()

Verify that the configuration has been updated by checking the disableKeyUpload field of the service account:

response = service.projects().serviceAccounts().get(name='projects/-/serviceAccounts/' + service_account_email).execute()
print(response['disableKeyUpload'])

This should return True, indicating that service account key upload has been disabled.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Disable Service Account Key Upload

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation