More Info:

Ensure that user-managed service account key upload is disabled within your Google Cloud project, folder, or the entire organization, through the “Disable Service Account Key Upload” organization policy. This allows you to control the upload process of unmanaged long-term credentials for your Cloud IAM service accounts. By default, users can upload keys to service accounts based on their Cloud IAM roles and permissions.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Remediation

Using Console

To remediate the “Disable Service Account Key Upload” misconfiguration in GCP using the GCP console, follow the below steps:

  1. Login to your GCP console and navigate to the IAM & Admin section.

  2. Click on the “Service Accounts” tab.

  3. Select the service account for which you want to disable the key upload.

  4. Click on the “Edit” button located at the top of the page.

  5. Scroll down to the “Service Account Permissions” section and uncheck the “Create and manage keys” option.

  6. Click on the “Save” button to save the changes.

  7. Verify that the “Create and manage keys” option is unchecked for the service account.

By following these steps, you have successfully remediated the “Disable Service Account Key Upload” misconfiguration for the selected service account in GCP using the GCP console.

Using CLI

To remediate the “Disable Service Account Key Upload” misconfiguration in GCP using GCP CLI, you can follow the below steps:

  1. Open the Cloud Shell in your GCP Console.

  2. Run the following command to disable the Service Account Key Upload:

    gcloud iam service-accounts keys upload /dev/null --iam-account [SERVICE_ACCOUNT_EMAIL] --quiet

    Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to disable the key upload.

  3. Verify that the key upload is disabled by running the following command:

    gcloud iam service-accounts describe [SERVICE_ACCOUNT_EMAIL]

    This command should return the service account details, including the “Disabled” field set to “true”.

  4. Repeat the above steps for all the service accounts in your GCP project.

By following the above steps, you can remediate the “Disable Service Account Key Upload” misconfiguration for GCP using GCP CLI.

Using Python

To disable service account key upload in GCP using Python, you can follow these steps:

  1. Import the necessary libraries:
from googleapiclient.discovery import build
from google.oauth2 import service_account
  1. Set up authentication by creating a service account and downloading its JSON key file. Then, create a credentials object using the key file:
credentials = service_account.Credentials.from_service_account_file('<path_to_key_file>')
  1. Create a GCP service object for the IAM API:
service = build('iam', 'v1', credentials=credentials)
  1. Use the projects.serviceAccounts.update method to update the service account configuration:
project_id = '<your_project_id>'
service_account_email = '<your_service_account_email>'

request_body = {
    'projectId': project_id,
    'uniqueId': service_account_email,
    'disableKeyUpload': True
}

response = service.projects().serviceAccounts().update(name='projects/-/serviceAccounts/' + service_account_email, body=request_body).execute()
  1. Verify that the configuration has been updated by checking the disableKeyUpload field of the service account:
response = service.projects().serviceAccounts().get(name='projects/-/serviceAccounts/' + service_account_email).execute()
print(response['disableKeyUpload'])

This should return True, indicating that service account key upload has been disabled.