More Info:

Ensure that the creation of user-managed service account keys is disabled within your Google Cloud project, folder, or the entire organization through the “Disable Service Account Key Creation” organization policy. This allows you to control the use of unmanaged long-term credentials for your Cloud IAM service accounts. When this resource constraint is enabled, user-managed keys cannot be created for service accounts in projects/folders/organizations affected by the constraint.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Remediation

Using Console

To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” for GCP using GCP console, please follow the below steps:

  1. Open the GCP Console and navigate to the IAM & Admin page.
  2. Click on the “Service Accounts” tab.
  3. Select the Service Account for which you want to disable User-Managed Key Creation.
  4. Click on the “Edit” button in the Service Account details page.
  5. Scroll down to the “Key Management” section and click on the “Show More” link.
  6. Under the “Key Management” section, you will see an option “User-managed keys”. Disable this option.
  7. Click on the “Save” button to save the changes.

By following these steps, you will successfully remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” for GCP using GCP console.

Using CLI

To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” for GCP using GCP CLI, follow the below steps:

Step 1: Open the Google Cloud Shell or Terminal window.

Step 2: Run the following command to check the current status of User-Managed Key Creation for Service Accounts:

gcloud iam service-accounts get-iam-policy [SERVICE_ACCOUNT_EMAIL] --format=json > policy.json

Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to check the User-Managed Key Creation status.

Step 3: Open the policy.json file in an editor and check the “bindings” section for the following entry:

"members": [
    "user:*",
    "serviceAccount:*",
    "group:*"
],
"role": "roles/iam.serviceAccountKeyAdmin"

If this entry is present, it means that User-Managed Key Creation is enabled for the service account.

Step 4: To disable User-Managed Key Creation, run the following command:

gcloud iam service-accounts set-iam-policy [SERVICE_ACCOUNT_EMAIL] policy.json --quiet

Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to disable User-Managed Key Creation.

Step 5: Open the policy.json file in an editor and remove the following entry from the “bindings” section:

{
    "members": [
        "user:*",
        "serviceAccount:*",
        "group:*"
    ],
    "role": "roles/iam.serviceAccountKeyAdmin"
}

Step 6: Save the policy.json file and run the following command to update the policy for the service account:

gcloud iam service-accounts set-iam-policy [SERVICE_ACCOUNT_EMAIL] policy.json --quiet

Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to update the policy.

After following these steps, User-Managed Key Creation will be disabled for the specified service account.

Using Python

To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” in GCP using Python, follow these steps:

  1. Import the required libraries:
from googleapiclient import discovery
from google.oauth2 import service_account
  1. Set up the credentials for the service account that has the necessary permissions to make changes to the GCP project:
credentials = service_account.Credentials.from_service_account_file(
    '/path/to/service_account_key.json')
  1. Create a ServiceUsage client object:
serviceusage = discovery.build('serviceusage', 'v1', credentials=credentials)
  1. Retrieve the current state of the iam.googleapis.com service:
service_name = 'iam.googleapis.com'
parent = 'projects/PROJECT_ID'
services = serviceusage.services().list(parent=parent).execute()
service = next((s for s in services['services'] if s['config']['name'] == service_name), None)
  1. Check if user-managed keys are currently allowed for service accounts:
if 'iam.googleapis.com/allowServiceAccountKeyCreation' not in service['config']['acquirerSettings']:
    print('User-managed keys are already disabled for service accounts.')
else:
    print('User-managed keys are currently allowed for service accounts.')
  1. If user-managed keys are currently allowed, update the service configuration to disable them:
if 'iam.googleapis.com/allowServiceAccountKeyCreation' not in service['config']['acquirerSettings']:
    print('User-managed keys are already disabled for service accounts.')
else:
    print('Disabling user-managed keys for service accounts...')
    service['config']['acquirerSettings']['iam.googleapis.com/allowServiceAccountKeyCreation'] = False
    serviceusage.services().patch(name=service['name'], body=service).execute()
    print('User-managed keys have been disabled for service accounts.')

Note: Replace PROJECT_ID with the ID of the GCP project you want to remediate. Also, make sure that the service account key file (service_account_key.json) has the necessary permissions to make changes to the GCP project.