Disable User-Managed Key Creation for Service Accounts
More Info:
Ensure that the creation of user-managed service account keys is disabled within your Google Cloud project, folder, or the entire organization through the “Disable Service Account Key Creation” organization policy. This allows you to control the use of unmanaged long-term credentials for your Cloud IAM service accounts. When this resource constraint is enabled, user-managed keys cannot be created for service accounts in projects/folders/organizations affected by the constraint.Risk Level
MediumAddress
Security, Operational MaturityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” for GCP using GCP console, please follow the below steps:
- Open the GCP Console and navigate to the IAM & Admin page.
- Click on the “Service Accounts” tab.
- Select the Service Account for which you want to disable User-Managed Key Creation.
- Click on the “Edit” button in the Service Account details page.
- Scroll down to the “Key Management” section and click on the “Show More” link.
- Under the “Key Management” section, you will see an option “User-managed keys”. Disable this option.
- Click on the “Save” button to save the changes.
Using CLI
Using CLI
To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” for GCP using GCP CLI, follow the below steps:Step 1: Open the Google Cloud Shell or Terminal window.Step 2: Run the following command to check the current status of User-Managed Key Creation for Service Accounts:Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to check the User-Managed Key Creation status.Step 3: Open the policy.json file in an editor and check the “bindings” section for the following entry:If this entry is present, it means that User-Managed Key Creation is enabled for the service account.Step 4: To disable User-Managed Key Creation, run the following command:Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to disable User-Managed Key Creation.Step 5: Open the policy.json file in an editor and remove the following entry from the “bindings” section:Step 6: Save the policy.json file and run the following command to update the policy for the service account:Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to update the policy.After following these steps, User-Managed Key Creation will be disabled for the specified service account.
Using Python
Using Python
To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” in GCP using Python, follow these steps:Note: Replace
- Import the required libraries:
- Set up the credentials for the service account that has the necessary permissions to make changes to the GCP project:
- Create a
ServiceUsageclient object:
- Retrieve the current state of the
iam.googleapis.comservice:
- Check if user-managed keys are currently allowed for service accounts:
- If user-managed keys are currently allowed, update the service configuration to disable them:
PROJECT_ID with the ID of the GCP project you want to remediate. Also, make sure that the service account key file (service_account_key.json) has the necessary permissions to make changes to the GCP project.