Service Account Keys Should Be Rotated
More Info:
Service account keys should be rotated periodically.Risk Level
HighAddress
SecurityCompliance Standards
CISGCP, CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Service Account Keys Should Be Rotated” for GCP using GCP console, follow the steps below:
- Login to the Google Cloud Console using your credentials.
- Navigate to the IAM & Admin page from the left-hand menu.
- Click on Service Accounts from the list of options.
- Select the service account for which you want to rotate the keys.
- Click on the Edit button for the selected service account.
- Scroll down to the Keys section and click on the Add Key button.
- Select the type of key you want to add from the dropdown list.
- Click on the Create button to generate the new key.
- Once the new key is created, download it and store it securely.
- Delete the old key(s) that are no longer required.
Using CLI
Using CLI
To remediate the misconfiguration “Service Account Keys Should Be Rotated” for GCP using GCP CLI, you can follow the below steps:Replace [FILE_NAME] with the name of the file you want to create for the new key and replace [SERVICE_ACCOUNT_EMAIL] with the email of the Service Account that needs to be rotated.Replace [KEY_ID] with the ID of the key that needs to be deleted and replace [SERVICE_ACCOUNT_EMAIL] with the email of the Service Account.
- First, you need to identify the Service Account Keys that need to be rotated. You can use the below command to list all the Service Accounts in your project:
- Once you have identified the Service Account that needs to be rotated, you can create a new key for that Service Account using the below command:
- After creating the new key, you need to delete the old key. You can use the below command to list all the keys for a Service Account:
- Once you have identified the old key that needs to be deleted, you can use the below command to delete it:
- Finally, you need to ensure that the new key is being used by all the applications that were using the old key. You can update the applications with the new key manually or by using automation tools like Ansible or Terraform.
Using Python
Using Python
To remediate the misconfiguration “Service Account Keys Should Be Rotated” in GCP using Python, you can follow the below steps:Step 1: Install the required librariesInstall the Google Cloud SDK and the Python client library using pip.Step 2: Authenticate the clientAuthenticate the client using the service account key that you want to rotate.Step 3: Rotate the service account keyCreate a new service account key and delete the old one.Step 4: Save the new service account keySave the new service account key to a file.Step 5: Update the service account key in the applicationUpdate the service account key in the application with the new key that you have generated.Note: Make sure to update the service account key in all the places where it is being used.By following these steps, you can remediate the misconfiguration “Service Account Keys Should Be Rotated” in GCP using Python.