Keys Should Be Managed By Google
More Info:
Service account keys should be managed by Google to ensure that they are as secure as possible, including key rotations and restrictions to the accessibility of the keys.
Risk Level
High
Address
Security
Compliance Standards
CISGCP, CBP, HIPAA, ISO27001
Remediation
Using Console
To remediate the misconfiguration “Keys Should Be Managed By Google” in GCP, follow the below steps using GCP console:
- Open the GCP Console and navigate to the project for which you want to remediate the misconfiguration.
- Click on the “IAM & Admin” option in the left-hand menu.
- Click on the “Service Accounts” tab.
- Select the service account for which you want to remediate the misconfiguration.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Keys” section.
- Click on the “Delete” button next to any existing keys that are not managed by Google.
- Click on the “Create Key” button.
- Select the “JSON” key type.
- Click on the “Create” button.
By following these steps, you have now remediated the misconfiguration “Keys Should Be Managed By Google” in GCP by deleting any existing keys that are not managed by Google and creating a new key that is managed by Google.
Using CLI
The “Keys Should Be Managed By Google” misconfiguration in GCP means that there are service account keys being used that are not managed by Google. To remediate this issue, you can follow these steps using the GCP CLI:
- Identify the service account keys that are not managed by Google:
gcloud iam service-accounts keys list --iam-account [SERVICE-ACCOUNT-EMAIL]
Note: Replace [SERVICE-ACCOUNT-EMAIL] with the email address of the service account that you want to check.
- Delete the non-managed service account keys:
gcloud iam service-accounts keys delete [KEY-ID] --iam-account [SERVICE-ACCOUNT-EMAIL]
Note: Replace [KEY-ID] with the ID of the non-managed key and [SERVICE-ACCOUNT-EMAIL] with the email address of the service account that you want to delete the key from.
- Enable automatic rotation of service account keys:
gcloud beta iam service-accounts keys create [KEY-NAME] --iam-account [SERVICE-ACCOUNT-EMAIL] --key-usage=sign-for-digital-signature --rotation-period=90d --next-rotation-time=60d
Note: Replace [KEY-NAME] with a name for the new key, [SERVICE-ACCOUNT-EMAIL] with the email address of the service account that you want to enable automatic rotation for, and adjust the rotation period and next rotation time to meet your requirements.
By following these steps, you can remediate the “Keys Should Be Managed By Google” misconfiguration in GCP using the GCP CLI.
Using Python
To remediate the “Keys Should Be Managed By Google” misconfiguration for GCP using Python, you can follow these steps:
-
Install the Google Cloud SDK and authenticate to your GCP project using the command
gcloud auth login. -
Install the
google-cloud-iamPython library using the commandpip install google-cloud-iam. -
Write a Python script that uses the
google-cloud-iamlibrary to remove any non-Google-managed service account keys. Here’s an example script:
from google.cloud import iam
# Replace [PROJECT_ID] with your GCP project ID
client = iam.IAMClient(project="[PROJECT_ID]")
# Get a list of all service accounts in the project
accounts = client.list_service_accounts()
# Loop through each service account
for account in accounts:
# Get a list of all keys for the service account
keys = client.list_service_account_keys(account.name)
# Loop through each key
for key in keys:
# Check if the key is user-managed
if not key.key_origin.startswith("google"):
# Delete the key
client.delete_service_account_key(key.name)
- Run the Python script using the command
python script.py. This will remove any non-Google-managed service account keys in your GCP project.
Note: Before running the script, make sure to review and understand the impact of removing non-Google-managed service account keys in your GCP project.