---
names:
  full: "Google API Key is not restricted for unused APIs"
  contextual: "API Key is not restricted for unused APIs"
description: "API Keys should only be used for services in cases where other authentication methods \
  are unavailable. API keys are always at risk because they can be viewed publicly, such as from \
  within a browser, or they can be accessed on a device where the key resides. It is recommended \
  to restrict API keys to use (call) only APIs required by an application."
type: COMPLIANCE_POLICY
categories:
  - "SECURITY"
frameworkMappings:
  - /frameworks/cis-gcp-v4.0.0/01/14
  - /frameworks/cloudaware/identity-and-access-governance/credential-lifecycle-management
  - /frameworks/nist-sp-800-53-r5/pl/08
  - /frameworks/nist-sp-800-53-r5/sa/08
  - /frameworks/pci-dss-v4.0/02/02/02
  - /frameworks/pci-dss-v4.0/06/02/01
  - /frameworks/iso-iec-27001-2022/08/27
  - /frameworks/nist-csf-v1.1/pr-ip/02
similarPolicies:
  cloudConformity:
    - url: "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudAPI/check-for-api-key-application-restrictions.html"
      name: "Check for API Key Application Restrictions"