Google IAM Service Account has User-Managed Keys
- Contextual name: Service Account has User-Managed Keys
- ID: /ce/ca/google/iam/service-account-keys
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- Cloud Conformity: Delete User-Managed Service Account Keys
Description
User-managed service accounts should not have user-managed keys.
Rationale
Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation.
For user-managed keys, the user has to take ownership of key management activities, which include:
- Key storage
- Key distribution
- Key revocation
- Key rotation
- Protecting the keys from unauthorized users
- Key recovery
Even with key owner precautions, keys can be easily leaked by common development malpractices such as checking keys into the source code, leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels.
It is recommended to prevent user-managed service account keys.
Remediation
From Google Cloud Console
- Go to the IAM page in the GCP Console using https://console.cloud.google.com/iam-admin/iam
- In the left navigation pane, click Service accounts. All service accounts and their corresponding keys are listed.
- Click the service account.
- Click edit and delete the keys.
From Google Cloud CLI
To delete a user-managed Service Account Key:
gcloud iam service-accounts keys delete --iam-account=<user-managed-service-account-EMAIL> <KEY-ID>
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| CIS GCP v1.2.0 → 1.4 Ensure that there are only GCP-managed service account keys for each service account - Level 1 (Automated) | 1 | no data | | | |
| CIS GCP v1.3.0 → 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account - Level 1 (Automated) | 1 | no data | | | |
| CIS GCP v2.0.0 → 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account - Level 1 (Automated) | 1 | no data | | | |
| CIS GCP v3.0.0 → 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account - Level 1 (Automated) | 1 | no data | | | |
| Cloudaware Framework → Credential Lifecycle Management | 18 | no data | | | |