More Info:

Security risks involved in using API-Keys appear below: • API keys are simple encrypted strings • API keys do not identify the user or the application making the API request • API keys are typically accessible to clients, making it easy to discover and steal an API key To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.

Risk Level

High

Address

Security, Reliability

Compliance Standards

CISGCP, CBP, HITRUST, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of API keys not being created for a project in GCP, you can follow the below steps using the GCP console:
  1. Go to the GCP console and select the project for which you want to remediate the misconfiguration.
  2. Navigate to the “APIs & Services” section from the left-hand side menu.
  3. Click on the “Credentials” tab from the top menu.
  4. On the Credentials page, you will see a list of all the existing credentials for the project.
  5. Look for any API keys that have been created for the project. If you find any, select them and click on the “Delete” button to remove them.
  6. If there are no API keys, then the misconfiguration is already remediated.
  7. To prevent API keys from being created in the future, you can go to the “APIs & Services” section and click on the “Restrict keys” button.
  8. On the Restrict keys page, select the “Do not restrict key” option and click on the “Save” button.
  9. This will prevent any API keys from being created for the project in the future.
By following these steps, you can remediate the misconfiguration of API keys not being created for a project in GCP.

To remediate the misconfiguration “Ensure API Keys Are Not Created For A Project” for GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to list all the projects in your GCP account:
gcloud projects list
  1. Select the project for which you want to ensure that API keys are not created.
  2. Run the following command to check if any API keys are created for the selected project:
gcloud iam service-accounts keys list --iam-account [SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com
Note: Replace [SA-NAME] with the name of the service account and [PROJECT-ID] with the ID of the selected project.
  1. If any API keys are listed, delete them using the following command:
gcloud iam service-accounts keys delete [KEY-ID] --iam-account [SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com
Note: Replace [KEY-ID] with the ID of the API key you want to delete, [SA-NAME] with the name of the service account and [PROJECT-ID] with the ID of the selected project.
  1. Repeat steps 4 and 5 for all the service accounts in the selected project.
  2. Once all the API keys are deleted, ensure that the service accounts are not granted any unnecessary permissions.
  3. Verify that no API keys are created for the selected project using the following command:
gcloud iam service-accounts keys list --iam-account [SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com
Note: Replace [SA-NAME] with the name of the service account and [PROJECT-ID] with the ID of the selected project.
  1. If no API keys are listed, the remediation is complete.
To remediate the issue of ensuring API keys are not created for a project in GCP, you can use the following steps using Python:
  1. First, authenticate to your GCP project using the google-auth library. You can install it using pip:
pip install google-auth
  1. Next, use the google-cloud-resource-manager library to retrieve the list of all projects in your GCP account. You can install it using pip:
pip install google-cloud-resource-manager
  1. Once you have the list of projects, loop through each project and check if there are any active API keys associated with it. You can use the google-cloud-kms library to list the keys associated with a project:
pip install google-cloud-kms
  1. If you find any active API keys associated with a project, you can delete them using the google-cloud-kms library:
from google.cloud import kms_v1

kms_client = kms_v1.KeyManagementServiceClient()

# Replace [PROJECT_ID] and [KEY_RING_ID] with your project and key ring IDs
parent = kms_client.key_ring_path('[PROJECT_ID]', '[KEY_RING_ID]')

# Replace [KEY_ID] with the ID of the key to delete
key_id = kms_client.crypto_key_path('[PROJECT_ID]', '[KEY_RING_ID]', '[KEY_ID]')

# Delete the key
kms_client.destroy_crypto_key(key_id)
  1. Finally, you can revoke the API key using the google-auth library:
from google.oauth2.credentials import Credentials

# Replace [API_KEY] with the API key to revoke
creds = Credentials.from_api_key('[API_KEY]')

# Revoke the API key
creds.revoke()
By following these steps, you can ensure that API keys are not created for a project in GCP and remediate any existing misconfigurations.

Additional Reading: