More Info:
Security risks involved in using API keys appear below:
- API keys are simple encrypted strings
- API keys do not identify the user or the application making the API request
- API keys are typically accessible to clients, making it easy to discover and steal an API key
To avoid the security risks of using API keys, it is recommended to use a standard authentication flow instead.
Risk Level: High
Address: Security, Reliability
Compliance Standards: CISGCP, CBP, HITRUST, SOC2, NISTCSF
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration where API keys have been created for a project in GCP, follow these steps in the GCP console:
- Go to the GCP console and select the project for which you want to remediate the misconfiguration.
- Navigate to the “APIs & Services” section from the left-hand side menu.
- Click on the “Credentials” tab from the top menu.
- On the Credentials page, you will see a list of all the existing credentials for the project.
- Look for any API keys that have been created for the project. If you find any, select them and click on the “Delete” button to remove them.
- If there are no API keys, then the misconfiguration is already remediated.
- To prevent API keys from being created in the future, you can go to the “APIs & Services” section and click on the “Restrict keys” button.
- On the Restrict keys page, select the “Do not restrict key” option and click on the “Save” button.
- This will prevent any API keys from being created for the project in the future.
Using CLI
To remediate the misconfiguration “Ensure API Keys Are Not Created For A Project” for GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP Console.
- Run the following command to list all the projects in your GCP account:
- Select the project for which you want to ensure that API keys are not created.
- Run the following command to check if any API keys are created for the selected project:
  Note: Replace [SA-NAME] with the name of the service account and [PROJECT-ID] with the ID of the selected project.
- If any API keys are listed, delete them using the following command:
  Note: Replace [KEY-ID] with the ID of the API key you want to delete, [SA-NAME] with the name of the service account and [PROJECT-ID] with the ID of the selected project.
- Repeat steps 4 and 5 for all the service accounts in the selected project.
- Once all the API keys are deleted, ensure that the service accounts are not granted any unnecessary permissions.
- Verify that no API keys are created for the selected project using the following command:
  Note: Replace [SA-NAME] with the name of the service account and [PROJECT-ID] with the ID of the selected project.
- If no API keys are listed, the remediation is complete.
Using Python
To remediate the issue of ensuring API keys are not created for a project in GCP, you can use the following steps using Python:
- First, authenticate to your GCP project using the `google-auth` library. You can install it using pip:
- Next, use the `google-cloud-resource-manager` library to retrieve the list of all projects in your GCP account. You can install it using pip:
- Once you have the list of projects, loop through each project and check if there are any active API keys associated with it. You can use the `google-cloud-kms` library to list the keys associated with a project:
- If you find any active API keys associated with a project, you can delete them using the `google-cloud-kms` library:
- Finally, you can revoke the API key using the `google-auth` library:
By following these steps, you can ensure that API keys are not created for a project in GCP and remediate any existing misconfigurations.
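As a concrete form of the check that both the CLI verification step and the Python steps describe, the following is an added example and not code from the original page. It departs from the steps above in one respect, stated here as an assumption: it uses the API Keys API through the `google-cloud-api-keys` client library (module `api_keys_v2`) rather than `google-cloud-kms`, because Cloud KMS manages encryption keys and does not list API keys. The `ApiKeysClient` calls in `fetch_keys()` and `_delete_key_live()` follow that library's documented interface as assumed here and are only exercised against a live project. The audit logic itself works on plain dicts in the shape of the Key resource printed by `gcloud services api-keys list --format=json`, with a constructed sample (made-up project number, key names and package name) so it runs offline.

```python
"""Audit a GCP project for API keys and remove the ones found.

Added example, not the original page's code. Uses the API Keys API
(google-cloud-api-keys, `pip install google-cloud-api-keys`) instead of the
google-cloud-kms library named in the steps; client call signatures assumed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Any, Callable, Iterable

# Restriction fields of the API Keys v2 Key resource (camelCase as in gcloud JSON).
RESTRICTION_FIELDS = (
    "apiTargets", "browserKeyRestrictions", "serverKeyRestrictions",
    "androidKeyRestrictions", "iosKeyRestrictions",
)


@dataclass
class Finding:
    key_name: str       # full resource name: projects/<number>/locations/global/keys/<uid>
    display_name: str
    unrestricted: bool  # True when the key has neither API-target nor client restrictions
    reason: str


@dataclass
class AuditReport:
    project_id: str
    compliant: bool = True
    findings: list[Finding] = field(default_factory=list)

    @property
    def names_to_delete(self) -> list[str]:
        return [f.key_name for f in self.findings]


def is_unrestricted(key: dict[str, Any]) -> bool:
    """A key whose `restrictions` object is empty or absent can call any enabled
    API from any client: the 'easy to discover and steal' case from More Info."""
    restrictions = key.get("restrictions") or {}
    return not any(restrictions.get(name) for name in RESTRICTION_FIELDS)


def audit_keys(project_id: str, keys: Iterable[dict[str, Any]]) -> AuditReport:
    """The control passes only when the project has zero API keys, so every key is
    a finding; unrestricted keys are labelled separately as the riskiest ones."""
    report = AuditReport(project_id=project_id)
    for key in keys:
        unrestricted = is_unrestricted(key)
        reason = ("unrestricted API key: usable against any enabled API from any client"
                  if unrestricted else
                  "API key present: prefer OAuth 2.0 or service-account authentication")
        report.findings.append(Finding(key["name"], key.get("displayName", ""), unrestricted, reason))
    report.compliant = not report.findings
    return report


def delete_keys(names: Iterable[str], deleter: Callable[[str], None] | None = None,
                dry_run: bool = True) -> list[str]:
    """Deletes each key through `deleter` (defaults to the live API call) unless
    dry_run is set, in which case it only returns what would be deleted."""
    if deleter is None:
        deleter = _delete_key_live
    acted: list[str] = []
    for name in names:
        if not dry_run:
            deleter(name)
        acted.append(name)
    return acted


def fetch_keys(project_id: str) -> list[dict[str, Any]]:
    """Live lookup through the API Keys API (network call; assumed client interface)."""
    from google.cloud import api_keys_v2  # imported lazily so the audit runs offline
    client = api_keys_v2.ApiKeysClient()
    request = api_keys_v2.ListKeysRequest(parent=f"projects/{project_id}/locations/global")
    # to_json() yields the same camelCase field names as the gcloud JSON output.
    return [json.loads(api_keys_v2.Key.to_json(key)) for key in client.list_keys(request=request)]


def _delete_key_live(name: str) -> None:
    """DeleteKey is a long-running operation; waiting on it surfaces failures here.
    Deleted keys can be undeleted for a limited time, so re-audit later as well."""
    from google.cloud import api_keys_v2  # assumed client interface, live call only
    client = api_keys_v2.ApiKeysClient()
    client.delete_key(request=api_keys_v2.DeleteKeyRequest(name=name)).result()


# Constructed sample in the shape of `gcloud services api-keys list --format=json`;
# project number, key uids, display names and package name are made up.
SAMPLE_KEYS: list[dict[str, Any]] = [
    {"name": "projects/123456789012/locations/global/keys/00000000-0000-4000-8000-000000000001",
     "displayName": "legacy-maps-key", "createTime": "2023-01-10T09:15:00Z",
     "restrictions": {}},
    {"name": "projects/123456789012/locations/global/keys/00000000-0000-4000-8000-000000000002",
     "displayName": "mobile-app-key", "createTime": "2023-06-02T14:40:00Z",
     "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}],
                      "androidKeyRestrictions": {"allowedApplications": [
                          {"packageName": "com.example.app",
                           "sha1Fingerprint": "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"}]}}},
]

if __name__ == "__main__":
    report = audit_keys("example-project", SAMPLE_KEYS)
    print(f"{report.project_id}: compliant={report.compliant}")
    for f in report.findings:
        print(f"  {f.display_name or f.key_name}: {f.reason}")
    # Dry run by default; pass dry_run=False only after the list has been reviewed.
    print("would delete:", delete_keys(report.names_to_delete))
```

Run as-is for the offline dry run against the sample. Against a live project, call `audit_keys(project, fetch_keys(project))` and then `delete_keys(report.names_to_delete, dry_run=False)` once the list has been reviewed; deleting every key is what the control asks for, and where a key has to stay for now the `unrestricted` flag identifies the ones to restrict first.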