Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Ensure API Keys Are Restricted To Necessary APIs” for GCP using the GCP console, follow the steps below:
- Login to GCP console (https://console.cloud.google.com/).
- Select the project for which you want to remediate the misconfiguration.
- In the left-hand menu, click on “APIs & Services” and then click on “Credentials”.
- Select the API key that you want to restrict.
- Under “Key restriction”, select “HTTP referrers (web sites)”.
- In the “Website restrictions” section, add the domain name(s) of the websites that are allowed to use this API key.
- In the “API restrictions” section, select the APIs that are allowed to use this API key.
- Click on “Save” to apply the changes.
Using CLI
To remediate the misconfiguration of ensuring API keys are restricted to necessary APIs in GCP using the GCP CLI, follow the steps below:
- First, identify the API keys that are not restricted to necessary APIs. You can use the following command to list all the API keys in your project:
- Once you have identified the API keys that are not restricted to necessary APIs, you can use the following command to update the API key and restrict it to specific APIs:
  Replace [API_KEY_NAME] with the name of the API key that you want to update, [REFERER_URL] with the URL of the referring website, and [API_LIST] with the list of APIs that you want to allow for this API key.
- If you want to restrict the API key to a specific IP address, use the following command:
  Replace [IP_ADDRESS] with the IP address that you want to allow for this API key.
- Finally, verify that the API key is now restricted to the necessary APIs by using the following command:
  This command will display the details of the API key, including the allowed APIs and the restricted referrer or IP address.
By following the above steps, you can remediate the misconfiguration of ensuring API keys are restricted to necessary APIs in GCP using the GCP CLI.
Using Python
To remediate the misconfiguration “Ensure API Keys Are Restricted To Necessary APIs” for GCP using Python, follow these steps:
- Identify the API keys that are not restricted to necessary APIs. You can do this by using the following command in the GCP Cloud Shell:
  Replace [SA-NAME] with the name of the service account that you want to check.
- Create a new API key with restricted access. You can do this by using the following Python code:
  Replace [PATH TO YOUR SERVICE ACCOUNT JSON FILE] with the path to your service account JSON file, and [SA-NAME] with the name of the service account that you want to create the API key for. This code creates an API key with restricted access to the Storage API in the us-central1 region.
- Delete the old API key. You can do this by using the following command in the GCP Cloud Shell:
  Replace [KEY-ID] with the ID of the old API key that you want to delete, and [SA-NAME] with the name of the service account that the API key belongs to.
- Verify that the new API key has restricted access. You can do this by using the following command in the GCP Cloud Shell:
  Replace [SA-NAME] with the name of the service account that you created the new API key for. This command should return the new API key that you just created with restricted access.
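As an added example (not the page's own code) covering the "identify unrestricted keys" step of both the CLI and Python sections: it scans the JSON that `gcloud services api-keys list --format=json` emits, using a constructed sample embedded inline, flags every key that lacks an API target or an application restriction, and builds the `gcloud services api-keys update` command that applies both. The JSON field names and the gcloud flags (`--api-target`, `--allowed-referrers`) are assumptions taken from the gcloud documentation; confirm them against your installed SDK before running the printed command.

```python
import json
import shlex

# Constructed sample in the shape of `gcloud services api-keys list --format=json`.
# Field names follow the API Keys v2 Key resource; every value is made up.
SAMPLE_KEYS_JSON = """[
 {"name": "projects/example-project/locations/global/keys/key-web",
  "displayName": "web-frontend",
  "restrictions": {
    "apiTargets": [{"service": "maps-backend.googleapis.com"}],
    "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]}}},
 {"name": "projects/example-project/locations/global/keys/key-legacy",
  "displayName": "legacy-unrestricted"},
 {"name": "projects/example-project/locations/global/keys/key-ip",
  "displayName": "batch-worker",
  "restrictions": {"serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]}}}
]"""

# Any one of these present on a key counts as an application restriction.
APP_RESTRICTION_FIELDS = ("browserKeyRestrictions", "serverKeyRestrictions",
                          "androidKeyRestrictions", "iosKeyRestrictions")

def load_sample_keys() -> list:
    return json.loads(SAMPLE_KEYS_JSON)

def find_unrestricted_keys(keys: list) -> dict:
    """Map key name -> missing restriction kinds; keys that pass are omitted.
    A key passes only with at least one API target AND one application restriction."""
    findings = {}
    for key in keys:
        restrictions = key.get("restrictions") or {}  # absent on a fully open key
        missing = []
        if not restrictions.get("apiTargets"):
            missing.append("apiTargets")
        if not any(restrictions.get(f) for f in APP_RESTRICTION_FIELDS):
            missing.append("applicationRestriction")
        if missing:
            findings[key["name"]] = missing
    return findings

def remediation_command(key_name: str, services: list, referrers: list) -> str:
    """Build the gcloud invocation that applies API-target and referrer restrictions.
    Assumption: flag names per `gcloud services api-keys update --help`; confirm them
    against the installed SDK before running the printed command."""
    key_id = key_name.rsplit("/", 1)[-1]  # short key ID from the full resource name
    argv = ["gcloud", "services", "api-keys", "update", key_id]
    argv += [f"--api-target=service={s}" for s in services]
    argv.append("--allowed-referrers=" + ",".join(referrers))
    return shlex.join(argv)  # shell-quoted so the '*' in a referrer survives copy-paste
```

Run `find_unrestricted_keys(load_sample_keys())` and feed each flagged name to `remediation_command` with the services and referrers your application actually needs; a key that only carries an IP allow-list still fails until an API target is set.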