More Info:

Security risks involved in using API-Keys appear below: • API keys are simple encrypted strings • API keys do not identify the user or the application making the API request • API keys are typically accessible to clients, making it easy to discover and steal an API key In light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn’t otherwise need a backend server, API keys are the simplest way to authenticate to that API. In order to reduce attack vectors, API-Keys can be restricted only to trusted hosts, HTTP referrers and applications.

Risk Level

Medium

Address

Security, Reliability

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure API Keys Are Restricted To Specific Hosts And Apps” for GCP using GCP console, follow the below steps:
  1. Open the GCP Console and navigate to the API Manager Dashboard.
  2. Select the API key that you want to restrict.
  3. Click on the “Edit” button to edit the API key.
  4. In the “Application restrictions” section, select the “HTTP referrers (web sites)” option.
  5. Add the hostnames or IP addresses of the specific hosts and apps that should be allowed to use the API key.
  6. Click on the “Save” button to save the changes.
By following these steps, you have successfully restricted the API key to specific hosts and apps. Now, the API key will only work if the requests are made from the allowed hosts and apps.

To remediate the misconfiguration “Ensure API Keys Are Restricted To Specific Hosts And Apps” for GCP using GCP CLI, follow these steps:
  1. Open the Google Cloud Console and select the project for which you want to remediate the misconfiguration.
  2. Open the Cloud Shell by clicking on the icon at the top right corner of the console.
  3. In the Cloud Shell, enter the following command to list all the API keys in the project: 
gcloud beta services api-keys list
  1. Identify the API key that needs to be restricted and copy its name.
  2. Enter the following command to update the API key and restrict it to specific hosts and apps: 
gcloud beta services api-keys update [API_KEY_NAME] --allowed-ips=[IP_ADDRESS_RANGE] --allowed-apps=[APP_PACKAGE_NAME]
Replace [API_KEY_NAME] with the name of the API key you identified in step 4.Replace [IP_ADDRESS_RANGE] with the IP address range that should be allowed to use the API key. For example, you can use “192.168.0.0/16” to allow all IP addresses in the range 192.168.0.0 to 192.168.255.255.Replace [APP_PACKAGE_NAME] with the name of the app package that should be allowed to use the API key. For example, you can use “com.example.myapp” to allow only the app with that package name to use the API key.
  1. Verify that the API key has been updated by entering the following command:
gcloud beta services api-keys describe [API_KEY_NAME]
This will display the updated configuration for the API key.By following these steps, you have successfully remediated the misconfiguration “Ensure API Keys Are Restricted To Specific Hosts And Apps” for GCP using GCP CLI.
To remediate the misconfiguration of ensuring API keys are restricted to specific hosts and apps in GCP using Python, follow these steps:
  1. First, you need to create a new API key or update an existing one using the Cloud Console or the Cloud SDK.
  2. Once you have the API key, you can restrict it to specific hosts and apps by creating a new API key restriction.
  3. To create an API key restriction, you can use the Google Cloud IAM API in Python. Here is a sample code snippet to create an API key restriction: 
import google.auth
from google.oauth2.credentials import Credentials
from google.auth.transport.requests import AuthorizedSession
from google.cloud.iam_credentials_v1 import IAMCredentialsClient
from google.cloud.iam_credentials_v1.types import GenerateAccessTokenRequest

# Set the API key name and the list of allowed hosts and apps
api_key_name = "my-api-key"
allowed_hosts = ["example.com", "app.example.com"]
allowed_apps = ["my-app"]

# Get the IAM credentials client and the current credentials
credentials, project = google.auth.default()
iam_credentials_client = IAMCredentialsClient(credentials=credentials)

# Get the API key metadata
metadata_server_url = "http://metadata.google.internal/computeMetadata/v1/"
metadata_flavor = {"Metadata-Flavor": "Google"}
metadata_url = f"{metadata_server_url}/instance/service-accounts/default/token"
metadata_response = AuthorizedSession().get(metadata_url, headers=metadata_flavor)
metadata = metadata_response.json()
access_token = metadata["access_token"]

# Create the API key restriction
parent = f"projects/-/serviceAccounts/{project}.iam.gserviceaccount.com"
response = iam_credentials_client.generate_access_token(
    name=parent,
    delegates=[],
    scope=["https://www.googleapis.com/auth/cloud-platform"],
    audience=f"https://{api_key_name}.googleapis.com",
    include_email=True,
    options={"api_access_configs": [{"access_levels": [], "service": f"{api_key_name}.googleapis.com", "method": "*", "locations": allowed_hosts, "condition": {"expression": f"request.path.startsWith('/{app}/')"}}]},
    )

# Print the new access token
print(response.access_token)
In this code snippet, we first set the API key name and the list of allowed hosts and apps. Then, we get the IAM credentials client and the current credentials using the google.auth.default() function. Next, we get the API key metadata and create the API key restriction using the iam_credentials_client.generate_access_token() method. Finally, we print the new access token.Note that you need to replace the allowed_hosts and allowed_apps lists with your own values. Also, make sure to replace my-api-key with the name of your API key.

Additional Reading: