Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Ensure API Keys Are Restricted To Specific Hosts And Apps” for GCP using the GCP console, follow these steps:
- Open the GCP Console and navigate to the API Manager Dashboard.
- Select the API key that you want to restrict.
- Click on the “Edit” button to edit the API key.
- In the “Application restrictions” section, select the “HTTP referrers (web sites)” option.
- Add the hostnames or IP addresses of the specific hosts and apps that should be allowed to use the API key.
- Click on the “Save” button to save the changes.
Using CLI
To remediate the misconfiguration “Ensure API Keys Are Restricted To Specific Hosts And Apps” for GCP using the GCP CLI, follow these steps:
- Open the Google Cloud Console and select the project for which you want to remediate the misconfiguration.
- Open the Cloud Shell by clicking on the icon at the top right corner of the console.
- In the Cloud Shell, enter the following command to list all the API keys in the project:
- Identify the API key that needs to be restricted and copy its name.
- Enter the following command to update the API key and restrict it to specific hosts and apps:
  Replace [API_KEY_NAME] with the name of the API key you identified in step 4. Replace [IP_ADDRESS_RANGE] with the IP address range that should be allowed to use the API key; for example, “192.168.0.0/16” allows all IP addresses from 192.168.0.0 to 192.168.255.255. Replace [APP_PACKAGE_NAME] with the package name of the app that should be allowed to use the API key; for example, “com.example.myapp” allows only the app with that package name to use the API key.
- Verify that the API key has been updated by entering the following command:
  This will display the updated configuration for the API key.
By following these steps, you have successfully remediated the misconfiguration “Ensure API Keys Are Restricted To Specific Hosts And Apps” for GCP using the GCP CLI.
Using Python
To remediate the misconfiguration of ensuring API keys are restricted to specific hosts and apps in GCP using Python, follow these steps:
- First, create a new API key or update an existing one using the Cloud Console or the Cloud SDK.
- Once you have the API key, restrict it to specific hosts and apps by creating a new API key restriction.
- To create an API key restriction, you can use the Google Cloud IAM API in Python. Here is a sample code snippet to create an API key restriction:
In this code snippet, we first set the API key name and the list of allowed hosts and apps. Then, we get the IAM credentials client and the current credentials using the google.auth.default() function. Next, we get the API key metadata and create the API key restriction using the iam_credentials_client.generate_access_token() method. Finally, we print the new access token.
Note that you need to replace the allowed_hosts and allowed_apps lists with your own values. Also, make sure to replace my-api-key with the name of your API key.
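The CLI and Python sections above name the values to supply (an IP range such as “192.168.0.0/16”, an Android package such as “com.example.myapp”) but not the shape of the key resource they change. The following added example is not code from the original page: it builds the restrictions block for an API Keys v2 Key resource, validates the values first, and flags a key that carries no host or app restriction at all, which is the condition this control detects. The field names (serverKeyRestrictions.allowedIps, browserKeyRestrictions.allowedReferrers, androidKeyRestrictions.allowedApplications) are an assumption about the v2 REST API, and the sample key is constructed inline.

```python
import ipaddress
import re

# Constructed sample key in the shape of an API Keys v2 `Key` resource (the field
# names are an assumption about the v2 REST API, not code from the page). It has
# no `restrictions` block, which is exactly the misconfiguration being remediated.
SAMPLE_KEY = {
    "name": "projects/example-project/locations/global/keys/example-key-id",
    "displayName": "example-key",
}
# Caller restriction fields; `apiTargets` limits APIs, not callers, so it does not count.
APP_RESTRICTION_FIELDS = ("serverKeyRestrictions", "browserKeyRestrictions",
                          "androidKeyRestrictions", "iosKeyRestrictions")
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def is_unrestricted(key):
    """True when the key can be used from any host or app (the finding)."""
    restrictions = key.get("restrictions") or {}
    return not any(field in restrictions for field in APP_RESTRICTION_FIELDS)


def build_restrictions(allowed_ips=(), allowed_referrers=(), android_apps=()):
    """Build the `restrictions` object, validating every value before it is sent.
    android_apps: (package_name, sha1_fingerprint) pairs; the API needs the
    signing-certificate fingerprint alongside the package name."""
    restrictions = {}
    for ip in allowed_ips:
        ipaddress.ip_network(ip, strict=False)  # raises ValueError on a bad CIDR
    if allowed_ips:
        restrictions["serverKeyRestrictions"] = {"allowedIps": list(allowed_ips)}
    if allowed_referrers:
        restrictions["browserKeyRestrictions"] = {"allowedReferrers": list(allowed_referrers)}
    apps = []
    for package, sha1 in android_apps:
        digits = sha1.replace(":", "")
        if not PACKAGE_RE.match(package) or not SHA1_RE.match(digits):
            raise ValueError(f"invalid Android app entry: {package!r}")
        apps.append({"packageName": package, "sha1Fingerprint": digits.upper()})
    if apps:
        restrictions["androidKeyRestrictions"] = {"allowedApplications": apps}
    if not restrictions:
        raise ValueError("at least one host or app restriction is required")
    return restrictions


def remediate(key, **allowed):
    """Return (patched key, update mask) for a PATCH of the key's restrictions."""
    patched = dict(key)
    patched["restrictions"] = build_restrictions(**allowed)
    return patched, "restrictions"
```

The returned pair is what an update call needs: the key with its new restrictions and the update mask “restrictions”, so only that field is overwritten.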