Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Ensure API Keys Are Rotated Periodically” in GCP using the GCP console, follow the steps below:
- Open the GCP console and navigate to the IAM & Admin page.
- Click on the “Service accounts” tab.
- Select the service account for which you want to rotate the API keys.
- Click on the “Edit” button for that service account.
- Scroll down to the “Keys” section and click on the “Add Key” button.
- Select the type of key you want to add. You can choose between JSON and P12 formats.
- Click on the “Create” button to generate a new API key.
- Once the new key is generated, download it and store it in a secure location.
- Delete the old API key that needs to be rotated.
- Repeat the above steps periodically to rotate the API keys at regular intervals.
Using CLI
To remediate the misconfiguration “Ensure API Keys Are Rotated Periodically” for GCP using the GCP CLI, follow the steps below:
- Open the Cloud Shell in the GCP console.
- Run the following command to list all the service accounts in the project:
- Select the service account for which you want to rotate the API keys.
- Run the following command to list all the keys for the selected service account:
  Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account.
- Identify the key that needs to be rotated and note down its ID.
- Run the following command to delete the key:
  Replace [KEY_ID] with the ID of the key to be deleted and [SERVICE_ACCOUNT_EMAIL] with the email address of the service account.
- Run the following command to create a new key:
  Replace [OUTPUT_FILE] with the name of the file to which the new key will be written and [SERVICE_ACCOUNT_EMAIL] with the email address of the service account.
- Set a reminder to periodically rotate the API keys for all the service accounts in the project.
Using Python
To remediate the misconfiguration “Ensure API Keys Are Rotated Periodically” for GCP using Python, you can follow the steps below:
- First, we need to list all the API keys that are present in the GCP project. This can be done using the google-auth and google-api-python-client Python libraries.
- Once we have the list of API keys, we can check the creation time of each key using the keyVersion API.
- If the key is older than the rotation period (e.g. 90 days), we can rotate the key by creating a new key version and setting it as the primary version.
- Finally, we can log the details of the key rotation for auditing purposes.
Note: You will need to replace <path_to_service_account_key_file> with the path to your GCP service account key file, <project_id> with your GCP project ID, and <key_ring_name> with the name of the key ring that contains the API keys. You will also need to adjust the rotation period as per your organization’s policies.
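The age check from the steps above, as an added example (not code from the original page) applied to the service account keys that the Console and CLI sections rotate. It assumes the key listing was exported as JSON, for instance with gcloud iam service-accounts keys list --format=json; the project, account names and key IDs in the sample are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=90)  # example period from the text; set per policy

# Constructed sample shaped like a service account key listing in JSON;
# the project, accounts and key IDs are placeholders.
SA = "projects/example-project/serviceAccounts/{}@example-project.iam.gserviceaccount.com/keys/{}"
SAMPLE_KEYS_JSON = json.dumps([
    {"name": SA.format("app", "aaaa1111"), "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-10T08:00:00Z"},
    {"name": SA.format("app", "bbbb2222"), "keyType": "USER_MANAGED",
     "validAfterTime": "2024-03-03T00:00:00Z"},   # exactly 90 days old on 2024-06-01
    {"name": SA.format("app", "cccc3333"), "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-01-01T00:00:00Z"},   # rotated by Google, skipped
    {"name": SA.format("batch", "dddd4444"), "keyType": "USER_MANAGED",
     "validAfterTime": "2023-11-01T00:00:00Z"},
])

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2024-01-10T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def keys_due_for_rotation(keys, now, period=ROTATION_PERIOD):
    """Return (key_id, service_account_email, age_days), oldest first."""
    due = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # only user-managed keys need manual rotation
        age = now - parse_ts(key["validAfterTime"])
        if age > period:
            # name: projects/<project>/serviceAccounts/<email>/keys/<key_id>
            parts = key["name"].split("/")
            due.append((parts[5], parts[3], age.days))
    return sorted(due, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for key_id, email, days in keys_due_for_rotation(json.loads(SAMPLE_KEYS_JSON), now):
        print(f"ROTATE key={key_id} account={email} age_days={days}")
```

In a scheduled job, pass datetime.now(timezone.utc) as now and write the resulting lines to your audit log.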