GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Disable User-Managed Key Creation for Service Accounts
More Info:
Ensure that the creation of user-managed service account keys is disabled within your Google Cloud project, folder, or the entire organization through the “Disable Service Account Key Creation” organization policy. This allows you to control the use of unmanaged long-term credentials for your Cloud IAM service accounts. When this resource constraint is enabled, user-managed keys cannot be created for service accounts in projects/folders/organizations affected by the constraint.
Risk Level
Medium
Address
Security, Operational Maturity
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” for GCP using GCP console, please follow the below steps:
- Open the GCP Console and navigate to the IAM & Admin page.
- Click on the “Service Accounts” tab.
- Select the Service Account for which you want to disable User-Managed Key Creation.
- Click on the “Edit” button in the Service Account details page.
- Scroll down to the “Key Management” section and click on the “Show More” link.
- Under the “Key Management” section, you will see an option “User-managed keys”. Disable this option.
- Click on the “Save” button to save the changes.
By following these steps, you will successfully remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” for GCP using GCP console.
To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” for GCP using GCP CLI, follow the below steps:
Step 1: Open the Google Cloud Shell or Terminal window.
Step 2: Run the following command to check the current status of User-Managed Key Creation for Service Accounts:
gcloud iam service-accounts get-iam-policy [SERVICE_ACCOUNT_EMAIL] --format=json > policy.json
Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to check the User-Managed Key Creation status.
Step 3: Open the policy.json file in an editor and check the “bindings” section for the following entry:
"members": [
"user:*",
"serviceAccount:*",
"group:*"
],
"role": "roles/iam.serviceAccountKeyAdmin"
If this entry is present, it means that User-Managed Key Creation is enabled for the service account.
Step 4: To disable User-Managed Key Creation, run the following command:
gcloud iam service-accounts set-iam-policy [SERVICE_ACCOUNT_EMAIL] policy.json --quiet
Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to disable User-Managed Key Creation.
Step 5: Open the policy.json file in an editor and remove the following entry from the “bindings” section:
{
"members": [
"user:*",
"serviceAccount:*",
"group:*"
],
"role": "roles/iam.serviceAccountKeyAdmin"
}
Step 6: Save the policy.json file and run the following command to update the policy for the service account:
gcloud iam service-accounts set-iam-policy [SERVICE_ACCOUNT_EMAIL] policy.json --quiet
Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to update the policy.
After following these steps, User-Managed Key Creation will be disabled for the specified service account.
To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” in GCP using Python, follow these steps:
- Import the required libraries:
from googleapiclient import discovery
from google.oauth2 import service_account
- Set up the credentials for the service account that has the necessary permissions to make changes to the GCP project:
credentials = service_account.Credentials.from_service_account_file(
'/path/to/service_account_key.json')
- Create a
ServiceUsageclient object:
serviceusage = discovery.build('serviceusage', 'v1', credentials=credentials)
- Retrieve the current state of the
iam.googleapis.comservice:
service_name = 'iam.googleapis.com'
parent = 'projects/PROJECT_ID'
services = serviceusage.services().list(parent=parent).execute()
service = next((s for s in services['services'] if s['config']['name'] == service_name), None)
- Check if user-managed keys are currently allowed for service accounts:
if 'iam.googleapis.com/allowServiceAccountKeyCreation' not in service['config']['acquirerSettings']:
print('User-managed keys are already disabled for service accounts.')
else:
print('User-managed keys are currently allowed for service accounts.')
- If user-managed keys are currently allowed, update the service configuration to disable them:
if 'iam.googleapis.com/allowServiceAccountKeyCreation' not in service['config']['acquirerSettings']:
print('User-managed keys are already disabled for service accounts.')
else:
print('Disabling user-managed keys for service accounts...')
service['config']['acquirerSettings']['iam.googleapis.com/allowServiceAccountKeyCreation'] = False
serviceusage.services().patch(name=service['name'], body=service).execute()
print('User-managed keys have been disabled for service accounts.')
Note: Replace PROJECT_ID with the ID of the GCP project you want to remediate. Also, make sure that the service account key file (service_account_key.json) has the necessary permissions to make changes to the GCP project.