Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” for GCP using the GCP console, enforce the organization policy constraint constraints/iam.disableServiceAccountKeyCreation. There is no per-service-account toggle for this setting; the constraint applies to every service account in the project, folder or organization it is set on, and you need the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) on that resource. Follow the steps below:
- Open the GCP Console, select the project (or folder or organization) you want to protect, and navigate to the IAM & Admin page.
- Click “Organization Policies” in the left-hand menu.
- Filter the list for “Disable service account key creation” and click the constraint to open its details page.
- Click “Manage policy”, choose to override the parent's policy, and set the rule's enforcement to On.
- Click “Set policy” to save the changes.
- Verify the change: the constraint's status should now read enforced, and an attempt to add a key under IAM & Admin > Service Accounts > Keys for any service account in scope should be rejected with a policy error.
Enforcing the constraint only blocks the creation of new user-managed keys. Keys that already exist keep working until you delete them, so review each service account's Keys tab and remove any user-managed keys that are no longer needed.
Using CLI
To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” for GCP using the gcloud CLI, follow the steps below. Note that the IAM policy edited in these steps belongs to a single service account and only removes the grants that let specific principals create keys on it. To block user-managed key creation for every service account in a project, folder or organization, enforce the organization policy constraint constraints/iam.disableServiceAccountKeyCreation instead (see the console steps above).
Step 1: Open the Google Cloud Shell or a terminal window where gcloud is authenticated as a principal allowed to get and set the service account's IAM policy.
Step 2: Run the following command to export the current IAM policy of the service account to policy.json (gcloud iam service-accounts get-iam-policy with JSON output). Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account you want to check.
Step 3: Open policy.json in an editor and check the “bindings” section for any binding whose role grants the iam.serviceAccountKeys.create permission, for example roles/iam.serviceAccountKeyAdmin. If such a binding is present, the members listed in it can create user-managed keys for the service account.
Step 4: Remove those bindings from the “bindings” section and save the file. Leave the “etag” field untouched: it lets GCP reject the update if the policy changed while you were editing it.
Step 5: Run the following command to write the edited policy back to the service account (gcloud iam service-accounts set-iam-policy with policy.json as the policy file). Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account you want to update.
Step 6: Run the get-iam-policy command again and confirm that no key-admin binding remains.
After following these steps, the removed principals can no longer create user-managed keys for the specified service account. Existing keys are not revoked by this change; list the account's user-managed keys with gcloud iam service-accounts keys list and delete any that are not needed.
Using Python
To remediate the misconfiguration “Disable User-Managed Key Creation for Service Accounts” in GCP using Python, enforce the organization policy constraint constraints/iam.disableServiceAccountKeyCreation on the project through the Organization Policy API (the google-cloud-org-policy client library). The Service Usage API only enables and disables services such as iam.googleapis.com; it cannot change this setting. Follow these steps:
- Import the required libraries: the Organization Policy client (google.cloud.orgpolicy_v2) and google.oauth2.service_account for credentials.
- Set up the credentials from the key file of a service account that holds roles/orgpolicy.policyAdmin on the GCP project you want to remediate.
- Create an OrgPolicyClient object.
- Retrieve the effective policy for constraints/iam.disableServiceAccountKeyCreation on projects/PROJECT_ID with the client's get_effective_policy method.
- Check whether any rule in the returned policy spec has enforce set to true; if it does, user-managed key creation is already disabled for the project.
- If the constraint is not enforced, create a policy for it on the project with a single rule that sets enforce to true (or update the existing policy if the project already has one for this constraint).
Note: Replace PROJECT_ID with the ID of the GCP project you want to remediate. Also, make sure that the service account whose key file (service_account_key.json) you use has the Organization Policy Administrator role on that project. Enforcing the constraint does not delete user-managed keys that already exist; review and remove unneeded keys separately.
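The following added example is not part of the original page. It covers both the CLI and the Python procedures above with offline helpers that work on plain dicts shaped like the JSON gcloud prints: one checks whether an effective organization policy enforces the constraint, one builds the policy body to enforce it, and one strips key-admin bindings from a service account IAM policy while preserving the etag. The project ID my-project, the member addresses, the etag value and both sample policies are constructed placeholders; the gcloud commands named in the comments are the ones assumed to produce and consume these shapes.

```python
"""Offline helpers for the "Disable User-Managed Key Creation for Service
Accounts" remediation. Added example, not the original page's code. Works on
dicts in the shapes gcloud emits, so it needs no network or credentials.
All identifiers and sample data below are constructed placeholders."""
import copy
import json

# Organization policy constraint that blocks user-managed key creation.
CONSTRAINT = "constraints/iam.disableServiceAccountKeyCreation"
# Predefined role that grants iam.serviceAccountKeys.create on a service account.
KEY_ADMIN_ROLES = frozenset({"roles/iam.serviceAccountKeyAdmin"})


def is_key_creation_disabled(effective_policy):
    """Return True if the constraint is enforced in an effective org policy.

    Accepts the v2 shape printed by
      gcloud org-policies describe CONSTRAINT --project=ID --effective --format=json
    ({"spec": {"rules": [{"enforce": true}]}}) and the legacy v1 shape printed by
      gcloud resource-manager org-policies describe CONSTRAINT --project=ID --effective
    ({"booleanPolicy": {"enforced": true}}).
    """
    if "booleanPolicy" in effective_policy:  # legacy v1 shape
        return bool(effective_policy["booleanPolicy"].get("enforced"))
    rules = effective_policy.get("spec", {}).get("rules", [])
    # A boolean constraint is enforced when any rule sets enforce: true.
    return any(rule.get("enforce") is True for rule in rules)


def build_enforcing_policy(project_id):
    """Build the v2 policy body that turns the constraint on for a project.

    Dump it to a file and apply it with `gcloud org-policies set-policy FILE`.
    The policy name uses the constraint id without the "constraints/" prefix.
    """
    constraint_id = CONSTRAINT.split("/", 1)[1]
    return {
        "name": f"projects/{project_id}/policies/{constraint_id}",
        "spec": {"rules": [{"enforce": True}]},
    }


def strip_key_admin_bindings(iam_policy, roles=KEY_ADMIN_ROLES):
    """Remove bindings for key-admin roles from a service account IAM policy.

    `iam_policy` is the JSON from
      gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
    Returns (new_policy, removed_bindings). The input is not modified and the
    etag is kept so `set-iam-policy` fails on a concurrent modification.
    """
    new_policy = copy.deepcopy(iam_policy)
    kept, removed = [], []
    for binding in new_policy.get("bindings", []):
        if binding.get("role") in roles:
            removed.append(binding)
        else:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy, removed


# Constructed sample: effective policy on which the constraint is NOT enforced.
SAMPLE_EFFECTIVE_POLICY_OFF = {
    "name": "projects/my-project/policies/iam.disableServiceAccountKeyCreation",
    "spec": {"rules": [{"enforce": False}]},
}

# Constructed sample: service account IAM policy with one key-admin binding.
SAMPLE_SA_POLICY = {
    "etag": "BwXsampleEtag0=",
    "bindings": [
        {"role": "roles/iam.serviceAccountKeyAdmin",
         "members": ["user:dev@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["group:app-team@example.com"]},
    ],
}


def main():
    if not is_key_creation_disabled(SAMPLE_EFFECTIVE_POLICY_OFF):
        print("constraint not enforced; policy body to apply:")
        print(json.dumps(build_enforcing_policy("my-project"), indent=2))
    hardened, removed = strip_key_admin_bindings(SAMPLE_SA_POLICY)
    print(f"removed {len(removed)} key-admin binding(s); hardened policy:")
    print(json.dumps(hardened, indent=2))


if __name__ == "__main__":
    main()
```

The two checks are deliberately separate: the organization policy is the project-wide control and is what the finding is really about, while the binding cleanup is a per-account hardening step that also matters where the constraint cannot be enforced yet. Neither function touches existing keys; those still have to be listed and deleted.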