More Info:

Service account keys should be managed by Google to ensure that they are as secure as possible, including key rotations and restrictions to the accessibility of the keys.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP, HIPAA, ISO27001

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Keys Should Be Managed By Google” in GCP, follow the below steps using GCP console:
  1. Open the GCP Console and navigate to the project for which you want to remediate the misconfiguration.
  2. Click on the “IAM & Admin” option in the left-hand menu.
  3. Click on the “Service Accounts” tab.
  4. Select the service account for which you want to remediate the misconfiguration.
  5. Click on the “Edit” button at the top of the page.
  6. Scroll down to the “Keys” section.
  7. Click on the “Delete” button next to any existing keys that are not managed by Google.
  8. Click on the “Create Key” button.
  9. Select the “JSON” key type.
  10. Click on the “Create” button.
By following these steps, you have now remediated the misconfiguration “Keys Should Be Managed By Google” in GCP by deleting any existing keys that are not managed by Google and creating a new key that is managed by Google.

The “Keys Should Be Managed By Google” misconfiguration in GCP means that there are service account keys being used that are not managed by Google. To remediate this issue, you can follow these steps using the GCP CLI:
  1. Identify the service account keys that are not managed by Google:
gcloud iam service-accounts keys list --iam-account [SERVICE-ACCOUNT-EMAIL]
Note: Replace [SERVICE-ACCOUNT-EMAIL] with the email address of the service account that you want to check.
  1. Delete the non-managed service account keys:
gcloud iam service-accounts keys delete [KEY-ID] --iam-account [SERVICE-ACCOUNT-EMAIL]
Note: Replace [KEY-ID] with the ID of the non-managed key and [SERVICE-ACCOUNT-EMAIL] with the email address of the service account that you want to delete the key from.
  1. Enable automatic rotation of service account keys:
gcloud beta iam service-accounts keys create [KEY-NAME] --iam-account [SERVICE-ACCOUNT-EMAIL] --key-usage=sign-for-digital-signature --rotation-period=90d --next-rotation-time=60d
Note: Replace [KEY-NAME] with a name for the new key, [SERVICE-ACCOUNT-EMAIL] with the email address of the service account that you want to enable automatic rotation for, and adjust the rotation period and next rotation time to meet your requirements.By following these steps, you can remediate the “Keys Should Be Managed By Google” misconfiguration in GCP using the GCP CLI.
To remediate the “Keys Should Be Managed By Google” misconfiguration for GCP using Python, you can follow these steps:
  1. Install the Google Cloud SDK and authenticate to your GCP project using the command gcloud auth login.
  2. Install the google-cloud-iam Python library using the command pip install google-cloud-iam.
  3. Write a Python script that uses the google-cloud-iam library to remove any non-Google-managed service account keys. Here’s an example script: 
from google.cloud import iam

# Replace [PROJECT_ID] with your GCP project ID
client = iam.IAMClient(project="[PROJECT_ID]")

# Get a list of all service accounts in the project
accounts = client.list_service_accounts()

# Loop through each service account
for account in accounts:
    # Get a list of all keys for the service account
    keys = client.list_service_account_keys(account.name)

    # Loop through each key
    for key in keys:
        # Check if the key is user-managed
        if not key.key_origin.startswith("google"):
            # Delete the key
            client.delete_service_account_key(key.name)
  1. Run the Python script using the command python script.py. This will remove any non-Google-managed service account keys in your GCP project.
Note: Before running the script, make sure to review and understand the impact of removing non-Google-managed service account keys in your GCP project.