Service account managed keys remediation

Using Console

Using CLI

The “Keys Should Be Managed By Google” misconfiguration in GCP means that there are service account keys being used that are not managed by Google. To remediate this issue, you can follow these steps using the GCP CLI:

Identify the service account keys that are not managed by Google:

gcloud iam service-accounts keys list --iam-account [SERVICE-ACCOUNT-EMAIL]

Note: Replace [SERVICE-ACCOUNT-EMAIL] with the email address of the service account that you want to check.

Delete the non-managed service account keys:

gcloud iam service-accounts keys delete [KEY-ID] --iam-account [SERVICE-ACCOUNT-EMAIL]

Note: Replace [KEY-ID] with the ID of the non-managed key and [SERVICE-ACCOUNT-EMAIL] with the email address of the service account that you want to delete the key from.

Enable automatic rotation of service account keys:

gcloud beta iam service-accounts keys create [KEY-NAME] --iam-account [SERVICE-ACCOUNT-EMAIL] --key-usage=sign-for-digital-signature --rotation-period=90d --next-rotation-time=60d

Note: Replace [KEY-NAME] with a name for the new key, [SERVICE-ACCOUNT-EMAIL] with the email address of the service account that you want to enable automatic rotation for, and adjust the rotation period and next rotation time to meet your requirements.By following these steps, you can remediate the “Keys Should Be Managed By Google” misconfiguration in GCP using the GCP CLI.

Using Python

To remediate the “Keys Should Be Managed By Google” misconfiguration for GCP using Python, you can follow these steps:

Install the Google Cloud SDK and authenticate to your GCP project using the command gcloud auth login.
Install the google-cloud-iam Python library using the command pip install google-cloud-iam.
Write a Python script that uses the google-cloud-iam library to remove any non-Google-managed service account keys. Here’s an example script:

from google.cloud import iam

# Replace [PROJECT_ID] with your GCP project ID
client = iam.IAMClient(project="[PROJECT_ID]")

# Get a list of all service accounts in the project
accounts = client.list_service_accounts()

# Loop through each service account
for account in accounts:
    # Get a list of all keys for the service account
    keys = client.list_service_account_keys(account.name)

    # Loop through each key
    for key in keys:
        # Check if the key is user-managed
        if not key.key_origin.startswith("google"):
            # Delete the key
            client.delete_service_account_key(key.name)

Run the Python script using the command python script.py. This will remove any non-Google-managed service account keys in your GCP project.

Note: Before running the script, make sure to review and understand the impact of removing non-Google-managed service account keys in your GCP project.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Service account managed keys remediation

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation