Google CloudOverview
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated.
Rationale
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.
Each service account is associated with a key pair, which is managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
GCP provides option to create one or more user-managed (also called as external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials). When a new key pair is created, user is enforced download the private key (which is not retained by Google). With external keys, users are responsible for security of the private key and other management operations such as key rotation. External keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account to facilitate key rotation.
Remediation guidance
From Console
Delete external (user managed) Service Account Key older than 90 days
- Go to
APIs & Services\Credentialsusing https://console.cloud.google.com/apis/credentials - In Section
Service Account Keys, for every external (user managed) Service account key withcreation dateis more than or equal to past 90 days clickDelete Bin IcontoDelete Service Account key
Create New external (user managed) Service Account Key for a Service Account
- Go to
APIs & Services\Credentialsusing https://console.cloud.google.com/apis/credentials - Click
Create CredentialsandSelect Service Account Key - Choose Service account in drop-down list for which External (user managed) Service Account key needs to be created
- Select desired key type format among
JSONorP12 - Click
Create. It will downloadprivate key. Keep it safe. - Click
Closeif prompted - It will redirect to
APIs & Services\Credentialspage. Make a note of NewIDdisplayed in sectionService account keys
Impact
Rotating service account key will break communication for depending applications. Dependent applications needs to configured manually with new key id displayed in section Service account keys and private key downloaded by user.
Default Value
GCP does not provides automation option for External (user managed) Service key rotation.
References:
- https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys
- https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list
- https://cloud.google.com/iam/docs/service-accounts
Notes
For user-managed Service Account key(s), key management is entirely users responsibility.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
User-managed/external keys for service accounts are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
GCPIAM5{...AssetFragment}
