Profile Applicability:

Level 1

Description:

Service accounts should not use user-managed keys. Only GCP-managed keys should be used to enhance security and streamline key management.

Rationale:

GCP-managed keys are automatically handled by Google Cloud, ensuring:

  1. Secure storage and automatic rotation (approximately weekly).

  2. Mitigation of risks from key leakage due to common development practices, such as checking keys into source code or storing them in insecure locations.

In contrast, user-managed keys require the user to handle critical activities, including key storage and distribution, key revocation and rotation, and protecting keys from unauthorized access and recovery. Improper management can lead to accidental exposure or compromise, increasing the risk of unauthorized access to resources.

Impact:

Deleting user-managed service account keys can disrupt applications relying on these keys. It is essential to review dependencies before removing them.

Default Value:

By default, GCP does not create user-managed keys for service accounts.

Audit Steps:

Using the Google Cloud Console:

  1. Navigate to the IAM page: https://console.cloud.google.com/iam-admin/iam.

  2. In the left navigation pane, select Service accounts to view all accounts and their corresponding keys.

  3. Inspect each service account to check for user-managed keys.

Using Google Cloud CLI:

List all service accounts: 

gcloud iam service-accounts list

Identify user-managed service accounts with keys: 

gcloud iam service-accounts keys list --iam-account=<SERVICE_ACCOUNT_EMAIL> --managed-by=user

Verify no keys are listed.
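The CLI audit above, automated across every service account in a project, as an added example that is not part of the benchmark: it assumes the JSON shape of gcloud's --format=json output described in the comments, and ships with a constructed sample so it runs offline.

```python
import json
import subprocess
import sys
from typing import Dict, List

# Constructed sample in the shape of
#   gcloud iam service-accounts keys list --iam-account=<EMAIL> --format=json
# "name" ends in /keys/<KEY_ID>; "keyType" is USER_MANAGED or SYSTEM_MANAGED.
SAMPLE_EMAIL = "app-sa@example-project.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"projects/example-project/serviceAccounts/{SAMPLE_EMAIL}/keys/aaaa1111",
     "keyType": "SYSTEM_MANAGED", "validBeforeTime": "2025-01-15T00:00:00Z"},
    {"name": f"projects/example-project/serviceAccounts/{SAMPLE_EMAIL}/keys/bbbb2222",
     "keyType": "USER_MANAGED", "validBeforeTime": "9999-12-31T23:59:59Z"},
]

def gcloud_json(args: List[str]) -> list:
    """Run a gcloud command and parse its --format=json output."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def user_managed_keys(email: str, keys: list) -> List[Dict[str, str]]:
    """Report each USER_MANAGED key of one account with its remediation command.
    Filtering on keyType here is equivalent to the page's --managed-by=user."""
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys are rotated automatically; not a finding
        key_id = key["name"].rsplit("/keys/", 1)[1]
        findings.append({
            "account": email, "key_id": key_id,
            "expires": key.get("validBeforeTime", "unknown"),
            "remediation": f"gcloud iam service-accounts keys delete {key_id} "
                           f"--iam-account={email}",
        })
    return findings

def audit_project(project: str) -> List[Dict[str, str]]:
    """Live audit: every service account in the project, every key."""
    findings = []
    for acct in gcloud_json(["iam", "service-accounts", "list", f"--project={project}"]):
        keys = gcloud_json(["iam", "service-accounts", "keys", "list",
                            f"--iam-account={acct['email']}"])
        findings.extend(user_managed_keys(acct["email"], keys))
    return findings

if __name__ == "__main__":
    # With a project id argument: live audit. Without: run on the constructed sample.
    results = (audit_project(sys.argv[1]) if len(sys.argv) > 1
               else user_managed_keys(SAMPLE_EMAIL, SAMPLE_KEYS))
    for f in results:
        print(f"{f['account']}: user-managed key {f['key_id']} (expires {f['expires']})")
        print(f"  remediate: {f['remediation']}")
    sys.exit(1 if results else 0)  # non-zero exit signals an audit finding
```

Review each reported dependency before running the printed remediation command, as the Impact section notes.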

Remediation Steps:

Using the Google Cloud Console:

  1. Navigate to the IAM page: https://console.cloud.google.com/iam-admin/iam.

  2. In the left navigation pane, click Service accounts.

  3. Select the service account with user-managed keys.

  4. Click Edit, locate the keys, and delete them.

Using Google Cloud CLI:

Delete user-managed service account keys:

gcloud iam service-accounts keys delete <KEY_ID> --iam-account=<SERVICE_ACCOUNT_EMAIL>

Prevention:

  1. Disable User-Managed Service Account Key Creation: Enable the Disable service account key creation organization policy to block user-managed keys. Organization policy: Disable Service Account Key Creation.

  2. Disable Service Account Creation (if not required): Prevent service account creation by enabling the Disable service account creation organization policy. Organization policy: Disable Service Account Creation.

References:

  1. Understanding and Managing Service Account Keys

  2. Restricting Service Accounts with Policies

CIS Controls:

Control                  Description                            IG 1   IG 2   IG 3
Explicitly Not Mapped    No explicit mapping to CIS Controls.