Profile Applicability:

Level 1:

Description:

Service accounts should not use user-managed keys. Only GCP-managed keys should be used to enhance security and streamline key management.

Rationale:

GCP-managed keys are automatically handled by Google Cloud, ensuring:

  1. Secure storage and automatic rotation (approximately weekly).

  2. Mitigation of risks from key leakage due to common development practices, such as checking keys into source code or storing them in insecure locations.

In contrast, user-managed keys require the user to handle critical activities, including key storage and distribution, key revocation and rotation, and protecting keys from unauthorized access and recovery. Improper management can lead to accidental exposure or compromise, increasing the risk of unauthorized access to resources.

Impact:

Deleting user-managed service account keys can disrupt applications relying on these keys. It is essential to review dependencies before removing them.

Default Value:

By default, GCP does not create user-managed keys for service accounts.

Remediation:

Test Plan:

Using the Google Cloud Console:

  1. Navigate to the IAM page: https://console.cloud.google.com/iam-admin/iam.

  2. In the left navigation pane, select Service accounts to view all accounts and their corresponding keys.

  3. Inspect each service account to check for user-managed keys.

Using Google Cloud CLI:

List all service accounts:

gcloud iam service-accounts list

For each service account, list its user-managed keys:

gcloud iam service-accounts keys list --iam-account=<SERVICE_ACCOUNT_EMAIL> --managed-by=user

Verify that no keys are listed.

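The two CLI checks above chained into one pass over a project, as an added audit script that is not part of the benchmark: it lists every service account, asks gcloud for that account's user-managed keys, and fails when any are found. It assumes gcloud is installed and authenticated, and that PROJECT_ID names the project to audit.

```shell
#!/bin/sh
# Audit helper for the CLI test plan (added example, not part of the benchmark).
# Assumes gcloud is installed and authenticated; PROJECT_ID is an assumed variable.

# Extract <key_id> from projects/<project>/serviceAccounts/<email>/keys/<key_id>.
key_id_from_name() {
    printf '%s\n' "${1##*/keys/}"
}

# Read the tab-separated output of
#   gcloud iam service-accounts keys list --managed-by=user --format="value(name,validAfterTime)"
# on stdin, print one FINDING line per key to stderr, and print the key count on
# stdout (0 means the account passes).
count_user_keys() {
    account="$1"
    found=0
    tab=$(printf '\t')
    while IFS="$tab" read -r name created; do
        [ -z "$name" ] && continue
        printf 'FINDING %s key=%s created=%s\n' \
            "$account" "$(key_id_from_name "$name")" "$created" >&2
        found=$((found + 1))
    done
    printf '%s\n' "$found"
}

# Walk every service account in the project; fail if any user-managed key exists.
audit_project() {
    project="$1"
    total=0
    for sa in $(gcloud iam service-accounts list --project="$project" \
                    --format="value(email)"); do
        # Capture first so a gcloud error is not silently read as "no keys".
        keys=$(gcloud iam service-accounts keys list --iam-account="$sa" \
                   --managed-by=user --format="value(name,validAfterTime)") ||
            { echo "ERROR: could not list keys for $sa" >&2; return 2; }
        n=$(printf '%s\n' "$keys" | count_user_keys "$sa")
        total=$((total + n))
    done
    if [ "$total" -eq 0 ]; then
        echo "PASS: no user-managed keys in project $project"
    else
        echo "FAIL: $total user-managed key(s) in project $project"
        return 1
    fi
}
if [ -n "${PROJECT_ID:-}" ]; then
    audit_project "$PROJECT_ID"
fi
```

Run it as PROJECT_ID=my-project sh audit_keys.sh; a non-zero exit means the project fails this check and the FINDING lines on stderr identify which keys to review before deletion.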
Implementation:

Using the Google Cloud Console:

  1. Navigate to the IAM page: https://console.cloud.google.com/iam-admin/iam.

  2. In the left navigation pane, click Service accounts.

  3. Select the service account with user-managed keys.

  4. Click Edit, locate the keys, and delete them.

Using Google Cloud CLI:

Delete user-managed service account keys:

gcloud iam service-accounts keys delete <KEY_ID> --iam-account=<SERVICE_ACCOUNT_EMAIL>

Backout Plan:

1. Recreate a Service Account Key (If Needed)

If a removed key was required:

gcloud iam service-accounts keys create <NEW_KEY_FILE>.json --iam-account=<SERVICE_ACCOUNT_EMAIL>

  • Store it securely in Google Secret Manager or Cloud KMS.

2. Revert Policy Enforcement (Temporarily)

If needed, temporarily allow user-managed keys:

gcloud resource-manager org-policies disable-enforce constraints/iam.disableServiceAccountKeyCreation --organization=ORG_ID

  • Re-enable enforcement once the issue is resolved.

References:

  1. Understanding and Managing Service Account Keys


CIS Controls:

Control                  Description                             IG 1   IG 2   IG 3
Explicitly Not Mapped    No explicit mapping to CIS Controls.