Profile Applicability:
Level 2
Description:
API keys should only be used when other authentication methods are unavailable. Unused or inactive API keys can pose security risks if their permissions remain intact. It is recommended to use standard authentication methods whenever possible to mitigate these risks.
Rationale:
API keys are less secure than standard authentication methods because:
They are simple encrypted strings, easily accessible in client-side environments.
They do not identify the user or application making requests, making them susceptible to misuse.
They can be exposed publicly in browsers, mobile devices, or logs, increasing the likelihood of theft.
Unused API keys with active permissions increase the attack surface, so removing them improves security posture.
Impact:
Deleting an API key may disrupt dependent applications or services. Before removal, ensure the key is no longer in use.
Default Value:
By default, API keys are not created for Google Cloud projects.
Audit Steps:
Using Google Cloud Console:
Navigate to APIs & Services > Credentials at GCP Credentials Console.
Review the API Keys section. Verify that each listed key is actively used by a service.
Using Google Cloud CLI:
List all API keys for the project:
gcloud services api-keys list --filter='state:ACTIVE'
Verify that all listed keys are actively in use and associated with necessary services.
Remediation Steps:
Using Google Cloud Console:
Navigate to APIs & Services > Credentials: GCP Credentials Console.
Identify unused API keys in the API Keys section.
Delete unused keys by clicking the Delete (Trash) icon next to the API key.
Using Google Cloud CLI:
List active API keys:
gcloud services api-keys list --filter='state:ACTIVE'
Delete an unused API key:
gcloud services api-keys delete <API_KEY_ID>
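The CLI audit and remediation steps above list keys but give no usage data, so the reviewer still has to decide which keys to confirm with their owners. The following script is an added example, not part of this benchmark or of the gcloud tooling: it parses the JSON that `gcloud services api-keys list --format=json` emits, flags keys with no application or API restriction and keys not modified within an assumed 90-day threshold, and renders (without running) the matching delete command for each flagged key. The sample records, the project number and the key names are constructed for the example; the field names follow the API Keys API resource as returned by gcloud.

```python
"""Triage helper for the API key audit (added example, not benchmark code).

Parses `gcloud services api-keys list --format=json` output and reports keys
that are the usual review candidates. The list output contains no usage
information, so a flagged key is something to confirm with its owner and
request logs, not proof that the key is unused."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample output for this example; field names mirror gcloud's JSON.
SAMPLE_OUTPUT = json.dumps([
    {
        "name": "projects/123456/locations/global/keys/key-maps-web",
        "displayName": "maps-web",
        "createTime": "2023-01-15T10:00:00Z",
        "updateTime": "2024-05-01T12:00:00Z",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
        },
    },
    {
        # Constructed: an old key with no restrictions and no recent change.
        "name": "projects/123456/locations/global/keys/key-legacy",
        "displayName": "legacy-import",
        "createTime": "2021-03-02T08:30:00Z",
        "updateTime": "2021-03-02T08:30:00Z",
    },
])

# Fixed reference time so the sample triage is reproducible (assumption for the demo).
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

APP_RESTRICTION_FIELDS = ("browserKeyRestrictions", "serverKeyRestrictions",
                          "androidKeyRestrictions", "iosKeyRestrictions")


def parse_keys(raw_json):
    """Turn the gcloud JSON document into a list of key records."""
    return json.loads(raw_json)


def _parse_time(stamp):
    # gcloud emits RFC 3339 timestamps with a trailing Z.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_unrestricted(key):
    """True when the key has neither an application restriction nor API targets."""
    restrictions = key.get("restrictions") or {}
    has_app = any(field in restrictions for field in APP_RESTRICTION_FIELDS)
    has_api = bool(restrictions.get("apiTargets"))
    return not (has_app or has_api)


def is_stale(key, now, max_age_days=90):
    """True when the key was last modified more than max_age_days ago (assumed threshold)."""
    last_change = _parse_time(key.get("updateTime") or key["createTime"])
    return now - last_change > timedelta(days=max_age_days)


def triage(keys, now, max_age_days=90):
    """Return {resource name: [reasons]} for every key that deserves review."""
    findings = {}
    for key in keys:
        reasons = []
        if is_unrestricted(key):
            reasons.append("no application or API restriction")
        if is_stale(key, now, max_age_days):
            reasons.append(f"not modified in {max_age_days} days")
        if reasons:
            findings[key["name"]] = reasons
    return findings


def key_id(name):
    """The last segment of the resource name is the <API_KEY_ID> the delete command takes."""
    return name.rsplit("/", 1)[-1]


def delete_commands(findings):
    """Render, but do not execute, the remediation command for each flagged key."""
    return [f"gcloud services api-keys delete {key_id(name)}" for name in sorted(findings)]


if __name__ == "__main__":
    # Against a real project, replace SAMPLE_OUTPUT with the stdout of:
    #   gcloud services api-keys list --format=json
    findings = triage(parse_keys(SAMPLE_OUTPUT), REFERENCE_NOW)
    for name, reasons in findings.items():
        print(f"{name}: {', '.join(reasons)}")
    for command in delete_commands(findings):
        print("review, then run:", command)
```

Run the script as-is to see the triage on the constructed sample; against a live project, feed it the real `gcloud` output and treat the printed delete commands as a review list, since the benchmark's own impact note applies: confirm with the key's owner that nothing depends on it before deleting.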
Additional Information:
Google recommends using standard authentication methods instead of API keys. However, in scenarios requiring API keys (e.g., mobile apps using the Google Cloud Translation API without a backend server), ensure the keys are properly secured and monitored.