Profile Applicability:

Level 2

Description:

API keys should only be used in scenarios where alternative authentication methods are unavailable. Unrestricted API keys are insecure as they can be exposed in client-side environments or accessed on devices, making them susceptible to theft. To mitigate risks, API key usage should be restricted to trusted hosts, HTTP referrers, or specific applications.

Rationale:

The use of unrestricted API keys poses significant security risks:

  1. API keys are simple encrypted strings that can be easily discovered if exposed.

  2. No user or application identification is associated with API key-based requests, limiting accountability.

  3. Client-side accessibility makes it easy for attackers to steal keys from browsers, devices, or logs.

To reduce attack vectors, API keys should be restricted to specific and trusted hosts, IP addresses, or applications. While Google recommends using standard authentication methods over API keys, certain use cases (e.g., mobile apps) may require API keys. In such cases, applying restrictions minimizes the risks.

Impact:

Applying restrictions may disrupt existing applications if not carefully implemented. Ensure restrictions are configured to allow access only to required hosts, referrers, or apps.

Default Value:

By default, Application Restrictions are set to "None" for API keys, allowing unrestricted access.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to APIs & Services > Credentials (GCP Credentials Console).

  2. For each API key:

    • Click the API Key Name to view its properties.

    • Verify that the Key restrictions section under Application restrictions is not set to "None."

    • If set to HTTP referrers, ensure no wildcards (e.g., *, *.[TLD], *.[TLD]/*) are used.

    • If set to IP addresses, ensure no unrestricted addresses are configured (e.g., 0.0.0.0, 0.0.0.0/0, ::0).

Using Google Cloud CLI:

  1. List the API keys in the project that carry no restrictions:

     gcloud services api-keys list --filter="-restrictions:*" --format="table[box](displayName:label='Key With No Restrictions')"

  2. Ensure the output is empty; the filter returns only keys with no restrictions, so any key listed is unrestricted.
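The same audit checks, applied offline to the JSON that `gcloud services api-keys list --format=json` returns, as an added example that is not part of the benchmark text. The field names follow the API Keys API Key resource (browserKeyRestrictions, serverKeyRestrictions, androidKeyRestrictions, iosKeyRestrictions); the four sample keys are constructed.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud services api-keys list --format=json`
# output; names and uids are made up for this example.
SAMPLE_KEYS_JSON = """[
  {"displayName": "legacy-web-key", "uid": "key-1", "restrictions": {}},
  {"displayName": "wildcard-referrer", "uid": "key-2",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*.example.com/*", "*"]}}},
  {"displayName": "open-ip", "uid": "key-3",
   "restrictions": {"serverKeyRestrictions": {"allowedIps": ["0.0.0.0/0", "10.0.0.5"]}}},
  {"displayName": "restricted-ios", "uid": "key-4",
   "restrictions": {"iosKeyRestrictions": {"allowedBundleIds": ["com.example.app"]}}}
]"""

# Presence of any of these blocks means an application restriction is set.
APP_RESTRICTION_FIELDS = ("browserKeyRestrictions", "serverKeyRestrictions",
                          "androidKeyRestrictions", "iosKeyRestrictions")

def referrer_is_wildcard(ref: str) -> bool:
    """True for '*' or '*.<tld>' (with or without scheme and '/*' path)."""
    host = ref.split("://", 1)[-1].split("/", 1)[0]
    return host == "*" or (host.startswith("*.") and host.count(".") == 1)

def ip_is_unrestricted(entry: str) -> bool:
    """True for 0.0.0.0, 0.0.0.0/0, ::0 or any /0 network (matches every source)."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return True  # unparsable entry: surface it for review rather than ignore it
    return net.prefixlen == 0 or int(net.network_address) == 0

def audit_api_keys(keys_json: str) -> dict[str, list[str]]:
    """Return {displayName: [findings]} for keys failing the audit steps above."""
    findings: dict[str, list[str]] = {}
    for key in json.loads(keys_json):
        restrictions = key.get("restrictions", {})
        app = {f: restrictions[f] for f in APP_RESTRICTION_FIELDS if f in restrictions}
        problems = [] if app else ["application restriction is None"]
        for ref in app.get("browserKeyRestrictions", {}).get("allowedReferrers", []):
            if referrer_is_wildcard(ref):
                problems.append(f"wildcard referrer {ref!r}")
        for ip in app.get("serverKeyRestrictions", {}).get("allowedIps", []):
            if ip_is_unrestricted(ip):
                problems.append(f"unrestricted IP {ip!r}")
        if problems:
            findings[key["displayName"]] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit_api_keys(SAMPLE_KEYS_JSON).items():
        print(f"{name}: {'; '.join(problems)}")
```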

Remediation Steps:

Restricting Existing API Keys (Using Google Cloud Console):

  1. Go to APIs & Services > Credentials (GCP Credentials Console).

  2. For each API key:

    • Click the API Key Name to view its properties.

    • In the Key restrictions section, set Application restrictions to one of the following:

      • HTTP referrers: Specify trusted referrers. Avoid using wildcards like * or *.[TLD].

      • IP addresses: Specify allowed IP addresses. Avoid 0.0.0.0, 0.0.0.0/0, or ::0.

      • Android apps or iOS apps: Specify the application packages or bundle IDs.

    • Click Save after making changes.

Removing Unused API Keys (Using Google Cloud Console):

  1. Identify unused API keys.

  2. Select the checkbox next to each key and click Delete. Confirm the deletion when prompted.

Using Google Cloud CLI:

List API keys to identify unrestricted ones:

gcloud services api-keys list --filter="-restrictions:*"

Update the application restriction for an API key (a key holds one application restriction type at a time, so use exactly one of --allowed-referrers, --allowed-ips, --allowed-bundle-ids, or --allowed-application):

gcloud alpha services api-keys update <API_KEY_ID> \
  --allowed-referrers="YOUR_TRUSTED_REFERRERS"

Delete unused keys:

gcloud alpha services api-keys delete <API_KEY_ID>

References:

  1. Using API Keys for Authentication

  2. Listing API Keys with Restrictions

  3. Updating API Key Restrictions

CIS Controls:

Control                              | Description                                                                                                                        | IG 1 | IG 2 | IG 3
16.10 Apply Secure Design Principles | Ensure application architectures follow secure design principles, including least privilege, input validation, and minimizing attack surface. |      |      |
Explicitly Not Mapped                | Not explicitly mapped in CIS v7 controls.                                                                                          |      |      |