Profile Applicability:
Level 2
Description:
API keys should be limited to accessing only the APIs necessary for the application’s functionality. Unrestricted API keys can expose all Google Cloud APIs, increasing the risk of unauthorized access and misuse. It is recommended to restrict API key usage to specific APIs required by the application.
Rationale:
The use of API keys poses several security risks:
Simple encrypted strings: API keys can be easily discovered and stolen if exposed in client environments like browsers or mobile devices.
No identification: API keys do not identify users or applications, limiting accountability.
Broad access: Unrestricted keys can call any Google Cloud API, increasing the risk of misuse.
Google recommends using standard authentication methods whenever possible. For limited cases where API keys are required (e.g., mobile apps using the Translation API without a backend), applying API restrictions minimizes attack surfaces.
Impact:
Setting API restrictions may disrupt application functionality if not carefully configured. Ensure that API keys are restricted to only the APIs required for proper application operation.
Default Value:
By default, API restrictions are set to "None," allowing unrestricted access to all APIs.
Audit Steps:
Using Google Cloud Console:
Navigate to APIs & Services > Credentials in the Google Cloud Console.
For each API key:
Click the API Key Name to view its properties.
Under Key restrictions, verify that the API restrictions section is not set to "None."
Ensure it is not set to Google Cloud APIs, which allows access to all APIs.
Using Google Cloud CLI:
List all API keys for the project:
gcloud services api-keys list
Check for unrestricted keys:
Verify that a restrictions field with an apiTargets list is present for each key; a key with no API targets has no API restrictions.
Ensure the apiTargets list does not include service: cloudapis.googleapis.com, which grants access to all Google Cloud APIs.
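As an added example (not part of this benchmark or of gcloud itself), the script below applies the two CLI checks above to the JSON output of `gcloud services api-keys list --format=json`. The key records are constructed for illustration; their shape follows the API Keys v2 Key resource (a `restrictions` object with an `apiTargets` list of `{"service": ...}` entries).

```python
import json

# Constructed sample of `gcloud services api-keys list --format=json` output.
# These are not real keys; only the field shapes matter for the audit.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/123/locations/global/keys/key-a", "displayName": "translate-key",
   "restrictions": {"apiTargets": [{"service": "translate.googleapis.com"}]}},
  {"name": "projects/123/locations/global/keys/key-b", "displayName": "legacy-key"},
  {"name": "projects/123/locations/global/keys/key-c", "displayName": "all-apis-key",
   "restrictions": {"apiTargets": [{"service": "cloudapis.googleapis.com"}]}},
  {"name": "projects/123/locations/global/keys/key-d", "displayName": "browser-only",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}}}
]
"""

# Selecting "Google Cloud APIs" in the console stores this service name, which
# is equivalent to no API restriction at all.
ALL_APIS_SERVICE = "cloudapis.googleapis.com"


def audit_api_keys(keys):
    """Return a list of (key name, finding) tuples for keys failing this control."""
    findings = []
    for key in keys:
        restrictions = key.get("restrictions") or {}
        targets = restrictions.get("apiTargets") or []
        name = key.get("displayName") or key["name"]
        if not targets:
            # Application restrictions (browser referrers, IPs) alone do not
            # limit which APIs the key can call, so this still fails.
            findings.append((name, "no API restrictions"))
        elif any(t.get("service") == ALL_APIS_SERVICE for t in targets):
            findings.append((name, "restricted to Google Cloud APIs (all APIs)"))
    return findings


def audit_from_json(raw):
    """Parse the JSON produced by the gcloud list command and audit it."""
    return audit_api_keys(json.loads(raw))


if __name__ == "__main__":
    for name, finding in audit_from_json(SAMPLE_KEYS_JSON):
        print(f"FAIL {name}: {finding}")
```

Run against real output by piping `gcloud services api-keys list --format=json` into `audit_from_json`; keys restricted to specific services (like translate-key above) produce no finding.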
Remediation Steps:
Using Google Cloud Console:
Navigate to APIs & Services > Credentials in the Google Cloud Console.
For each API key:
Click the API Key Name to open its properties.
Under Key restrictions, go to the API restrictions section.
Click Select API and choose the required API(s) from the dropdown menu.
Save the changes.
Using Google Cloud CLI:
List all API keys:
gcloud services api-keys list
Update the API restrictions for a key:
gcloud alpha services api-keys update <API_KEY_ID> --api-targets=service=<service.com>
Example:
gcloud alpha services api-keys update <API_KEY_ID> --api-targets=service=translate.googleapis.com