Profile Applicability:

Level 2

Description:

API keys should be rotated at least every 90 days to limit the window in which a leaked key can be used. API keys are useful in specific scenarios (identifying the calling project, or calling APIs that need no user authorization), but they are less secure than standard authentication methods such as OAuth 2.0 or service account credentials, because a key is a bearer secret that anyone holding it can use. Regular rotation bounds the lifetime of any key that has been compromised without being noticed.

Rationale:

The security risks associated with API keys include:

  • Simple bearer strings: an API key is an opaque string that grants access to whoever presents it, so it is easily stolen if it is embedded in client environments such as browsers or mobile apps, committed to source control, or logged.

  • No principal: API keys identify the calling project, not the user or application making the request, which limits accountability in audit logs.

  • No expiration: API keys remain valid indefinitely unless manually deleted or regenerated, so a stolen key stays usable for as long as it goes unnoticed.

Rotating API keys ensures that:

  1. Keys are updated regularly to reduce the risk of long-term exposure.

  2. Stolen or compromised keys have a limited window of use.

Impact:

Regenerating an API key may disrupt client applications that rely on the old key. Update all clients with the new key to maintain functionality.

Default Value:

By default, there is no automated mechanism to rotate API keys periodically.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to APIs & Services > Credentials: GCP Credentials Console.

  2. For each API key:

    • Check the creation date under the API Keys section.

    • Ensure the key was created or last rotated within the last 90 days. Audit by key, not by display name: display names are editable and can be reused across keys.

Using Google Cloud CLI:

  1. List all API keys for the project together with their creation timestamps:

gcloud services api-keys list --format="table(uid,displayName,createTime)"

  2. Verify that the createTime for each key is within the last 90 days. createTime is the creation time of the key resource, so a key that has been "rotated" by editing its restrictions or display name still shows its original date and is still stale.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to APIs & Services > Credentials: GCP Credentials Console.

  2. For each API key older than 90 days:

    • Click the API key name to open its properties.

    • Click REGENERATE KEY to generate a new key string.

    • Save the changes and update all client applications with the new key.

  3. Repeat the process for all API keys older than 90 days.

Using Google Cloud CLI:

Since there is no gcloud command that regenerates an API key in place, rotation is done by creating a replacement key with the same restrictions, rolling it out to clients, and then deleting the old key:

  1. List existing keys and note the UID of the key to rotate:

gcloud services api-keys list

  2. Record the old key's restrictions so they can be reapplied to its replacement:

gcloud services api-keys describe <OLD_KEY_UID>

  3. Create the new key with the same restrictions. Restriction flags include --api-target=service=<service> (repeat once per allowed API), --allowed-referrers, --allowed-ips, --allowed-bundle-ids and --allowed-application; refer to the Google API Key Restrictions Documentation for details. For example, a key limited to a single API:

gcloud services api-keys create --display-name="<new_key_name>" --api-target=service=<service>.googleapis.com

Note the UID of the new key from the command output. An unrestricted key should never be created as a stop-gap; if restrictions must change later, use gcloud services api-keys update <NEW_KEY_UID> with the same flags.

  4. Retrieve the new key string and update all client applications with it:

gcloud services api-keys get-key-string <NEW_KEY_UID>

  5. Once no client still uses the old key (check the API's request metrics in the console), delete it:

gcloud services api-keys delete <OLD_KEY_UID>
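The audit and remediation steps above can be combined into one script that lists keys, flags those older than 90 days, and prints the gcloud commands to replace each one. The following is an added example written for this recommendation, not tooling from the benchmark or from Google. Offline it runs against a constructed sample in the shape that gcloud services api-keys list --format=json returns; with --live it shells out to gcloud. The UIDs, display names and timestamps in the sample are made up, and the <SERVICE> and <NEW_KEY_UID> placeholders in the printed commands must be filled in from the old key's describe output.

```python
"""Audit GCP API keys for age and emit rotation commands.

Added example for the 90-day rotation recommendation; not part of the
benchmark or of gcloud itself.
"""
import json
import subprocess
import sys
from datetime import datetime, timezone

MAX_AGE_DAYS = 90

# Constructed sample in the shape of `gcloud services api-keys list --format=json`.
# These are not real keys, projects or timestamps.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/123456789012/locations/global/keys/aaaaaaaa-1111-4aaa-8aaa-aaaaaaaaaaaa",
   "uid": "aaaaaaaa-1111-4aaa-8aaa-aaaaaaaaaaaa",
   "displayName": "maps-web",
   "createTime": "2023-01-10T09:15:00.123456Z"},
  {"name": "projects/123456789012/locations/global/keys/bbbbbbbb-2222-4bbb-8bbb-bbbbbbbbbbbb",
   "uid": "bbbbbbbb-2222-4bbb-8bbb-bbbbbbbbbbbb",
   "displayName": "mobile-ios",
   "createTime": "2024-05-20T12:00:00Z"},
  {"name": "projects/123456789012/locations/global/keys/cccccccc-3333-4ccc-8ccc-cccccccccccc",
   "uid": "cccccccc-3333-4ccc-8ccc-cccccccccccc",
   "displayName": "ci-pipeline",
   "createTime": "2024-03-23T00:00:00Z"}
]
"""


def load_keys(keys_json):
    """Parse the JSON list that gcloud prints."""
    return json.loads(keys_json)


def parse_create_time(value):
    """createTime is RFC 3339 with a trailing Z; fromisoformat on older
    Pythons only accepts an explicit +00:00 offset, so normalise it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_age_days(key, now):
    """Whole days since the key resource was created."""
    return (now - parse_create_time(key["createTime"])).days


def find_stale_keys(keys, now, max_age_days=MAX_AGE_DAYS):
    """Keys whose createTime is more than max_age_days old, oldest first."""
    stale = [k for k in keys if key_age_days(k, now) > max_age_days]
    return sorted(stale, key=lambda k: parse_create_time(k["createTime"]))


def rotation_commands(key):
    """gcloud commands to replace one stale key. <SERVICE> and <NEW_KEY_UID>
    are placeholders: copy the real restrictions from the describe output
    and the new UID from the create output before running them."""
    uid = key["uid"]
    name = key.get("displayName") or uid
    return [
        f"gcloud services api-keys describe {uid}",
        f'gcloud services api-keys create --display-name="{name}" '
        "--api-target=service=<SERVICE>.googleapis.com",
        "gcloud services api-keys get-key-string <NEW_KEY_UID>",
        f"gcloud services api-keys delete {uid}",
    ]


def main(argv):
    if "--live" in argv:
        # Real run: ask gcloud for the project's keys (active configuration).
        out = subprocess.run(
            ["gcloud", "services", "api-keys", "list", "--format=json"],
            check=True, capture_output=True, text=True,
        ).stdout
    else:
        out = SAMPLE_KEYS_JSON
    now = datetime.now(timezone.utc)
    stale = find_stale_keys(load_keys(out), now)
    for k in stale:
        print(f'# {k["uid"]} ({k.get("displayName", "")}) is {key_age_days(k, now)} days old')
        for cmd in rotation_commands(k):
            print(cmd)
    return len(stale)


if __name__ == "__main__":
    # Non-zero exit when any key is stale, so the script can gate a CI job.
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it with no arguments to see the sample output, or with --live (after gcloud auth login and gcloud config set project) to audit a real project. The script only prints the rotation commands rather than running them, because the rollout of the new key string to clients has to happen between the create and the delete.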

Backout Plan:

1. Restore an API Key (If Necessary)

If an API key was deleted before all clients had moved to its replacement, restore it rather than issuing yet another key: deleted API keys are retained for 30 days and can be undeleted, which brings back the same key string and restrictions:

gcloud services api-keys undelete <OLD_KEY_UID>

If the key can no longer be undeleted, create a new key and reapply the original key's restrictions before distributing it:

gcloud services api-keys create --display-name="Restored API Key"

2. Restore IAM Policy from Backup

Rotating API keys does not change the project's IAM policy, so this step applies only if IAM bindings were modified as part of the remediation (for example, to grant an operator the API Keys Admin role). If needed, restore a previously saved IAM policy:

gcloud projects set-iam-policy PROJECT_ID policy-backup.json

References:

  1. Best Practices for Regenerating API Keys

  2. Managing API Keys Using gcloud

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
16.10 Apply Secure Design Principles | Enforce secure design principles, including least privilege and periodic key rotation, to minimize attack surface areas. | | |

Explicitly Not Mapped

Not explicitly mapped in CIS v7 controls.