Profile Applicability:
Level 2
Description:
API keys should be rotated every 90 days to minimize the risk of unauthorized access. While API keys can be useful in specific scenarios, they are less secure compared to standard authentication methods. Regular rotation of API keys reduces the likelihood of compromised keys being misused.
Rationale:
The security risks associated with API keys include:
Simple encrypted strings: API keys can be easily stolen if exposed in client environments like browsers or mobile devices.
No identification: API keys do not associate requests with users or applications, limiting accountability.
No expiration: API keys remain active indefinitely unless manually revoked or regenerated, creating long-term security risks if stolen.
Rotating API keys ensures that:
Keys are updated regularly to reduce the risk of long-term exposure.
Stolen or compromised keys have a limited window of use.
Impact:
Regenerating an API key may disrupt client applications that rely on the old key. Update all clients with the new key to maintain functionality.
Default Value:
By default, there is no automated mechanism to rotate API keys periodically.
Audit Steps:
Using Google Cloud Console:
Navigate to APIs & Services > Credentials: GCP Credentials Console.
For each API key:
Check the creation date under the API Keys section.
Ensure the key was created or last rotated within the last 90 days.
Using Google Cloud CLI:
List all API keys for the project:
gcloud services api-keys list
Verify that the createTime for each key is within the last 90 days.
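As an added example (not part of the benchmark text), the following Python script applies the 90-day check to the JSON form of that listing (`gcloud services api-keys list --format=json`); the embedded sample keys are constructed placeholders, and the live `audit_project` helper assumes an authenticated gcloud with a configured project.

```python
"""Flag GCP API keys whose createTime is older than the 90-day rotation threshold."""
import json
import re
import subprocess
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # rotation threshold stated in the benchmark

# Constructed sample shaped like `gcloud services api-keys list --format=json`;
# uids and names are placeholders, not real keys.
SAMPLE_KEYS_JSON = """
[
  {"uid": "11111111-aaaa-4bbb-8ccc-111111111111", "displayName": "web-maps-key",
   "createTime": "2024-01-10T08:15:30.123456789Z"},
  {"uid": "22222222-aaaa-4bbb-8ccc-222222222222", "displayName": "mobile-key",
   "createTime": "2024-05-20T12:00:00Z"}
]
"""

def parse_rfc3339(ts):
    """Parse an RFC 3339 UTC timestamp (any fractional-second precision) to an aware datetime."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z", ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def load_keys(text):
    """Decode the JSON list produced by gcloud."""
    return json.loads(text)

def stale_keys(keys, now, max_age_days=MAX_AGE_DAYS):
    """Return (uid, displayName, age_in_days) for every key created before the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for key in keys:
        created = parse_rfc3339(key["createTime"])
        if created < cutoff:
            findings.append((key["uid"], key.get("displayName", ""), (now - created).days))
    return findings

def audit_project(now=None):
    """Live audit: run gcloud for the configured project and report keys due for rotation."""
    out = subprocess.run(["gcloud", "services", "api-keys", "list", "--format=json"],
                         check=True, capture_output=True, text=True).stdout
    return stale_keys(load_keys(out), now or datetime.now(timezone.utc))

if __name__ == "__main__":
    for uid, name, age in audit_project():
        print(f"ROTATE: {name} ({uid}) is {age} days old")
```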
Remediation Steps:
Using Google Cloud Console:
Navigate to APIs & Services > Credentials: GCP Credentials Console.
For each API key:
Click the API Key Name to open its properties.
Click REGENERATE KEY to generate a new key.
Save the changes and update all client applications with the new key.
Repeat the process for all API keys older than 90 days.
Using Google Cloud CLI:
Since there is no direct gcloud command to regenerate API keys, follow these steps:
List Existing Keys:
gcloud services api-keys list
Create a New Key:
gcloud alpha services api-keys create --display-name="<new_key_name>"
Note the UID of the new key.
Add Restrictions to the New Key:
gcloud alpha services api-keys update <NEW_KEY_UID> --restrictions="<restriction_flags>"
Refer to the Google API Key Restrictions Documentation for details on flags.
Delete the Old Key:
gcloud alpha services api-keys delete <OLD_KEY_UID>
Backout Plan:
1. Restore an API Key (If Necessary)
If an API key was deleted prematurely, create a new key:
gcloud services api-keys create --display-name="Restored API Key"
Ensure API key restrictions are applied properly!
2. Restore IAM Policy from Backup
If needed, restore a previous IAM policy:
gcloud projects set-iam-policy PROJECT_ID policy-backup.json
References: