Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
Managing your own service account keys will result higher change for key exposure. You should avoid using user managed keys.
Risk Level: High
Cloud Entity: Service Account
CloudGuard Rule ID: D9.GCP.IAM.04
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
ServiceAccount where name unlike '%CloudGuard%' or (name like '%CloudGuard%' and roles contain-any [not $ in ('roles/viewer', 'roles/iam.securityReviewer')]) should not have keys with [ managedBy = 'User' ]
REMEDIATION
From Portal
- Go to the IAM page in the GCP Console using https://console.cloud.google.com/iam-admin/iam
- In the left navigation pane, click
Service accounts
. All service accounts and their corresponding keys are listed. - Click the service account.
- Click the
edit
and delete the keys.
From Command Line
Run
gcloud iam service-accounts keys delete --iam-account=USER_MANAGED_SERVICE_ACCOUNT_EMAIL KEY_ID
References
- https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/delete
- https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_accounts
Service Account
A service account is an account that belongs to your application instead of an individual end user. When you run code that is hosted on GCP, you specify the account that the code should run as. You can create as many service accounts as needed to represent the different logical components of your application.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Foundations v. 1.0.0
- GCP CIS Foundations v. 1.1.0
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP CloudGuard CheckUp
- GCP GDPR Readiness
- GCP HIPAA
- GCP LGPD regulation
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
- GCP PCI-DSS 4.0
Updated over 1 year ago