Risk Level: High
Cloud Entity: Service Account
CloudGuard Rule ID: D9.GCP.IAM.07
Covered by Spectral: No
Category: Security, Identity, & Compliance
ServiceAccount should not have keys with [ (managedBy = 'User') and (validAfterTime before(-90, 'days')) ]
- Go to IAM & admin/Service-Account using 'https://console.cloud.google.com/iam-admin/serviceaccounts';
- For every service account that has a user-managed key whose 'creation date' is 90 days or more in the past, click 'Actions' > 'Manage keys'
- Click the delete (bin) icon next to the key to 'Delete Service Account key'
- Click DELETE to confirm
- Create a new key by clicking on ADD KEY > Create new key
- Select the key type, 'JSON' or 'P12'.
- Click 'Create'. The private key file is downloaded to your machine; store it securely.
- Click 'Close' if prompted.
From Command Line
Delete external (user managed) Service Account Key older than 90 days:
gcloud iam service-accounts keys delete --iam-account=SERVICE_ACCOUNT_EMAIL KEY_ID
Create new Service Account Key:
gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
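The rule above flags user-managed keys whose validAfterTime is more than 90 days in the past. The following Python script is an added example (not CloudGuard's or Google's code) that applies the same check to the JSON that `gcloud iam service-accounts keys list --iam-account=EMAIL --format=json` returns, and prints the delete command from this page for each stale key. The project id, account name, key ids and timestamps in the embedded sample are constructed; in that output Google-managed keys carry keyType SYSTEM_MANAGED and user-managed keys USER_MANAGED, which is the distinction the rule's managedBy = 'User' clause relies on.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Threshold from the rule: user-managed keys created more than 90 days ago are stale.
MAX_KEY_AGE_DAYS = 90

# Constructed sample, shaped like the output of
#   gcloud iam service-accounts keys list --iam-account=<email> --format=json
# Project id, account name, key ids and dates are made up for this example.
SAMPLE_KEYS_JSON = json.dumps([
    {   # user-managed key well past 90 days: must be rotated
        "name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/aaaa1111",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2023-01-10T09:00:00Z",
        "validBeforeTime": "9999-12-31T23:59:59Z",
    },
    {   # fresh user-managed key: compliant
        "name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/bbbb2222",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2024-03-01T12:00:00Z",
        "validBeforeTime": "9999-12-31T23:59:59Z",
    },
    {   # exactly 90 days old at REFERENCE_NOW: not yet older than 90 days, so not flagged
        "name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/dddd4444",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2024-01-02T00:00:00Z",
        "validBeforeTime": "9999-12-31T23:59:59Z",
    },
    {   # Google-managed key: old, but outside the rule's scope
        "name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/cccc3333",
        "keyType": "SYSTEM_MANAGED",
        "validAfterTime": "2022-06-01T00:00:00Z",
        "validBeforeTime": "2022-06-15T00:00:00Z",
    },
])

# Fixed "now" so the example is reproducible; a real audit uses datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)


def parse_rfc3339(value):
    """Parse the RFC 3339 timestamps gcloud emits; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def split_key_name(name):
    """Return (service account email, key id) from a full key resource name."""
    account_part, key_id = name.rsplit("/keys/", 1)
    email = account_part.split("/serviceAccounts/", 1)[1]
    return email, key_id


def find_stale_user_managed_keys(keys_json, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return user-managed keys whose validAfterTime is more than max_age_days before now."""
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google rotates system-managed keys itself; the rule does not flag them
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            email, key_id = split_key_name(key["name"])
            stale.append({"account": email, "key_id": key_id, "age_days": age.days})
    return stale


def build_delete_command(stale_key):
    """Compose the gcloud delete command from the page for one stale key."""
    return (f"gcloud iam service-accounts keys delete {stale_key['key_id']} "
            f"--iam-account={stale_key['account']}")


if __name__ == "__main__":
    # Pipe real `gcloud ... keys list --format=json` output in on stdin,
    # or run with no input to audit the embedded sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    data = raw if raw.strip() else SAMPLE_KEYS_JSON
    for k in find_stale_user_managed_keys(data, datetime.now(timezone.utc)):
        print(f"# {k['account']} key {k['key_id']} is {k['age_days']} days old")
        print(build_delete_command(k))
```

Run it once per service account, review the printed commands, and only then execute them; create the replacement key (the `keys create` command above) and switch the workload to it before deleting the old key, otherwise the application loses its credential.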
A service account is an account that belongs to your application instead of an individual end user. When you run code that is hosted on GCP, you specify the account that the code should run as. You can create as many service accounts as needed to represent the different logical components of your application.
- CloudGuard GCP All Rules Ruleset
- GCP CIS Foundations v. 1.0.0
- GCP CIS Foundations v. 1.1.0
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP GDPR Readiness
- GCP LGPD regulation
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
- GCP PCI-DSS 4.0
Updated 3 months ago