Ensure unrestricted API keys are not available within your GCP projects

API keys are unrestricted by default. An unrestricted key can be used by anyone from anywhere, so a key that leaks (from a web page, a mobile app binary or a public repository, for example) can be used against your project and billed to it. For production applications, set both application restrictions (which clients may present the key) and API restrictions (which APIs the key may call).

Risk Level: High
Cloud Entity: GCP API Key
CloudGuard Rule ID: D9.GCP.IAM.29
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

APIKey should not have restrictions isEmpty()

REMEDIATION

From Portal

  1. Sign in to the Google Cloud Console.
  2. Select the GCP project and navigate to the APIs & Services console at https://console.cloud.google.com/apis/credentials.
  3. In the main navigation panel, select Credentials to access the list of API keys.
  4. Click the API key that you want to modify.
  5. On the selected API key page, within the Application restrictions section, perform one of the following steps, based on your application requirements. A key accepts only one application restriction type, so pick the one that matches how the key's callers run (browser, server, Android app or iOS app).

A. Select HTTP referrers (web sites), choose ADD AN ITEM under Website restrictions, and type the trusted HTTP referrer that can use the selected API key in the New item text box. Choose DONE to apply the changes. An HTTP referrer can be a trusted domain (e.g. www.example.com), a specific URL with an exact path (e.g. www.example.com/path), any URL within a single subdomain (e.g. sub.example.com/*), a URL with a non-standard port such as www.example.com:8000/*, or any subdomain or path URL within a single domain, using wildcards [*] (e.g. *.example.com/*). If your trusted domain supports both HTTP and HTTPS, both restrictions must be added separately. Do not set the following HTTP referrers (using wildcards): *, *.[TLD] or *.[TLD]/*, where [TLD] represents the top-level domain, as these allow any site under that top-level domain to use the key. Use HTTP referrers for API clients that run in a web browser, so that only the specified URLs can call the API. Keep in mind that the browser supplies the Referer header: this restriction stops other sites from reusing a leaked key, but it does not stop a deliberate caller who forges the header, so it is not a substitute for keeping the key out of places it does not need to be.

B. Select IP addresses (web servers, cron jobs, etc.), choose ADD AN ITEM under Accept requests from these server IP addresses, and specify one IPv4 or IPv6 address, or a subnet in CIDR notation (e.g. 172.16.0.0/12), in the New item text box. Choose DONE to apply the changes. Do not use the following IPv4/IPv6 entries: 0.0.0.0, 0.0.0.0/0 or ::0, as these allow access from any host and translate to unrestricted access. Use specific IP addresses to limit API key access to trusted hosts only.

C. Select Android apps, choose ADD AN ITEM under Restrict usage to your Android apps, then specify the app package name and the required SHA-1 signing-certificate fingerprint in the New item text boxes. Choose DONE to apply the changes. This application restriction option requires adding your Android app package name and its signing-certificate fingerprint.

D. Select iOS apps, choose ADD AN ITEM under Accept requests from an iOS application with one of these bundle identifiers, then type the required iOS bundle identifier (ID) in the New item text box. Choose DONE to apply the configuration changes. This option requires adding at least one iOS bundle identifier (ID) in order to restrict API calls to specific iOS bundles.

  6. Under API restrictions, select Restrict key and choose only the APIs the key must call. Then choose SAVE, once both the application restriction and the API restriction are configured for the selected API key.

From Command Line
Run the following command to set restrictions by updating the configuration of the specified API key. A key takes only one application restriction type, which is why those flags appear as alternatives in the synopsis; --api-target adds API restrictions alongside whichever one you choose, and --clear-restrictions removes all restrictions (the state this rule flags).

a. Use the --allowed-ips parameter to specify the allowed IP addresses as server key restrictions for the selected API key.
b. Use the --allowed-referrers parameter to set the allowed HTTP referrers for the selected key.
c. Use the --allowed-application parameter to set the key's allowed Android application (package name plus SHA-1 signing-certificate fingerprint).
d. Use the --allowed-bundle-ids parameter to set the key's allowed iOS app bundle IDs.
e. Use --api-target=service=SERVICE (repeatable) to restrict the key to specific APIs.

gcloud alpha services api-keys update (KEY : --location=LOCATION) [--async] [--display-name=DISPLAY_NAME] [--annotations=[KEY=VALUE] | --clear-annotations] [--clear-restrictions | --api-target=service=SERVICE,[] --allowed-application=[sha1_fingerprint=SHA1_FINGERPRINT,package_name=PACKAGE_NAME] | --allowed-bundle-ids=[ALLOWED_BUNDLE_IDS] | --allowed-ips=[ALLOWED_IPS] | --allowed-referrers=[ALLOWED_REFERRERS]] [GCLOUD_WIDE_FLAG]

The same restriction flags are accepted by the GA command gcloud services api-keys update, and gcloud services api-keys list --format=json shows the current restrictions of every key in the project, which is the quickest way to find the ones this rule reports.
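The following is an added example (not CloudGuard's or Google's code) that applies this rule and the referrer/IP caveats from the portal steps to the JSON that gcloud services api-keys list --format=json prints, and builds the matching update command for each offender. The key list, the project name, the key names and the IP address and service passed to the fix are constructed for the demonstration; the JSON field names follow the API Keys v2 Key resource.

```python
"""Audit GCP API keys for missing or overly broad restrictions and print the
gcloud remediation for each offender.

Added example, not CloudGuard's or Google's code. It consumes the JSON that
`gcloud services api-keys list --format=json` prints (fields as in the API
Keys v2 Key resource) and applies the page's rule plus its referrer/IP
caveats. SAMPLE_KEYS is a constructed fixture, not real project output.
"""
import ipaddress
import json
import re
import shlex

# Constructed sample in the shape of `gcloud services api-keys list --format=json`.
# An unrestricted key simply has no "restrictions" field.
SAMPLE_KEYS = json.loads("""
[
  {"name": "projects/my-project/locations/global/keys/unrestricted-key",
   "displayName": "legacy key"},
  {"name": "projects/my-project/locations/global/keys/wildcard-key",
   "displayName": "wide referrer key",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*.com/*"]},
                    "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"name": "projects/my-project/locations/global/keys/open-ip-key",
   "displayName": "cron key",
   "restrictions": {"serverKeyRestrictions": {"allowedIps": ["0.0.0.0/0"]}}},
  {"name": "projects/my-project/locations/global/keys/good-key",
   "displayName": "web key",
   "restrictions": {"browserKeyRestrictions":
                      {"allowedReferrers": ["https://www.example.com/*"]},
                    "apiTargets": [{"service": "maps-backend.googleapis.com"}]}}
]
""")

APP_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                    "androidKeyRestrictions", "iosKeyRestrictions")

# Referrers the page tells you not to use: "*", "*.[TLD]" and "*.[TLD]/*".
_WIDE_REFERRER = re.compile(r"^(?:https?://)?\*(?:\.[a-z0-9-]+)?(?:/\*?)?$", re.I)


def is_open_ip(value):
    """True for 0.0.0.0, 0.0.0.0/0, ::0, any other /0, or an unparsable entry."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return True
    return net.prefixlen == 0 or net.network_address.is_unspecified


def audit_key(key):
    """Return the findings for one Key resource; an empty list means compliant."""
    r = key.get("restrictions") or {}
    if not r:  # the GSL rule: restrictions isEmpty()
        return ["no restrictions at all"]
    findings = []
    if not any(k in r for k in APP_RESTRICTIONS):
        findings.append("no application restriction")
    if not r.get("apiTargets"):
        findings.append("no API restriction")
    for ref in r.get("browserKeyRestrictions", {}).get("allowedReferrers", []):
        if _WIDE_REFERRER.match(ref):
            findings.append(f"overly broad referrer {ref!r}")
    for ip in r.get("serverKeyRestrictions", {}).get("allowedIps", []):
        if is_open_ip(ip):
            findings.append(f"overly broad IP range {ip!r}")
    return findings


def audit_all(keys):
    """Map each non-compliant key name to its findings."""
    return {k["name"]: f for k in keys if (f := audit_key(k))}


def remediation_command(key, allowed_ips=(), allowed_referrers=(), api_targets=()):
    """Build the `gcloud services api-keys update` call that locks a key down.

    A key accepts a single application restriction type, so the caller passes
    either IPs or referrers. Flags are the ones documented for the command.
    """
    _, project, _, location, _, key_id = key["name"].split("/")
    argv = ["gcloud", "services", "api-keys", "update", key_id,
            f"--location={location}", f"--project={project}"]
    if allowed_ips and allowed_referrers:
        raise ValueError("a key takes a single application restriction type")
    if allowed_ips:
        argv.append("--allowed-ips=" + ",".join(allowed_ips))
    if allowed_referrers:
        argv.append("--allowed-referrers=" + ",".join(allowed_referrers))
    for service in api_targets:
        argv.append(f"--api-target=service={service}")
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_KEYS).items():
        print(f"{name}: {'; '.join(findings)}")
    # Example fix for the cron key: pin it to one host and one API (assumed values).
    print(remediation_command(SAMPLE_KEYS[2], allowed_ips=["203.0.113.10"],
                              api_targets=["sqladmin.googleapis.com"]))
```

To run it against a real project, save gcloud services api-keys list --format=json to a file and load that in place of SAMPLE_KEYS. Review each generated command before running it: the script can tell you which keys are open, but the hosts, referrers and services each key should be pinned to are decisions only the key's owner can make.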

References

  1. https://cloud.google.com/docs/authentication/api-keys
  2. https://cloud.google.com/docs/authentication/api-keys#console_1
  3. https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update

GCP API Key

An API key is an opaque string that you pass when calling Google Cloud APIs, typically as the key query parameter of a REST request. It identifies the calling Google Cloud project, not a user or service account, and it is not encrypted: anyone who obtains the string can use it.
API keys are useful for accessing public data anonymously, and are used to associate API requests with the consumer Google Cloud project for quota and billing.
The API Keys API provides a programmatic interface to create and manage API keys for your project, with more control over API keys than the API key-related tasks available in the Cloud Console.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP NIST 800-53 Rev 5