Control: 1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
Description
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account. It is recommended that all Service Account keys are regularly rotated.
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
Remediation
From Console
Delete any external (user-managed) Service Account Key older than 90 days:
- Go to GCP console at
APIs & Services\Credentials
using https://console.cloud.google.com/apis/credentials. - In the Section
Service Account Keys
, for every external (user-managed) service account key wherecreation date
is greater than or equal to the past 90 days, clickDelete Bin Icon
toDelete Service Account key
.
Create a new external (user-managed) Service Account Key for a Service Account:
- Go to
APIs & Services\Credentials
using https://console.cloud.google.com/apis/credentials. - Click
Create Credentials
and SelectService Account Key
. - Choose the service account in the drop-down list for which an External (user-managed) Service Account key needs to be created.
- Select the desired key type format among
JSON
orP12
. - Click
Create
. It will download theprivate key
. Keep it safe. - Click
Close
if prompted. - The site will redirect to the
APIs & Services\Credentials
page. Make a note of the newID
displayed in theService account keys
section.
Default Value
GCP does not provide an automation option for External (user-managed) Service key rotation.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v300_1_7
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v300_1_7 --share
SQL
This control uses a named query:
iam_service_account_key_age_90