Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
12Dashboards
536Benchmarks
201Queries
2Variables
GitHub

Control: Ensure that there are only GCP-managed service account keys for each service account

Description

User managed service accounts should not have user-managed keys.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.iam_service_account_gcp_managed_key

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.iam_service_account_gcp_managed_key --share

SQL

This control uses a named query:

with service_account_key as (
  select
    distinct service_account_name
  from
    gcp_service_account_key
  where
    key_type = 'USER_MANAGED'
)
select
  'https://iam.googleapis.com/v1/projects/' || project || '/serviceAccounts/' || name as resource,
  case
    when name like '%iam.gserviceaccount.com' and name in (select service_account_name from service_account_key) then 'alarm'
    else 'ok'
  end as status,
  case
    when name like '%iam.gserviceaccount.com' and name in (select service_account_name from service_account_key)
      then title || ' has user-managed keys.'
    else title || ' does not have user-managed keys.'
  end as reason
  , project as project
from
  gcp_service_account;

Tags

category = Compliance
plugin = gcp
service = GCP/IAM