turbot/steampipe-mod-gcp-compliance

Control: Ensure user-managed/external keys for service accounts are rotated every 90 days or less

Description

Service account keys consist of a key ID (private_key_id) and a private key, which are used to sign the programmatic requests that users make to the Google Cloud services accessible to that service account. It is recommended that all service account keys are rotated regularly.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.iam_service_account_key_age_90

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.iam_service_account_key_age_90 --share

SQL

This control uses a named query:

select
  -- Full IAM resource path of the key, used as the control's resource identifier
  'https://iam.googleapis.com/v1/projects/' || project || '/serviceAccounts/' || service_account_name || '/keys/' || name as resource,
  -- A key whose validity started 90 or more days ago is flagged as overdue for rotation
  case
    when valid_after_time <= (current_date - interval '90' day) then 'alarm'
    else 'ok'
  end as status,
  service_account_name || ' ' || name || ' created ' || to_char(valid_after_time, 'DD-Mon-YYYY') ||
    ' (' || extract(day from current_timestamp - valid_after_time) || ' days).' as reason,
  project as project
from
  gcp_service_account_key
where
  -- Google-managed (SYSTEM_MANAGED) keys are rotated by Google and are out of scope
  key_type = 'USER_MANAGED';
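To see how the control classifies keys at and around the 90-day boundary, the following added example (not part of the mod) runs the same status logic over a constructed sample table in a plain PostgreSQL session. It assumes a PostgreSQL connection and uses a temp table named sample_service_account_key so it does not touch the real gcp_service_account_key table; the project, service account and key names are made up.

```sql
-- Constructed sample data (not real GCP keys) to exercise the control's logic.
create temp table sample_service_account_key (
  project              text,
  service_account_name text,
  name                 text,
  key_type             text,
  valid_after_time     timestamptz
);

insert into sample_service_account_key values
  -- exactly 90 days old: on the boundary, flagged as alarm by the <= comparison
  ('example-project', 'app-sa@example-project.iam.gserviceaccount.com', 'key-90d',  'USER_MANAGED',   current_date - interval '90' day),
  -- 89 days old: still inside the rotation window, reported as ok
  ('example-project', 'app-sa@example-project.iam.gserviceaccount.com', 'key-89d',  'USER_MANAGED',   current_date - interval '89' day),
  -- 200 days old: well past the rotation deadline
  ('example-project', 'ci-sa@example-project.iam.gserviceaccount.com',  'key-200d', 'USER_MANAGED',   current_date - interval '200' day),
  -- Google-managed key: excluded by the where clause regardless of age
  ('example-project', 'ci-sa@example-project.iam.gserviceaccount.com',  'key-sys',  'SYSTEM_MANAGED', current_date - interval '400' day);

-- The control's status expression, pointed at the sample table.
-- Expected rows: key-200d alarm, key-89d ok, key-90d alarm (key-sys is filtered out).
select
  name,
  case
    when valid_after_time <= (current_date - interval '90' day) then 'alarm'
    else 'ok'
  end as status,
  extract(day from current_timestamp - valid_after_time) as age_days
from
  sample_service_account_key
where
  key_type = 'USER_MANAGED'
order by
  name;
```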

Tags