Control: Project should not use API keys
Description
API keys are best reserved for situations where no alternative authentication methods are available. Within a project, there may be lingering, unused keys that still retain their permissions. The inherent insecurity of keys arises from their susceptibility to public exposure, either through web browsers or when residing on a device. It is advisable to prioritize the adoption of conventional authentication mechanisms over the reliance on API keys.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.project_no_api_key
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.project_no_api_key --share
SQL
This control uses a named query:
with project_api_key as (
  select
    project,
    count(*) as api_key_count
  from
    gcp_apikeys_key
  group by
    project
),
gcp_projects as (
  select
    self_link,
    name,
    project_id
  from
    gcp_project
)
select
  p.self_link as resource,
  case
    when k.api_key_count > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when k.api_key_count > 0 then p.name || ' has ' || k.api_key_count || ' api key(s).'
    else p.name || ' has no api key(s).'
  end as reason,
  project_id as project
from
  gcp_projects as p
  left join project_api_key as k on k.project = p.project_id;
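When the control alarms, the count alone does not say which keys are the lingering ones. The query below is an added example, not part of the gcp_compliance mod; it lists each key with its age and restriction state so the oldest and least restricted can be reviewed first. It assumes the gcp_apikeys_key table exposes uid, display_name, create_time and a jsonb restrictions column with an apiTargets field.

```sql
-- Added triage example; not the mod's own query.
-- Assumed columns beyond "project": uid, display_name, create_time, restrictions (jsonb).
select
  k.project,
  k.uid,
  k.display_name,
  k.create_time,
  -- Whole days since the key was created.
  date_part('day', now() - k.create_time) as age_days,
  case
    -- No restrictions object at all: usable from any client against any enabled API.
    when k.restrictions is null then 'unrestricted'
    -- Client restrictions may exist, but the key is not limited to specific APIs.
    when k.restrictions -> 'apiTargets' is null then 'no API target restriction'
    else 'API targets restricted'
  end as restriction_state
from
  gcp_apikeys_key as k
order by
  -- Oldest keys first: the most likely to be forgotten.
  k.create_time asc;
```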