lacework-global-237
1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer (Automated)
Profile Applicability
• Level 1
Description
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account. It is recommended that all Service Account keys are regularly rotated.
Rationale
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
GCP provides the option to create one or more user-managed (also called external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials). When a new key pair is created, the user is required to download the private key (which is not retained by Google). With external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account to facilitate key rotation.
Impact
Rotating service account keys will break communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the Service account keys section and the private key downloaded by the user.
Audit
From Console:
Go to
APIs & Services\Credentialsusinghttps://console.cloud.google.com/apis/credentialsIn the section
Service Account Keys, for every External (user-managed) service account key listed ensure thecreation dateis within the past 90 days.
From Command Line:
- List all Service accounts from a project.
gcloud iam service-accounts list
- For every service account list service account keys.
gcloud iam service-accounts keys list --iam-account [Service_Account_Email_Id] --format=json
- Ensure every service account key for a service account has a
"validAfterTime"value within the past 90 days.
Remediation
From Console:
Delete any external (user-managed) Service Account Key older than 90 days:
Go to
APIs & Services\Credentialsusinghttps://console.cloud.google.com/apis/credentialsIn the Section
Service Account Keys, for every external (user-managed) service account key wherecreation dateis greater than or equal to the past 90 days, clickDelete Bin IcontoDelete Service Account key
Create a new external (user-managed) Service Account Key for a Service Account:
Go to
APIs & Services\Credentialsusinghttps://console.cloud.google.com/apis/credentialsClick
Create Credentialsand SelectService Account Key.Choose the service account in the drop-down list for which an External (user-managed) Service Account key needs to be created.
Select the desired key type format among
JSONorP12.Click
Create. It will download theprivate key. Keep it safe.Click
Closeif prompted.The site will redirect to the
APIs & Services\Credentialspage. Make a note of the newIDdisplayed in theService account keyssection.
References
https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys
https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list
https://cloud.google.com/iam/docs/service-accounts
Additional Information
For user-managed Service Account key(s), key management is entirely the user's responsibility.