API Keys Should Only Exist for Active Services
ID: gcloud-api-keys-inactive-services
Severity: low
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config
Description
Section titled “Description”Ensure that your Google Cloud projects are using the standard authentication flow as the preferred method for authentication, rather than relying on API keys. API keys are simple encrypted strings that can be used when calling certain APIs which don’t need to access private user data. API keys should be exclusively employed for active services when alternative authentication methods are not accessible, otherwise deleted.
YAML Source
Section titled “YAML Source”id: gcloud-api-keys-inactive-services
info: name: API Keys Should Only Exist for Active Services author: princechaddha severity: low description: | Ensure that your Google Cloud projects are using the standard authentication flow as the preferred method for authentication, rather than relying on API keys. API keys are simple encrypted strings that can be used when calling certain APIs which don't need to access private user data. API keys should be exclusively employed for active services when alternative authentication methods are not accessible, otherwise deleted. impact: | Using API keys for inactive services can expose your applications to unnecessary security risks. It is advisable to employ standard authentication methods and ensure that API keys are used judiciously and only for active services. remediation: | Review and ensure that API keys are only configured for active services. Delete or disable API keys associated with inactive or unnecessary services to minimize security risks. reference: - https://cloud.google.com/docs/authentication/api-keys tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config
flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) }
self-contained: true
code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)"
extractors: - type: json name: projectIds internal: true json: - '.[].projectId'
- engine: - sh - bash source: | gcloud alpha services api-keys list --project=$projectId --format="json(uid)"
matchers: - type: word words: - 'uid'
extractors: - type: json name: uid internal: true json: - '.[].uid'
- type: dsl dsl: - '"Inactive API Key found: UID: " + uid + " in Project: " + projectId'# digest: 490a0046304402207d9636d01e08f534fa218db024859e2229a20f9545b6dda783fb652284e64785022049b4893759d0e724f60c748db1d8d00f7499c3830638f2d6d16bdd41043ee5e9:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/api/gcloud-api-keys-inactive-services.yaml"