Service Account Key Creation Not Disabled

ID: gcloud-org-service-account-key-creation

Severity: high

Author: princechaddha

Tags: cloud,devops,gcp,gcloud,resourcemanager,security,iam,service-account,gcp-cloud-config

Description

Ensure that the creation of user-managed service account keys is disabled within your Google Cloud project, folder, or the entire organization through the “Disable Service Account Key Creation” organization policy. This allows you to control the use of unmanaged long-term credentials for your Cloud IAM service accounts. When this resource constraint is enabled, user-managed keys cannot be created for service accounts in projects/folders/organizations affected by the constraint.

YAML Source

id: gcloud-org-service-account-key-creation

info:
  name: Service Account Key Creation Not Disabled
  author: princechaddha
  severity: high
  description: |
    Ensure that the creation of user-managed service account keys is disabled within your Google Cloud project, folder, or the entire organization through the "Disable Service Account Key Creation" organization policy. This allows you to control the use of unmanaged long-term credentials for your Cloud IAM service accounts. When this resource constraint is enabled, user-managed keys cannot be created for service accounts in projects/folders/organizations affected by the constraint.
  impact: |
    User-managed keys are extremely powerful credentials, and they can pose a security risk if they are not managed correctly. If the user-managed service account keys are compromised, anyone who has access to these credentials will be able to access your GCP resources through their associated service account.
  remediation: |
    Enable the "Disable Service Account Key Creation" policy at the organization level using the 'gcloud alpha resource-manager org-policies enable-enforce' command with the iam.disableServiceAccountKeyCreation constraint.
  reference:
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ResourceManager/disable-service-account-key-creation.html
    - https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
  tags: cloud,devops,gcp,gcloud,resourcemanager,security,iam,service-account,gcp-cloud-config

flow: |
  code(1)
  for(let orgId of iterate(template.orgIds)){
    set("orgId", orgId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud organizations list --format="json(name)"

    extractors:
      - type: json
        name: orgIds
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud alpha resource-manager org-policies describe iam.disableServiceAccountKeyCreation --organization=$orgId --effective --format="json(booleanPolicy)"

    matchers:
      - type: word
        words:
          - "{}"

    extractors:
      - type: dsl
        dsl:
          - '"Organization " + orgId + " has not disabled service account key creation, allowing users to create unmanaged keys"'
# digest: 4b0a00483046022100de7c9ee928092255091497632796341967bd78e6c59bb6cf10c1937ed6a1178e022100b21ea4609f809edd6531d45ad1ae22cde5e6cb6f604cbe4d07756c69b81700b0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "cloud/gcp/resourcemanager/gcloud-org-service-account-key-creation.yaml"

View on Github