Ensure that your Google Cloud projects are using the standard authentication flow as the preferred method for authentication, rather than relying on API keys. In Google Cloud, API keys are simple encrypted strings that can be used when calling certain APIs which don't need to access private user data. API keys are usually accessible to clients, as they can be publicly viewed from within a browser, making them easy to discover by unauthorized personnel. API keys should be exclusively employed for active services when alternative authentication methods are not accessible, otherwise deleted.
This rule resolution is part of the Conformity Security & Compliance tool for GCP.
Because only a limited number of Google Cloud Platform (GCP) services allow access using just API keys, without requiring another type of credentials, Google recommends using a standard authentication flow instead of API keys for most services and applications. Deleting API keys should enforce the use of secure authentication methods only and minimize the exposure to attacks.
Audit
To determine if your Google Cloud projects are using API keys for active services, perform the following operations:
Remediation / Resolution
API keys should be used solely for active services in situations where alternative authentication methods are not available, otherwise, they should be deleted. To remove any API keys associated with your Google Cloud Platform (GCP) projects, perform the following operations:
Ensure that your API keys are reviewed before removal as deleting API keys may break communication with the clients and/or applications that are using those keys.References
- Google Cloud Platform (GCP) Documentation
- Authentication at Google
- Authenticate using API keys
- CIS Security Documentation
- Google Cloud Computing Platform
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud alpha services api-keys list
- gcloud alpha services api-keys delete
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
API Keys Should Only Exist for Active Services
Risk Level: Low