Ensure that the use of Google Cloud API keys is limited to trusted and reliable hosts, HTTP referrers, or applications. An API key application restriction specifies which websites, IP addresses, or Android/iOS mobile applications may use your API key. All API keys used in production should carry host and application restrictions: with these in place, a leaked or compromised key can only be used from the origins you have allowed, which limits the impact on your applications.
This rule resolution is part of the Conformity Security & Compliance tool for GCP.
Google Cloud API keys are simple encrypted strings that identify neither the user nor the application making the API request. They are typically exposed to clients (for example, they can be read directly from a web page in a browser), which makes them easy to discover and steal. Because of this, Google recommends the standard authentication flow over API keys. There are, however, scenarios where API keys are the better fit: a mobile application that only needs the Google Cloud Translation API and has no backend server, for instance, gets the simplest authentication available through an API key. To follow cloud security best practices and reduce the attack surface, Google Cloud API keys should be restricted to trusted and reliable hosts, HTTP referrers, and Android/iOS mobile applications only.
Audit
To ensure that your API key usage is restricted to trusted hosts and applications only, perform the following operations:
Remediation / Resolution
To enable and configure application restrictions for your Google Cloud API keys, perform the following operations:
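The audit and remediation steps above are not included on this page. As an added example (not Conformity's own tooling), the script below implements both halves over the JSON that the referenced `gcloud alpha services api-keys list --format=json` and `describe --format=json` commands print: it flags keys whose `restrictions` block carries no browser, server, Android, or iOS restriction (an API target restriction alone limits which APIs a key can call, not who can call it), and it builds the `gcloud alpha services api-keys update` command with the matching `--allowed-referrers`, `--allowed-ips`, `--allowed-application`, or `--allowed-bundle-ids` flag. The three keys in `SAMPLE_KEYS`, the project number, and the allow-list values are constructed placeholders; passing the full key resource name as the positional argument is assumed to be accepted by gcloud.

```python
"""Audit Google Cloud API keys for application restrictions and build the
matching `gcloud alpha services api-keys update` command.

Input is the JSON that `gcloud alpha services api-keys list --format=json`
prints (a list of key objects; `describe --format=json` prints one object).
The keys in SAMPLE_KEYS are constructed for this example, not real keys.
"""
import json
import shlex

# Application-restriction blocks in the API Keys v2 key resource and the
# field inside each block that holds the allow-list.
RESTRICTION_VALUES = {
    "browserKeyRestrictions": "allowedReferrers",
    "serverKeyRestrictions": "allowedIps",
    "androidKeyRestrictions": "allowedApplications",
    "iosKeyRestrictions": "allowedBundleIds",
}

# gcloud flag on `api-keys update` that sets each restriction type.
RESTRICTION_FLAGS = {
    "browserKeyRestrictions": "--allowed-referrers",
    "serverKeyRestrictions": "--allowed-ips",
    "androidKeyRestrictions": "--allowed-application",
    "iosKeyRestrictions": "--allowed-bundle-ids",
}

# Constructed sample: one restricted key, one with only an API target
# restriction, one with no restrictions block at all.
SAMPLE_KEYS = json.loads("""[
  {"name": "projects/111111111111/locations/global/keys/web-key",
   "displayName": "web frontend",
   "restrictions": {"browserKeyRestrictions":
                    {"allowedReferrers": ["https://app.example.com/*"]}}},
  {"name": "projects/111111111111/locations/global/keys/legacy-key",
   "displayName": "legacy (API target only)",
   "restrictions": {"apiTargets": [{"service": "translate.googleapis.com"}]}},
  {"name": "projects/111111111111/locations/global/keys/scratch-key",
   "displayName": "scratch"}
]""")


def application_restriction(key):
    """Return (restriction_type, allow_list) for one key object, or
    (None, []) when the key accepts requests from any host, IP address,
    or application. An apiTargets entry alone does not count."""
    restrictions = key.get("restrictions") or {}
    for block, values_field in RESTRICTION_VALUES.items():
        values = (restrictions.get(block) or {}).get(values_field) or []
        if values:
            return block, list(values)
    return None, []


def unrestricted_keys(keys):
    """Audit step: resource names of keys with no application restriction."""
    return [k["name"] for k in keys if application_restriction(k)[0] is None]


def remediation_command(key_name, restriction_type, allowed):
    """Remediation step: the gcloud command that applies an application
    restriction to the key. `allowed` holds operator-chosen values; Android
    entries are "sha1_fingerprint=...,package_name=..." strings and get one
    --allowed-application flag each, the other types take one comma list."""
    flag = RESTRICTION_FLAGS[restriction_type]
    argv = ["gcloud", "alpha", "services", "api-keys", "update", key_name]
    if restriction_type == "androidKeyRestrictions":
        argv += [f"{flag}={entry}" for entry in allowed]
    else:
        argv.append(f"{flag}={','.join(allowed)}")
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    for name in unrestricted_keys(SAMPLE_KEYS):
        print("UNRESTRICTED:", name)
        # Constructed placeholder allow-list; replace with the real referrers
        # (or IPs / bundle IDs / Android apps) the key should serve.
        print("  fix:", remediation_command(
            name, "browserKeyRestrictions", ["https://app.example.com/*"]))
```

To run this against a real project, pipe `gcloud alpha services api-keys list --project=PROJECT_ID --format=json` into `json.load` in place of `SAMPLE_KEYS`; the restriction type and allow-list for the update command must come from the owner of each key, since the script cannot know which origins are legitimate.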
References
- Google Cloud Platform (GCP) Documentation
  - Authentication at Google
  - Authenticate using API keys
- CIS Security Documentation
  - Google Cloud Computing Platform
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud alpha services api-keys list
  - gcloud alpha services api-keys describe
  - gcloud alpha services api-keys update
  - gcloud alpha services api-keys delete
Rule: Check for API Key Application Restrictions (Risk Level: Medium)