Check for API Key Application Restrictions

Risk Level: Medium (should be achieved)

Rule ID: CloudAPI-002

Ensure that the use of Google Cloud API keys is limited to trusted and reliable hosts, HTTP referrers, or applications. An API key application restriction manages the authorization of websites, IP addresses, or Android/iOS mobile applications that can employ your API key. It is crucial that all API keys used in production employ host and application restrictions. By enforcing these restrictions, you can reduce the impact that a compromised API key can have on your applications.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Google Cloud API keys are simple encrypted strings that don't identify the user or the application that performs the API request. These keys are typically accessible to clients, as they can be viewed publicly from within a browser, making it easy to discover and steal API keys. Considering these potential risks, Google suggests using the standard authentication flow instead of API keys. Nonetheless, there are specific scenarios where API keys are more suitable. For instance, if there is a mobile application that solely requires access to the Google Cloud Translation API without the need for a backend server, API keys provide the most straightforward authentication method available. To follow cloud security best practices and reduce the attack surface, Google Cloud API keys should be restricted only to trusted and reliable hosts, HTTP referrers, and Android/iOS mobile applications.

Audit

To ensure that your API key usage is restricted to trusted hosts and applications only, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to APIs & Services console available at https://console.cloud.google.com/apis.

04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected GCP project.

05 Click on the name (link) of the API key that you want to examine to access the key properties.

06 On the selected API key page, check the host/application restriction option enabled in the Key restrictions section. Based on the selected restriction, determine if the selected API key usage is unrestricted:

If the host/application restriction is set to None, there is no restriction control enabled to specify which websites, IP addresses, or mobile applications can use the key, therefore the selected API key usage is unrestricted.
If the restriction is set to Websites, check the Website restrictions section for the list of websites that can use the selected API key. If the referrer is set to a wildcard, i.e. * or *.[TLD] or *.[TLD]/*, where [TLD] represents the top-level domain, there are no well-defined restrictions that specify which trusted websites can use your key, therefore the selected API key usage is unrestricted. Also, if the Website restrictions list is blank (no items), your API key will accept requests from any website, hence the API key usage is unrestricted.
If the host/application restriction is set to IP addresses, check the IP address restrictions section for the list of IPv4 or IPv6 addresses that can access the selected API key. If the referrer is set to any host, i.e. 0.0.0.0, 0.0.0.0/0 or ::0, there is no restriction control implemented to specify which host can use your key, therefore the selected API key usage is unrestricted.

07 Repeat steps no. 5 and 6 for each API key created for the selected Google Cloud Platform (GCP)project.

08 Repeat steps no. 2 – 7 for each GCP project deployed within your cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
  cc-webapp-112233
  cc-project5-111222

03 Run services api-keys list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the identifier of each active API key generated for the selected project:

gcloud alpha services api-keys list
  --project=cc-webapp-112233
  --format="table(uid)"

04 The command output should return the IDs of the active API keys:

UID: 
abcd1234-abcd-1234-abcd-1234abcd1234
1234abcd-1234-abcd-1234-abcd1234abcd

05 Run services api-keys describe command (Windows/macOS/Linux) using the ID of the API key that you want to examine as the identifier parameter and custom query filters to describe the API key host and application restrictions configured for the selected key:

gcloud alpha services api-keys describe abcd1234-abcd-1234-abcd-1234abcd1234
  --format="json(restrictions)"

06 Based on the services api-keys describe command output, you can determine if the use of the selected API key is unrestricted:

If the command output returns null, there is no restriction control enabled to specify which websites, IP addresses, or mobile applications can use the key, therefore the selected API key usage is unrestricted:
```
null
```
If the command output returns one or more HTTP referrers for API key application restrictions, as shown in the example above, check the "allowedReferrers" array for the list of domains that can use the selected API key. If the referrer is set to a wildcard, i.e. * or *.[TLD] or *.[TLD]/*, where [TLD] represents the top-level domain, there are no well-defined restrictions that specify which trusted websites can use your key, therefore the selected API key usage is unrestricted:
```
{
	"restrictions": {
		"browserKeyRestrictions": {
			"allowedReferrers": [
				"*.example.com"
			]
		}
	}
}
```
If the services api-keys describe command output returns one or more IPv4/IPv6 addresses for API key application restrictions, as shown in the example above, check the "allowedIps" array for the list of hosts that can access the selected API key. If the "allowedIps" is set to any host, i.e. 0.0.0.0, 0.0.0.0/0 or ::0, there is no restriction control implemented to specify which host can use your key, therefore the selected API key usage is unrestricted:
```
{
	"restrictions": {
		"serverKeyRestrictions": {
			"allowedIps": [
				"0.0.0.0/0"
			]
		}
	}
}
```

07 Repeat steps no. 5 and 6 for each API key generated for the selected Google Cloud Platform (GCP) project.

08 Repeat steps no. 3 – 7 for each project deployed within your cloud account.

Remediation / Resolution

To enable and configure application restrictions for your Google Cloud API keys, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to APIs & Services console available at https://console.cloud.google.com/apis.

04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected GCP project.

05 Click on the name (link) of the API key that you want to reconfigure.

06 On the selected API key page, in the Key restrictions section, perform one of the following sets of commands, based on your application needs:

Select Websites, choose ADD under Website restrictions, and type the trusted HTTP referrer that can use the selected API key in the Website text box. Choose DONE to apply the changes. An HTTP referrer can be a trusted domain ( e.g. example.com ), a specific URL with an exact path ( e.g. example.com/path ), any URL within a single subdomain ( e.g. subdomain.example.com/), an URL with a non-standard port ( e.g. example.com:8000/ ), or any subdomain or path URL within a single domain that is using wildcards (e.g. .example.com/ ). If your trusted domain supports both HTTP and HTTPS, both restrictions must be added separately. Do not set the following HTTP referrers (using wildcard): *or *.[TLD] or *.[TLD]/*, where [TLD] represents the top-level domain, as these referrers allow access to wide HTTP referrers. Use HTTP referrers for API clients that run on a web browser, so that only the specified URLs can call the API.
Select IP addresses, choose ADD under IP address restrictions, and specify one IPv4, IPv6, or a subnet using CIDR notation (e.g. 10.0.0.5/32) in the Address text box. Choose DONE to apply the changes. Don't use the following CIDRs for IPv4/IPv6 addresses: 0.0.0.0, 0.0.0.0/0 or ::0, as these referrers allow access to any hosts and translates to unrestricted access. Use specific IP addresses to limit API key access to trusted hosts only.
Select Android apps, choose ADD under Android restrictions, and specify the app package name and the required SHA-1 signing-certificate fingerprint in the Add Android app section. Choose DONE to apply the changes. This application restriction option requires adding your Android app package name and its signing-certificate fingerprint.
Select iOS apps, choose ADD under iOS restrictions then type the required iOS bundle identifier (ID) in the Add iOS app section. Choose DONE to apply the configuration changes. This option requires adding at least one iOS bundle identifier (ID) in order to restrict API calls to specific iOS bundles.

07 Choose SAVE to save the changes.

08 (Optional) You can also choose to remove the non-compliant key entirely. Select the API key that you want to remove and choose DELETE. In the Delete credential confirmation box, choose DELETE to confirm the key removal. Once deleted, the key can no longer be used to make API requests. For 30 days after deletion, you can restore your API key from the deleted credentials page.

09 Repeat steps no. 5 – 8 to enable and configure host/application restrictions for each API key created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each project available within your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run services api-keys update command (Windows/macOS/Linux) to update the configuration of the specified API key in order to enable host/application restrictions. Use the --allowed-ips parameter to specify the allowed IP addresses as server key restrictions for the selected API key. Use the --allowed-referrers parameter to enable allowed referrers restriction for the selected key. To update key's allowed Android application, use the --allowed-application parameter and to update API key's allowed iOS app bundle id(s) use the --allowed-bundle-ids command parameter. As an example, the following services api-keys update command request enables restrictions using IPv4 addresses, therefore the API key access is restricted to the trusted IPs (hosts) specified within the --allowed-ips parameter value (e.g. 10.0.0.5 and 10.0.0.6):

gcloud alpha services api-keys update abcd1234-abcd-1234-abcd-1234abcd1234
  --allowed-ips=10.0.0.5,10.0.0.6

02 The output should return the configuration information available for the updated API key:

Operation operations/akmf...abcd complete. Result: {
	"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
	"createTime":"2023-06-18T10:27:46.153370Z",
	"displayName":"cc-webapp-112233",
	"etag":"abcdabcdabcdabcdabcdab==",
	"name":"projects/123456789012/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
	"restrictions":{
		"serverKeyRestrictions":{
			"allowedIps":[
				"10.0.0.5",
				"10.0.0.6"
			]
		}
	},
	"uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
	"updateTime":"2023-06-18T13:16:04.687488Z"
}

03 (Optional) You can also remove the non-compliant key entirely. Run services api-keys delete command (Windows/macOS/Linux) to remove the specified API key from your GCP project:

gcloud alpha services api-keys delete abcd1234-abcd-1234-abcd-1234abcd1234

04 The command output should return information about the deleted resource:

Operation operations/akmf...abcd complete. Result: {
	"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
	"createTime":"2023-06-19T13:12:06.025308Z",
	"deleteTime":"2023-06-19T13:05:28.205577Z",
	"displayName":"API key 1",
	"etag":"abcdabcdabcdabcdabcdab==",
	"name":"projects/683977297284/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
	"restrictions":{
		"serverKeyRestrictions":{
			"allowedIps":[
				"0.0.0.0/0"
			]
		}
	},
	"uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
	"updateTime":"2023-06-19T14:05:28.237699Z"
}

05 Repeat steps no. 1 and 2 to enable and configure host/application restrictions for each API key generated for the selected GCP project.

06 Repeat steps no. 1 – 5 for each project deployed in your Google Cloud Platform (GCP) account.

References

Google Cloud Platform (GCP) Documentation
Authentication at Google
Authenticate using API keys

CIS Security Documentation
Google Cloud Computing Platform

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud alpha services api-keys list
gcloud alpha services api-keys describe
gcloud alpha services api-keys update
gcloud alpha services api-keys delete

Publication date Jun 29, 2023

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Check for API Key Application Restrictions

Risk Level: Medium

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related CloudAPI rules