Ensure that all your Google Cloud API keys are regenerated (rotated) on a regular schedule in order to meet security and compliance requirements. By default, Conformity recommends rotating keys every 90 days. Google Cloud Platform (GCP) API keys are simple, opaque, unencrypted strings (bearer credentials: anyone holding the string can use it) that identify the calling project when invoking APIs that don't need to access private user data. API keys are typically used to associate API requests with your GCP project for quota and billing purposes.
This rule resolution is part of the Conformity Security & Compliance tool for GCP.
Once a Google Cloud API key is compromised, it can be used indefinitely unless the project owner deletes or regenerates that key. Rotating GCP API keys on a schedule substantially narrows the window in which a key that has been leaked, guessed, or stolen can be abused (for example, to run up quota and billing against your project), and ensures that an outdated key that might have been lost no longer works. Rotation complements, but does not replace, the API and application restrictions that should be configured on every key.
Audit
To determine if your Google Cloud API keys are regularly rotated (i.e. every 90 days), perform the following operations:
Remediation / Resolution
To regenerate/rotate your Google Cloud API keys periodically (every 90 days), perform the following operations:
References
- Google Cloud Platform (GCP) Documentation
  - Authentication overview
  - Using API keys
  - API security best practices
- CIS Security Documentation
  - Securing Google Cloud Computing Platform
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud alpha services api-keys list
  - gcloud alpha services api-keys describe
  - gcloud alpha services api-keys delete