Ensure that your Google Cloud Platform (GCP) user-managed service accounts are using GCP-managed keys instead of user-managed keys for authentication. For user-managed key pairs, key management operations such as key storage, key distribution, key revocation, key recovery and key rotation, as well as key protection against unauthorized access, are your responsibilities.
Anyone who has access to your user-managed keys will be able to access GCP resources through their associated service accounts. Deleting unwanted user-managed service account keys will significantly reduce the chances that a compromised set of keys can be used without your knowledge to access certain Google Cloud components and resources.
Note: Deleting user-managed service account keys may break communication with the applications that are using the corresponding keys. Make sure that your key pairs are reviewed before removal.
To determine if your GCP service accounts are using user-managed keys, perform the following operations:
Remediation / Resolution
To delete any user-managed keys associated with your Google Cloud Platform (GCP) service accounts, perform the following actions:
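The audit and clean-up steps themselves are behind the knowledge-base login, so as an added example (not Cloud Conformity's, Trend Micro's or Google's code) here is an offline audit script for the same check. It assumes only the JSON shape printed by `gcloud iam service-accounts keys list --iam-account=EMAIL --format=json` (the IAM ServiceAccountKey fields `name`, `keyType`, `keyOrigin`, `validAfterTime`, `validBeforeTime`); the two listings embedded in it are constructed samples, not real accounts or keys. It separates Google-managed keys (`SYSTEM_MANAGED`) from user-managed ones (`USER_MANAGED`), reports each finding's age and whether it ever expires, and drafts the delete commands for review instead of running them, matching the note above about checking key pairs before removal.

```python
"""Audit GCP service accounts for user-managed keys from captured gcloud output.

Input is the JSON printed by
  gcloud iam service-accounts keys list --iam-account=EMAIL --format=json
(one listing per service account), so the audit can run offline against
saved output. Field names follow the IAM ServiceAccountKey resource; the
listings below are constructed samples, not real keys.
"""
import json
from datetime import datetime, timezone

GCLOUD_TIME = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format used in the listing

# Constructed sample output for two service accounts (all values made up).
SAMPLE_KEY_LISTINGS = {
    "app-backend@example-project.iam.gserviceaccount.com": """[
      {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED",
       "keyType": "SYSTEM_MANAGED",
       "name": "projects/example-project/serviceAccounts/app-backend@example-project.iam.gserviceaccount.com/keys/1a2b3c4d5e6f",
       "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "2024-05-15T00:00:00Z"},
      {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED",
       "keyType": "USER_MANAGED",
       "name": "projects/example-project/serviceAccounts/app-backend@example-project.iam.gserviceaccount.com/keys/0f9e8d7c6b5a",
       "validAfterTime": "2023-01-10T12:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
    ]""",
    "ci-deployer@example-project.iam.gserviceaccount.com": """[
      {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "USER_PROVIDED",
       "keyType": "USER_MANAGED",
       "name": "projects/example-project/serviceAccounts/ci-deployer@example-project.iam.gserviceaccount.com/keys/aa11bb22cc33",
       "validAfterTime": "2024-06-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
    ]""",
}


def parse_key_listing(account_email, raw_json):
    """Flatten one account's key listing into records the audit can filter."""
    records = []
    for key in json.loads(raw_json):
        records.append({
            "account": account_email,
            # The key ID is the last segment of projects/.../keys/<id>.
            "key_id": key["name"].rsplit("/", 1)[-1],
            "key_type": key["keyType"],               # SYSTEM_MANAGED or USER_MANAGED
            "key_origin": key.get("keyOrigin", "UNKNOWN"),
            "valid_after": datetime.strptime(key["validAfterTime"], GCLOUD_TIME).replace(tzinfo=timezone.utc),
            # Google-rotated keys expire within days; user-managed ones default to year 9999.
            "never_expires": key["validBeforeTime"].startswith("9999-"),
        })
    return records


def find_user_managed_keys(listings):
    """Return every USER_MANAGED key across all listed accounts."""
    findings = []
    for email, raw in listings.items():
        findings.extend(r for r in parse_key_listing(email, raw) if r["key_type"] == "USER_MANAGED")
    return findings


def key_age_days(record, now):
    """Days since the key became valid, i.e. since it was created."""
    return (now - record["valid_after"]).days


def deletion_plan(findings):
    """Draft the gcloud commands for review; nothing is executed here."""
    return [
        f"gcloud iam service-accounts keys delete {f['key_id']} --iam-account={f['account']}"
        for f in findings
    ]


def audit_report(listings, now_iso=None):
    """Return (findings, human-readable report lines) for the given listings."""
    now = (datetime.strptime(now_iso, GCLOUD_TIME).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    findings = find_user_managed_keys(listings)
    lines = [
        f"{f['account']}: key {f['key_id']} is USER_MANAGED "
        f"({f['key_origin']}, {key_age_days(f, now)} days old"
        f"{', never expires' if f['never_expires'] else ''})"
        for f in findings
    ]
    return findings, lines


if __name__ == "__main__":
    found, report = audit_report(SAMPLE_KEY_LISTINGS)
    print("\n".join(report) or "No user-managed keys found.")
    print("\nReview with the owning team before running:")
    print("\n".join(deletion_plan(found)))
```

Against a live project the same filter is available on the CLI as `gcloud iam service-accounts keys list --iam-account=EMAIL --managed-by=user`; the script exists so the result can be reviewed and diffed over time from saved output. The drafted delete commands are deliberately left as text, since removing a key an application still uses breaks that application.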
- Google Cloud Platform (GCP) Documentation
- Cloud Identity and Access Management (IAM)
- Service accounts
- Creating and managing service account keys
- CIS Security Documentation
- Securing Google Cloud Computing Platform
You are auditing: Delete User-Managed Service Account Keys
Risk level: Medium