Disable Service Account Key Upload

Risk Level: Medium (should be achieved)

Ensure that user-managed service account key upload is disabled within your Google Cloud project, folder, or the entire organization, through the "Disable Service Account Key Upload" organization policy. This allows you to control the upload process of unmanaged long-term credentials for your Cloud IAM service accounts. By default, users can upload keys to service accounts based on their Cloud IAM roles and permissions.

Security

User-managed keys are extremely powerful credentials and they can pose a security risk if they are not managed correctly. If the user-managed service account keys are compromised, anyone who has access to these credentials will be able to access your Google Cloud Platform (GCP) resources through their associated service account. You can limit their use by applying the "Disable Service Account Key Upload" organization policy to projects, folders, or your entire organization. Once this resource constraint is active, you can enable user-managed key upload in well-controlled environments, to minimize the potential risk caused by unmanaged keys.

Note: As example, this conformity rule demonstrates how to disable the upload feature for new user-managed service account keys at the Google Cloud organization level.

Audit

To determine if user-managed service account key upload is disabled for your GCP organizations, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Name and Disable Service Account Key Upload to return the "Disable Service Account Key Upload" policy.

06 Click on the name of the organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the policy is not enforced within your organization, therefore the upload of user-managed (external) service account keys is not disabled for the selected Google Cloud organization.

08 Repeat steps no. 2 – 7 for each organization available in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each organization available within your Google Cloud account:

gcloud organizations list
    --format="table(name)"

02 The command output should return the requested organization identifiers (IDs):

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as identifier parameter, to describe the enforcement configuration of the "Disable Service Account Key Upload" policy, available for the selected organization:

gcloud alpha resource-manager org-policies describe "iam.disableServiceAccountKeyUpload"
    --effective
    --organization=112233441122
    --format="table(booleanPolicy)"

04 The command request should return the requested configuration information:

BOOLEAN_POLICY
{}

If the resource-manager org-policies describe command output returns an empty object for the BOOLEAN_POLICY configuration attribute, as shown in the example above, the "Disable Service Account Key Upload" policy is not enforced at the organization level, therefore the upload of user-managed (external) service account keys is not disabled for the selected Google Cloud organization.

05 Repeat step no. 3 and 4 for each organization created within your Google Cloud account.

Remediation / Resolution

To ensure that Cloud IAM service account key upload is disabled within your Google Cloud organization, enforce the "Disable Service Account Key Upload" organization policy by performing the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your organization.

05 Click inside the Filter by policy name or ID box, select Name and Disable Service Account Key Upload to list only the "Disable Service Account Key Upload" policy.

06 Click on the name of the organization policy listed at the previous step.

07 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

08 On the Edit policy configuration page, perform the following actions:

Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
Under Enforcement, select On to enforce policy constraint. This constraint disables the upload of user-managed keys for Cloud IAM service accounts within the selected Google Cloud organization.
Click SAVE to apply the changes and enforce the "Disable Service Account Key Upload" policy constraints.

09 If required, repeat steps no. 2 – 8 to enable the necessary policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Run resource-manager org-policies enable-enforce command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as identifier parameter, to enforce the "Disable Service Account Key Upload" policy (i.e. "iam.disableServiceAccountKeyUpload" constraint) for the selected organization:

gcloud alpha resource-manager org-policies enable-enforce "iam.disableServiceAccountKeyUpload"
    --organization=112233441122

02 The command request should return the reconfigured organization policy metadata:

booleanPolicy:
  enforced: true
constraint: constraints/iam.disableServiceAccountKeyUpload
etag: abcdabcdabcd
updateTime: '2020-09-02T10:00:00.000Z'

03 If required, repeat step no. 1 and 2 to enforce the required policy for other organizations created within your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Cloud Identity and Access Management (IAM)
Service accounts
Creating and managing service account keys
Restricting service account usage

GCP Command Line Interface (CLI) Documentation
gcloud organizations list
gcloud alpha resource-manager org-policies describe
gcloud alpha resource-manager org-policies enable-enforce

Publication date May 10, 2021

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Disable Service Account Key Upload

Risk Level: Medium

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related ResourceManager rules