Cloud Conformity API Keys Rotation (30 Days)

Risk Level: Medium (should be achieved)

Ensure that all your Cloud Conformity API keys are rotated every 30 days in order to decrease the likelihood of accidental exposure. An API key is a secure 64-bit strong key, randomly generated by Cloud Conformity engine on your behalf and utilized for operations such as registering new AWS accounts, collecting necessary checks, etc.

Security

Rotating API credentials periodically will significantly reduce the chances that a compromised set of keys can be used without your knowledge to access certain components and features within your Cloud Conformity account.

Note: You can have up to two API keys for your Cloud Conformity account at a time, which is useful when you want to rotate your API keys.

Audit

To determine if your Cloud Conformity account has any outdated (> 30 days) API keys in use, perform the following:

Using Cloud Conformity Console

01 Sign in to your Cloud Conformity account.

02 Navigate to API Keys dashboard at https://ap-southeast-2.cloudconformity.com/user/api - for Sydney, Australia region, at https://us-west-2.cloudconformity.com/user/api - for Oregon, US region or at https://eu-west-1.cloudconformity.com/user/api - for Ireland, Europe region.

03 Inside the API Keys section, in the Creation Date column: https://goo.gl/Kjv3oV, check for any API keys older than 30 days with the Status set to Enabled (active). If an active API key is older than 30 days, the key is outdated and needs to be changed in order to secure the access to your Cloud Conformity components and features.

04 Repeat steps no. 1 – 3 for each Cloud Conformity account that you want to examine.

Using Cloud Conformity CLI

01 Run curl command using your API key to query the Cloud Conformity endpoint in order to list all the API keys (and their metadata) created for your account. The valid endpoint URLs are: https://ap-southeast-2-api.cloudconformity.com/v1/api-keys (Sydney, Australia region), https://us-west-2-api.cloudconformity.com/v1/api-keys (Oregon, US region) and https://eu-west-1-api.cloudconformity.com/v1/api-keys (Ireland, Europe region):

curl -H "Authorization: ApiKey aaaBaaCccDdddeeefffaaaAAbbbccccDDDDeeeefffffaaaabbbcccccCCCddEEE" https://ap-southeast-2-api.cloudconformity.com/v1/api-keys

02 The command output should return the API keys currently available within your Cloud Conformity account:

{
	"data": [
		{
			"type": "api-keys",
			"id": "aaaabbbb-ccc",
			"attributes": {
				"created-date": 1503431580000,
				"status": "ENABLED",
				"last-used-date": 1510917837000
			},
			"relationships": {}
		}
	]
}

03 Run date command (Linux/UNIX) using the timestamp value (milliseconds) returned as value for the created-date attribute at the previous step, to convert it to a human readable date value:

date -d @$( echo "(1503431580000 + 500) / 1000" | bc)

04 The command output should return the requested date in human readable format:

Tue Aug 22 19:53:00 UTC 2017

br> Check the date returned by the command output for the active API key. An active API key should have the status attribute value set to "ENABLED". If the lifetime of the selected API key is greater than 30 days, the key is outdated and needs to be replaced in order to secure the access to your Cloud Conformity components and features.

05 Repeat step no. 3 and 4 for other active API keys available in your Cloud Conformity account.

06 Repeat steps no. 1 – 5 for each Cloud Conformity account that you want to examine.

Remediation / Resolution

To rotate (renew) your outdated Cloud Conformity API keys, perform the following actions:

Note: Renewing Cloud Conformity API keys using the CLI is disabled for security reasons. The operation can be implemented only using the Cloud Conformity dashboard.

Using Cloud Conformity Console

01 Sign in to your Cloud Conformity account.

03 Inside the API Keys section, click + New API Key to create the new Cloud Conformity API credentials that will replace the old ones.

04 Inside API Key dialog box, copy the new API key (highlighted): https://goo.gl/UwW86W to a safe location then click Close to return to the Cloud Conformity dashboard.

05 Now update your application(s) code and replace the existing API key with the new one. Test your application(s) to make sure that the API credentials are working.

06 Once your new API key is validated, return to Cloud Conformity dashboard, identify the outdated API key and click Disable: https://goo.gl/KQ3Wh5 to disable the key.

07 Inside Warning confirmation box, click Yes, disable it to confirm the action. Once confirmed, the status of the API key should change to Disabled. (!) IMPORTANT: Cloud Conformity strongly recommends waiting few days before going forward with the next step in order to ensure that the outdated key is no longer used by your applications.

08 Once you are sure that your applications are no longer using the disabled API key, return to the Cloud Conformity dashboard and delete the key by clicking the Remove button: https://goo.gl/EMKExN to initiate the removal process.

09 Inside Warning confirmation box, click Yes, remove it to confirm the action and remove the API key from your account.

10 Repeat steps no. 3 – 9 for each outdated (older than 30 days) API key, available in your Cloud Conformity account.

11 Repeat steps no. 1 – 10 to renew outdated API keys for other Cloud Conformity accounts.

References

Cloud Conformity Documentation
Cloud Conformity API allows you to programmatically interact with Cloud Conformity
Cloud Conformity API Keys API

Publication date Nov 11, 2017

Audit

Using Cloud Conformity Console

Using Cloud Conformity CLI

Remediation / Resolution

Using Cloud Conformity Console

References

Related Cloud Conformity rules