Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

API Keys Should Only Exist for Active Services

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: CloudAPI-005

Ensure that your Google Cloud projects are using the standard authentication flow as the preferred method for authentication, rather than relying on API keys. In Google Cloud, API keys are simple encrypted strings that can be used when calling certain APIs which don't need to access private user data. API keys are usually accessible to clients, as they can be publicly viewed from within a browser, making them easy to discover by unauthorized personnel. API keys should be exclusively employed for active services when alternative authentication methods are not accessible, otherwise deleted.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Because only a limited number of Google Cloud Platform (GCP) services allow access using just API keys, without requiring another type of credentials, Google recommends using a standard authentication flow instead of API keys for most services and applications. Deleting API keys should enforce the use of secure authentication methods only and minimize the exposure to attacks.

Audit

To determine if your Google Cloud projects are using API keys for active services, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to APIs & Services console available at https://console.cloud.google.com/apis.

04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected GCP project.

05 On the Credentials page, check for any keys listed in the API Keys section. If one or more keys are listed in this section, the selected Google Cloud Platform (GCP) project can host applications and/or services that use API keys as credentials for authentication.

06 Repeat steps no. 2 – 5 for each Google Cloud Platform (GCP) project deployed within your cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account: 

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs: 

PROJECT_ID
  cc-webapp-112233
  cc-project5-111222

03 Run services api-keys list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the identifier of each active API key generated for the selected project: 

gcloud alpha services api-keys list
  --project=cc-webapp-112233
  --format="table(uid)"

04 The command output should return the IDs of the active API keys: 

UID: 
abcd1234-abcd-1234-abcd-1234abcd1234
1234abcd-1234-abcd-1234-abcd1234abcd

If the services api-keys list command output returns one or more API key IDs, as shown in the example above, the selected Google Cloud Platform (GCP) project can host applications and/or services that use API keys as credentials for authentication.

05 Repeat steps no. 3 and 4 for each Google Cloud Platform (GCP) project deployed within your cloud account.

Remediation / Resolution

API keys should be used solely for active services in situations where alternative authentication methods are not available, otherwise, they should be deleted. To remove any API keys associated with your Google Cloud Platform (GCP) projects, perform the following operations:

Ensure that your API keys are reviewed before removal as deleting API keys may break communication with the clients and/or applications that are using those keys.

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to APIs & Services console available at https://console.cloud.google.com/apis.

04 In the main navigation panel, select Credentials to access the list of the API keys provisioned for the selected GCP project.

05 Select the API key that you want to delete from the API Keys section, and choose DELETE to remove the selected key from your Google Cloud Platform (GCP) project. IMPORTANT: Deleting an API key will break dependent clients and/or applications. Ensure that your API key is reviewed before removal.

06 In the Delete credential confirmation box, choose DELETE to confirm the key removal. Once deleted, the key can no longer be used to make API requests. For 30 days after deletion, you can restore your API key from the deleted credentials page.

07 Repeat steps no. 2 – 6 for each Google Cloud Platform (GCP) project available in your cloud account.

Using GCP CLI

01 Run services api-keys delete command (Windows/macOS/Linux) with the ID of the API key that you want to delete as the identifier parameter, to remove the specified key from your Google Cloud Platform (GPC) project. IMPORTANT: Deleting an API key will break dependent clients and/or applications. Ensure that your API key is reviewed before removal: 

gcloud alpha services api-keys delete abcd1234-abcd-1234-abcd-1234abcd1234

02 The command output should return information about the deleted resource: 

Operation operations/akmf...abcd complete. Result: {
	"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
	"createTime":"2023-06-19T13:12:06.025308Z",
	"deleteTime":"2023-06-19T13:05:28.205577Z",
	"displayName":"API key 1",
	"etag":"abcdabcdabcdabcdabcdab==",
	"name":"projects/683977297284/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
	"restrictions":{
		"serverKeyRestrictions":{
			"allowedIps":[
				"0.0.0.0/0"
			]
		}
	},
	"uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
	"updateTime":"2023-06-19T14:05:28.237699Z"
}

03 Repeat steps no. 1 and 2 for each API key that you want to delete, associated with your GCP project.

04 Repeat steps no. 1 – 3 for each Google Cloud Platform (GCP) project available within your cloud account.

References

Publication date Jun 29, 2023

Related CloudAPI rules