Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Check for API Key API Restrictions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudAPI-003

Ensure that the usage of your Google Cloud API keys is restricted to specific APIs such as Cloud Key Management Service (KMS) API, Cloud Storage API, Cloud Monitoring API and/or Cloud Logging API. All Google Cloud API keys that are being used for production applications should use API restrictions.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Google Cloud Platform (GCP) API keys are opaque strings that identify the calling GCP project (for quota and billing purposes) but not the user or principal behind a request, so a key on its own proves nothing about who is calling. API keys are typically embedded in client-side code or passed as URL query parameters, which means anyone who can view a page source, decompile a mobile application, or inspect traffic from a browser can discover and reuse them. To follow cloud security best practices and reduce the attack surface, restrict each Google Cloud API key so that it can call only the APIs your application actually requires; a leaked key is then limited to those APIs instead of every API that accepts API keys in the project.


Audit

To determine if your Google Cloud API key usage is restricted to specific APIs only, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to APIs & Services console at https://console.cloud.google.com/apis/credentials.

04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected Google Cloud Platform (GCP) project.

05 Click on the name (link) of the API key that you want to examine to access the key properties.

06 On the selected API key page, check the API restriction option enabled within the API restrictions section. Based on the API restriction selected, determine whether or not the selected API key usage is restricted to specific APIs only:

  • If the API restriction is set to Don't restrict key, there is no API restriction control enabled, therefore the selected API key can call any supported Google Cloud Platform (GCP) API.
  • If the API restriction is set to Restrict key, check the Selected APIs section for the list of APIs that can use the selected API key. If the list of API restrictions enabled contains Google Cloud APIs, the selected API key can call any GCP API because the Google Cloud APIs option represents the API collection of all the cloud services/APIs offered by Google Cloud Platform.

07 Repeat steps no. 5 and 6 for each API key generated for the selected GCP project.

08 Repeat steps no. 2 – 7 for each project available within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
  cc-project5-112233
  cc-internal-111222

03 Run services api-keys list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the identifier of each active API key generated for the selected project. The commands below use the alpha release track that was current when this page was written; in later Cloud SDK releases the same commands are available without the alpha prefix, as gcloud services api-keys:

gcloud alpha services api-keys list
  --project=cc-project5-112233
  --format="table(uid)"

04 The command output should return the IDs of the active API keys:

UID
  abcd1234-abcd-1234-abcd-1234abcd1234
  1234abcd-1234-abcd-1234-abcd1234abcd

05 Run services api-keys describe command (Windows/macOS/Linux) using the ID of the API key that you want to examine as the identifier parameter and custom query filters to list the names of the Google Cloud APIs that can use the selected API key:

gcloud alpha services api-keys describe abcd1234-abcd-1234-abcd-1234abcd1234
  --format="json(restrictions)"

06 Based on the services api-keys describe command output, you can determine whether or not the use of the selected API key is restricted to specific APIs only:

  • If the command output returns no "restrictions" object (for example null or an empty object), or a "restrictions" object that contains no "apiTargets" array (for example, only browser, IP address or application restrictions are configured), there is no API restriction control enabled, therefore the selected API key can call any supported Google Cloud Platform (GCP) API:
    null
    
  • If the command output returns one or more APIs, check the "apiTargets" array for the list of GCP APIs that can use the selected API key. If the "apiTargets" array contains "cloudapis.googleapis.com", as shown in the example below, the selected API key can call any GCP API because the "cloudapis.googleapis.com" option represents the API collection of all the cloud services/APIs offered by Google Cloud Platform:
    {
      "restrictions": {
        "apiTargets": [
          {
            "service": "cloudapis.googleapis.com"
          }
        ]
      }
    }
    

07 Repeat steps no. 5 and 6 for each API key generated for the selected GCP project.

08 Repeat steps no. 3 – 7 for each project deployed within your Google Cloud account.

Remediation / Resolution

To enable and configure API restrictions for your Google Cloud API keys, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to APIs & Services console at https://console.cloud.google.com/apis/credentials.

04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected Google Cloud Platform (GCP) project.

05 Click on the name of the API key that you want to reconfigure.

06 On the selected API key page, in the API restrictions section, perform the following actions:

  1. Select Restrict key option to initiate the API restriction configuration process.
  2. From the Select APIs dropdown list, select one or more GCP APIs to enable API restrictions for the selected API key based on your application needs. Do not select Google Cloud APIs, as this option allows access to all services/APIs offered by Google Cloud Platform (GCP). The list of added API restrictions should be available in the Selected APIs list.
  3. Choose SAVE to apply the changes. It may take up to 5 minutes for configuration changes to take effect.

07 Repeat steps no. 5 and 6 to enable and configure API restrictions for other API keys created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run services api-keys update command (Windows/macOS/Linux) to update the configuration of the specified API key in order to enable API restrictions. Use the --api-target parameter to specify the names of the Google Cloud APIs that the selected key can call, repeating the flag once for each API the key needs. Do not specify cloudapis.googleapis.com, as that would leave the key able to call every GCP API. For example, once the configuration is updated, the selected API key can call only the Google Cloud Storage API:

gcloud alpha services api-keys update abcd1234-abcd-1234-abcd-1234abcd1234
  --api-target=service=storage_component

02 The output should return the metadata available for the updated API key:

Operation [operations/akmf.p10-123456789012-1234abcd-1234-abcd-1234-abcd1234abcd] complete. Result: {
  "@type":"type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime":"2021-10-28T10:27:46.153370Z",
  "displayName":"cc-project5-api-key",
  "etag":"abcdabcdabcdabcdabcdab==",
  "name":"projects/123456789012/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
  "restrictions":{
    "apiTargets":[
      {
        "service":"storage_component"
      }
    ]
  },
  "uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
  "updateTime":"2021-10-28T13:16:04.687488Z"
}

03 Repeat steps no. 1 and 2 to enable and configure API restrictions for other API keys generated for the selected GCP project.

04 Repeat steps no. 1 – 3 for each project deployed in your Google Cloud account.
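The audit steps above (list the keys of each project, inspect "restrictions.apiTargets", treat a missing array or "cloudapis.googleapis.com" as unrestricted) and the remediation command (services api-keys update with --api-target) are easy to get wrong when repeated by hand across many projects. The script below is an added example, not the Conformity tool's own code: it wraps the gcloud commands from both sections, classifies every key with the same three outcomes the page describes, and can optionally restrict every non-compliant key to a fixed list of services. It assumes gcloud is installed and authenticated and that services api-keys is available without the alpha prefix (prepend alpha on a 2021-era SDK); the --fix option and the SAMPLE_KEYS records are this script's own constructions, shaped like gcloud's JSON output, and are not real keys.

```python
#!/usr/bin/env python3
"""Audit, and optionally remediate, Google Cloud API keys without API restrictions.

Added example (not the Conformity page's own tooling). It scripts the gcloud
commands from the Audit and Remediation sections:
  gcloud services api-keys list   --project=PROJECT --format=json
  gcloud services api-keys update KEY_NAME --api-target=service=SERVICE
Assumptions: gcloud is installed and authenticated, and the SDK exposes
`services api-keys` without the alpha prefix (prepend "alpha" on older SDKs).
SAMPLE_KEYS are constructed to mirror gcloud's JSON output; they are not real keys.
"""
import json
import subprocess
import sys

# The Console's "Google Cloud APIs" entry corresponds to this service name; a
# key that lists it can call every GCP API, so it is treated as unrestricted.
ALL_APIS = "cloudapis.googleapis.com"


def classify_key(key):
    """Return (verdict, services) for one Key resource as returned by gcloud.

    UNRESTRICTED - no "restrictions" block, or one without "apiTargets"
                   (browser/IP/app restrictions alone do not limit APIs)
    ALL_APIS     - "apiTargets" includes cloudapis.googleapis.com
    RESTRICTED   - "apiTargets" names specific services only
    """
    targets = (key.get("restrictions") or {}).get("apiTargets") or []
    services = [t.get("service", "") for t in targets]
    if not services:
        return "UNRESTRICTED", services
    if ALL_APIS in services:
        return "ALL_APIS", services
    return "RESTRICTED", services


def list_keys(project):
    """Run `gcloud services api-keys list` for one project and parse the JSON."""
    proc = subprocess.run(
        ["gcloud", "services", "api-keys", "list",
         f"--project={project}", "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout or "[]")


def update_command(key_name, services):
    """Build the gcloud argv that restricts key_name to the given services.

    --api-target is repeated once per service. key_name is the full resource
    name (projects/NUMBER/locations/global/keys/UID) taken from the list output.
    """
    if not services or ALL_APIS in services:
        raise ValueError("remediation must name specific services, not the full API set")
    return (["gcloud", "services", "api-keys", "update", key_name]
            + [f"--api-target=service={s}" for s in services])


def audit(projects, fix_with=None):
    """Return one (project, uid, verdict, services) tuple per key.

    With fix_with (a list of service names) every non-compliant key is
    restricted to exactly those services via `gcloud services api-keys update`.
    """
    findings = []
    for project in projects:
        for key in list_keys(project):
            verdict, services = classify_key(key)
            findings.append((project, key.get("uid"), verdict, services))
            if fix_with and verdict != "RESTRICTED":
                subprocess.run(update_command(key["name"], fix_with), check=True)
    return findings


# Constructed sample records in the shape gcloud returns (not real keys).
SAMPLE_KEYS = [
    {"uid": "k-none", "name": "projects/123456789012/locations/global/keys/k-none"},
    {"uid": "k-all", "name": "projects/123456789012/locations/global/keys/k-all",
     "restrictions": {"apiTargets": [{"service": ALL_APIS}]}},
    {"uid": "k-referrer-only", "name": "projects/123456789012/locations/global/keys/k-referrer-only",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]}}},
    {"uid": "k-ok", "name": "projects/123456789012/locations/global/keys/k-ok",
     "restrictions": {"apiTargets": [{"service": "storage_component"},
                                     {"service": "logging.googleapis.com"}]}},
]

if __name__ == "__main__":
    # Usage: apikey_audit.py PROJECT_ID [PROJECT_ID ...] [--fix=svc1,svc2]
    args = sys.argv[1:]
    fix = next((a.split("=", 1)[1].split(",") for a in args if a.startswith("--fix=")), None)
    projects = [a for a in args if not a.startswith("--fix=")]
    if not projects:
        sys.exit("usage: apikey_audit.py PROJECT_ID [PROJECT_ID ...] [--fix=svc1,svc2]")
    for project, uid, verdict, services in audit(projects, fix):
        print(f"{project}\t{uid}\t{verdict}\t{','.join(services) or '-'}")
```

Run it without --fix first and review the UNRESTRICTED and ALL_APIS rows; the fix option applies one service list to every non-compliant key, which is only appropriate when those keys genuinely need the same APIs, otherwise restrict each key individually as in step 01 above. The referrer-only sample is the case worth noticing: a key that has browser restrictions but no apiTargets still fails this rule.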


Publication date Oct 28, 2021