Ensure that user-managed service account key upload is disabled within your Google Cloud project, folder, or the entire organization, through the "Disable Service Account Key Upload" organization policy. This allows you to control the upload process of unmanaged long-term credentials for your Cloud IAM service accounts. By default, users can upload keys to service accounts based on their Cloud IAM roles and permissions.
User-managed keys are extremely powerful credentials and they can pose a security risk if they are not managed correctly. If the user-managed service account keys are compromised, anyone who has access to these credentials will be able to access your Google Cloud Platform (GCP) resources through their associated service account. You can limit their use by applying the "Disable Service Account Key Upload" organization policy to projects, folders, or your entire organization. Once this resource constraint is active, you can enable user-managed key upload in well-controlled environments, to minimize the potential risk caused by unmanaged keys.
Note: As example, this conformity rule demonstrates how to disable the upload feature for new user-managed service account keys at the Google Cloud organization level.
Audit
To determine if user-managed service account key upload is disabled for your GCP organizations, perform the following operations:
Remediation / Resolution
To ensure that Cloud IAM service account key upload is disabled within your Google Cloud organization, enforce the "Disable Service Account Key Upload" organization policy by performing the following operations:
References
- Google Cloud Platform (GCP) Documentation
- Cloud Identity and Access Management (IAM)
- Service accounts
- Creating and managing service account keys
- Restricting service account usage
- GCP Command Line Interface (CLI) Documentation
- gcloud organizations list
- gcloud alpha resource-manager org-policies describe
- gcloud alpha resource-manager org-policies enable-enforce