Delete User-Managed Service Account Keys

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that your Google Cloud Platform (GCP) user-managed service accounts are using GCP-managed keys instead of user-managed keys for authentication. For user-managed key pairs, key management operations such as key storage, key distribution, key revocation, key recovery and key rotation, as well as key protection against unauthorized access, are your responsibilities.

Security

Anyone who has access to your user-managed keys will be able to access GCP resources through their associated service accounts. Deleting unwanted user-managed service account keys will significantly reduce the chances that a compromised set of keys can be used without your knowledge to access certain Google Cloud components and resources.

Note: Deleting user-managed service account keys may break communication with the applications that are using the corresponding keys. Make sure that your key pairs are reviewed before removal.


Audit

To determine if your GCP service accounts are using user-managed keys, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Service Accounts.

05 Click on the email address of the user-managed service account that you want to examine.

06 On the selected service account configuration page, check for any user-managed key IDs available in the Keys section. If one or more key IDs are listed within this section, the selected Google Cloud Platform (GCP) service account is using user-managed keys.

07 Repeat step no. 5 and 6 for each user-managed service account that you want to examine, created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each Google Cloud Platform (GCP) project available within your account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your GCP account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested project identifiers (IDs):

PROJECT_ID
cc-project5-app-123123
cc-web-app-prod-123123
cc-internal-app-123123

03 Run iam service-accounts list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to list the email address of each service account available for the selected project:

gcloud iam service-accounts list
	--project=cc-project5-app-123123
	--format="table(email)"

04 The command output should return the requested email addresses:

EMAIL
cc-dev-service-account@cc-project5-app-123123.iam.gserviceaccount.com
cc-int-service-account@cc-project5-app-123123.iam.gserviceaccount.com

05 Run iam service-accounts keys list command (Windows/macOS/Linux) using the email address of the service account that you want to examine as identifier parameter, to list the user-managed keys created for the selected GCP service account:

gcloud iam service-accounts keys list
	--iam-account=cc-dev-service-account@cc-project5-app-123123.iam.gserviceaccount.com
	--managed-by=user

06 The command output should return the requested user-managed keys:

KEY_ID                                CREATED_AT          EXPIRES_AT
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd   2020-04-07T17:05:05Z   9999-12-31T23:59:59Z
abcd1234abcd1234abcd1234abcd1234abcd1234   2020-04-07T17:08:51Z   9999-12-31T23:59:59Z

If the iam service-accounts keys list command output returns one or more associated keys, as shown in the output example above, the selected Google Cloud Platform (GCP) service account is using user-managed keys.

07 Repeat step no. 5 and 6 for each user-managed service account that you want to examine, created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project created within your cloud account.

Remediation / Resolution

To delete any user-managed keys associated with your Google Cloud Platform (GCP) service accounts, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Service Accounts.

05 Click on the email address of the user-managed service account that you want to access.

06 On the selected service account configuration page, perform the following:

  1. Click on the Edit button from the dashboard top menu.
  2. Click on the delete icon next to each corresponding user-managed key ID to remove the key resource.
  3. On the Delete key ID confirmation box, click DELETE to confirm the removal action.
  4. Click SAVE to save the new changes.

07 Repeat step no. 5 and 6 for each user-managed service account created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each Google Cloud Platform (GCP) project available within your account.

Using GCP CLI

01 Run iam service-accounts keys delete command (Windows/macOS/Linux) using the email address of the service account that you want to access and the ID of the corresponding key as identifier parameters (see Audit section part I to identify the right GCP resources), to delete the selected user-managed key:

gcloud iam service-accounts keys delete
	--iam-account=cc-dev-service-account@cc-project5-app-123123.iam.gserviceaccount.com abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd

02 The iam service-accounts keys delete command request should ask you for confirmation. Type Y to confirm the removal action. Once removed, the command output should return the ID of the deleted key:

deleted key [abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd] for service account [cc-dev-service-account@cc-project5-app-123123.iam.gserviceaccount.com]

03 Repeat step no. 1 and 2 for each user-managed service account created for the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project available within your cloud account.

References

Publication date Feb 4, 2021

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Delete User-Managed Service Account Keys

Risk level: Medium