Rotate User-Managed Service Account Keys

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)

Ensure that the user-managed keys associated with your Google Cloud Platform (GCP) service accounts are rotated every 90 days or less. Each GCP service account is associated with a key pair managed by Google and used for service-to-service authentication within Google Cloud. Google Cloud Platform also provides the option to create one or more user-managed (external) key pairs for use outside the cloud account. When a new key pair is created, you can download the private key (which is not retained by Google); you are therefore responsible for keeping the private key secure and for managing key rotation.

Security

Rotating user-managed service account keys significantly reduces the chance that a key associated with a compromised or terminated account can still be used. Google Cloud service account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, compromised, or stolen.


Audit

To determine if your GCP user-managed service account keys have been rotated in the past 90 days, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Service Accounts.

05 Choose the service account that you want to examine, then check the creation date shown in the Key creation date column for each user-managed key associated with the selected account. If any user-managed key has a creation date older than 90 days, follow the steps outlined in the Remediation/Resolution section to rotate those keys in order to maintain secure programmatic access to your GCP resources.

06 Repeat step no. 5 for each user-managed service account that you want to examine, created for the selected GCP project.

07 Repeat steps no. 2 – 6 for each Google Cloud Platform (GCP) project available in your account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your GCP account:

gcloud projects list \
    --format="table(projectId)"

02 The command output should return the requested project identifiers:

PROJECT_ID
cc-web-app-prod-123123
cc-project5-app-123123
cc-internal-app-123123

03 Run iam service-accounts list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to list the email address of each service account available for the selected project:

gcloud iam service-accounts list \
    --project=cc-web-app-prod-123123 \
    --format="table(email)"

04 The command output should return the corresponding email addresses:

EMAIL
cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccount.com
cc-testing-account@cc-web-app-prod-123123.iam.gserviceaccount.com

05 Run iam service-accounts keys list command (Windows/macOS/Linux) using the email address of the service account that you want to examine as identifier parameter, to describe the creation date of each user-managed key associated with the selected GCP service account:

gcloud iam service-accounts keys list \
    --iam-account=cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccount.com \
    --managed-by=user \
    --format="table(name,validAfterTime)"

06 The command output should return the ID and the creation date for each available key:

KEY_ID                                    CREATED_AT
abcd1234abcd1234abcd1234abcd1234abcd1234  2020-01-11T10:30:54Z
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd  2020-04-09T12:23:50Z

Check the creation date shown in the CREATED_AT column for each user-managed key associated with the selected account. If one or more user-managed keys have a creation date older than 90 days, follow the steps outlined in the Remediation/Resolution section to rotate those keys in order to maintain secure programmatic access to your Google Cloud resources.

07 Repeat step no. 5 and 6 for each user-managed service account that you want to examine, created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project created within your cloud account.
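The CLI audit above is easy to script. The following is an added example (it is not Conformity's or Google's code): it parses the JSON that `gcloud iam service-accounts keys list --managed-by=user --format=json` prints and reports every user-managed key whose `validAfterTime` is more than 90 days in the past. The sample JSON is constructed to match the two key IDs and dates shown in step 6; the field names (`name`, `keyType`, `validAfterTime`) are those of the ServiceAccountKey resource that gcloud returns, and `list_keys_json` is a hypothetical wrapper that runs the same command live when gcloud and credentials are available.

```python
"""Check user-managed GCP service account keys for age over 90 days.

Added example, not Conformity's or Google's code. Parses the JSON output of
`gcloud iam service-accounts keys list --managed-by=user --format=json` and
flags keys whose validAfterTime is older than MAX_AGE_DAYS.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90


def parse_rfc3339(ts):
    """gcloud prints timestamps like 2020-01-11T10:30:54Z (UTC, second precision)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_id_from_name(name):
    """name is projects/<id>/serviceAccounts/<email>/keys/<key-id>; keep only the key id."""
    return name.rsplit("/", 1)[-1]


def find_stale_keys(keys_json, now, max_age_days=MAX_AGE_DAYS):
    """Return [(key_id, age_in_days), ...] for user-managed keys older than max_age_days.

    `now` is an RFC 3339 string so an audit can be replayed against a fixed date.
    """
    reference = parse_rfc3339(now)
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":  # Google-managed keys are rotated by Google
            continue
        age = reference - parse_rfc3339(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            stale.append((key_id_from_name(key["name"]), age.days))
    return stale


def list_keys_json(iam_account, project):
    """Live variant of Audit step 5 (hypothetical wrapper): needs gcloud and credentials."""
    cmd = ["gcloud", "iam", "service-accounts", "keys", "list",
           f"--iam-account={iam_account}", f"--project={project}",
           "--managed-by=user", "--format=json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample: the two keys from Audit step 6, as gcloud would print them in JSON.
SAMPLE_ACCOUNT = "cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccount.com"
SAMPLE_KEYS_JSON = json.dumps([
    {
        "name": f"projects/cc-web-app-prod-123123/serviceAccounts/{SAMPLE_ACCOUNT}"
                "/keys/abcd1234abcd1234abcd1234abcd1234abcd1234",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2020-01-11T10:30:54Z",
    },
    {
        "name": f"projects/cc-web-app-prod-123123/serviceAccounts/{SAMPLE_ACCOUNT}"
                "/keys/abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2020-04-09T12:23:50Z",
    },
])

if __name__ == "__main__":
    # Replay the audit as of 2020-05-01: the January key is 110 days old and must be rotated.
    for key_id, days in find_stale_keys(SAMPLE_KEYS_JSON, "2020-05-01T00:00:00Z"):
        print(f"ROTATE {SAMPLE_ACCOUNT} key {key_id}: created {days} days ago")
```

To run it against a real project, feed the output of `list_keys_json(email, project_id)` into `find_stale_keys` for each service account email returned by `gcloud iam service-accounts list`; the age comparison is done on full timestamps, so a key crosses the threshold at the exact moment it is 90 days old rather than at midnight.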

Remediation / Resolution

To rotate any external (i.e. user-managed) keys older than 90 days that are associated with your GCP service accounts, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Service Accounts.

05 Click on the email address of the user-managed service account that you want to access.

06 Create a new external key, required to replace the old one. On the selected service account configuration page, perform the following:

  1. Click on the Edit button from the dashboard top menu.
  2. Click the CREATE KEY button available in the Keys section, select JSON or P12 as the key type, then click CREATE to confirm your action and create the new user-managed key. Save the private key to a safe location on your computer, then click CLOSE to return to the GCP IAM dashboard.
  3. Click SAVE to save the changes.

07 Configure the dependent application(s) in order to reference the new external key ID displayed in the Keys section and the private key downloaded at the previous step.

08 Once the new external/user-managed key is referenced within your application(s) code, go back to the selected service account configuration page and remove the old (non-compliant) key by performing the following operations:

  1. Click on the Edit button from the dashboard top menu.
  2. Click on the delete icon next to the user-managed key that you want to delete (see Audit section part I to identify the right key) to remove the old key from the selected service account.
  3. On the Delete key ID confirmation box, click DELETE to confirm the removal action.
  4. Click SAVE to save the changes.

09 Repeat steps no. 6 – 8 to rotate other external keys that are older than 90 days, associated with the selected service account.

10 Repeat steps no. 5 – 9 for each user-managed service account created for the selected GCP project.

11 Repeat steps no. 2 – 10 for each Google Cloud Platform (GCP) project available within your account.

Using GCP CLI

01 Run iam service-accounts keys create command (Windows/macOS/Linux) using the email address of the service account that you want to access as identifier parameter (see Audit section part II to identify the right resource), to create a new external key, required to replace the old (non-compliant) key. Provide a name (e.g. private-key.json) for the JSON file that will store the private key:

gcloud iam service-accounts keys create private-key.json \
    --iam-account=cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccount.com \
    --key-file-type=json

02 The command output should return the ID of the newly created key:

created key [abcdabcdabcd1234123412234abcdabcdabcdacd] of type [json] as [private-key.json] for [cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccount.com]

03 Run iam service-accounts keys delete command (Windows/macOS/Linux) using the email address of the service account that you want to access and the ID of the corresponding key as identifier parameters (see Audit section part II to identify the right GCP resources), to delete the selected user-managed key:

gcloud iam service-accounts keys delete abcd1234abcd1234abcd1234abcd1234abcd1234 \
    --iam-account=cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccount.com

04 The iam service-accounts keys delete command request should ask you for confirmation. Type Y to confirm the removal action. Once removed, the command output should return the ID of the deleted key:

deleted key [abcd1234abcd1234abcd1234abcd1234abcd1234] for service account [cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccount.com]

05 Repeat steps no. 1 – 4 to rotate other external keys that are older than 90 days, associated with the selected service account.

06 Repeat steps no. 1 – 5 for each user-managed service account created for the selected GCP project.

07 Repeat steps no. 1 – 6 for each GCP project available within your cloud account.
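The ordering in the CLI steps above matters: the replacement key must exist and be in use by the application before the old key is deleted, otherwise the rotation causes an outage. The following added example (not Conformity's or Google's code) wraps steps 1 and 3 so that order is enforced in one place. `run` is an injectable command runner so the flow can be exercised without gcloud; `FakeGcloud` is a constructed stand-in that echoes gcloud's "created key [...]" message format, and the key IDs are the ones used in the Audit and Remediation sections.

```python
"""Rotate one user-managed service account key: create the replacement, let the
application switch to it, and only then delete the old key.

Added example, not Conformity's or Google's code. Runs the same gcloud commands
as Remediation CLI steps 1 and 3; the command runner is injectable for testing.
"""
import re
import subprocess

CREATED_KEY_RE = re.compile(r"created key \[([0-9a-f]+)\]")


def run_gcloud(args):
    """Default runner: invoke gcloud and return everything it printed
    (gcloud reports 'created key [...]' on stderr, so both streams are returned)."""
    proc = subprocess.run(["gcloud", *args], check=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def rotate_key(iam_account, old_key_id, key_file, on_new_key, run=run_gcloud):
    """Create a new JSON key, call on_new_key(new_key_id, key_file) so the caller can
    re-point the dependent application, then delete old_key_id. Returns the new key id."""
    out = run(["iam", "service-accounts", "keys", "create", key_file,
               f"--iam-account={iam_account}", "--key-file-type=json"])
    match = CREATED_KEY_RE.search(out)
    if match is None:
        raise RuntimeError(f"could not find the new key id in gcloud output: {out!r}")
    new_key_id = match.group(1)
    if new_key_id == old_key_id:
        raise RuntimeError("refusing to delete the key that was just created")
    # The application must already be using the new key when the old one is revoked;
    # if this step raises, both keys stay in place and nothing is broken.
    on_new_key(new_key_id, key_file)
    run(["iam", "service-accounts", "keys", "delete", old_key_id,
         f"--iam-account={iam_account}", "--quiet"])  # --quiet skips the Y/n prompt
    return new_key_id


class FakeGcloud:
    """Constructed stand-in for gcloud: records argument lists and mimics its messages."""

    def __init__(self, new_key_id):
        self.new_key_id = new_key_id
        self.calls = []

    def __call__(self, args):
        self.calls.append(args)
        if args[3] == "create":
            return f"created key [{self.new_key_id}] of type [json] as [{args[4]}]"
        return f"deleted key [{args[4]}]"


def demo_rotation():
    """Rotate the January key from the Audit section against the fake runner.
    Returns (new_key_id, recorded gcloud calls, key ids handed to the application)."""
    account = "cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccount.com"
    fake = FakeGcloud("abcdabcdabcd1234123412234abcdabcdabcdacd")  # id from Remediation step 2
    switched = []
    new_id = rotate_key(account, "abcd1234abcd1234abcd1234abcd1234abcd1234",
                        "private-key.json", lambda kid, path: switched.append(kid), run=fake)
    return new_id, fake.calls, switched


if __name__ == "__main__":
    new_id, calls, _ = demo_rotation()
    print("new key:", new_id)
    for call in calls:
        print("gcloud", " ".join(call))
```

For a real rotation, pass a callback that updates the application's secret store or deployment configuration and verifies that the application authenticates with the new key, and leave `run` at its default so the real gcloud commands are executed. The downloaded `private-key.json` is the only copy of the private key, so the callback should move it into the secret store and remove it from the local disk.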

Publication date Feb 4, 2021
