Ensure that the creation of user-managed service account keys is disabled within your Google Cloud project, folder, or the entire organization through the "Disable Service Account Key Creation" organization policy. This allows you to control the use of unmanaged long-term credentials for your Cloud IAM service accounts. When this resource constraint is enabled, user-managed keys cannot be created for service accounts in projects/folders/organizations affected by the constraint.
User-managed keys are extremely powerful credentials, and they can pose a security risk if they are not managed correctly. If the user-managed service account keys are compromised, anyone who has access to these credentials will be able to access your Google Cloud Platform (GCP) resources through their associated service account. You can limit their use by applying the "Disable Service Account Key Creation" (i.e. iam.disableServiceAccountKeyCreation) organization policy to projects, folders, or your entire organization. After applying the constraint, you can enable user-managed keys in well-controlled locations, to minimize the potential risk caused by the unmanaged keys.
Note: As example, this conformity rule demonstrates how to disable the creation of new user-managed service account keys at the Google Cloud organization level.
To determine if the creation of user-managed service account keys is disabled for your GCP organizations, perform the following actions:
Remediation / Resolution
To ensure that the user-managed key creation for Cloud IAM service accounts is disabled within your Google Cloud organization, enable the "Disable Service Account Key Creation" organization policy, by performing the following actions:
- Google Cloud Platform (GCP) Documentation
- Cloud Identity and Access Management (IAM)
- Service accounts
- Creating and managing service account keys
- Restricting service account usage
- GCP Command Line Interface (CLI) Documentation
- gcloud organizations list
- gcloud alpha resource-manager org-policies describe
- gcloud alpha resource-manager org-policies enable-enforce
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Disable User-Managed Key Creation for Service Accounts
Risk level: Medium