IAM Users – Enforce GCP-Managed Keys
This check ensures that service accounts use only Google-managed keys. A user-managed key is a long-lived private key that is downloaded (usually as a JSON file) and stored outside Google Cloud, whereas the private half of a Google-managed key never leaves Google's infrastructure and is rotated automatically. Enforcing Google-managed keys removes the downloadable credential that can be leaked, eliminates manual key rotation, and improves overall access security.
Check Details
- Resource: Service Accounts
- Check: Enforce GCP-managed keys
- Risk: User-managed service account keys can be copied, leaked, or remain active indefinitely, increasing the risk of unauthorized access and credential compromise.
Remediation via Google Cloud Console
- Log in to the Google Cloud Console and navigate to IAM & Admin.
- Click Service Accounts. All service accounts in the project are listed.
- Click the service account you want to remediate.
- Open the Keys tab. Each key is listed with its type; delete every user-managed key. Google-managed keys cannot be deleted and are rotated by Google.
- Repeat for each service account and confirm that only Google-managed keys remain.
Remediation via Google Cloud CLI
- Open the Google Cloud Console and launch Cloud Shell.
- Delete a user-managed service account key, substituting the key ID and the service account's email address. Any workload still authenticating with that key stops working the moment it is deleted, so confirm the key is unused first:
  gcloud iam service-accounts keys delete KEY_ID \
    --iam-account=SERVICE_ACCOUNT_EMAIL
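The steps above remove one key at a time by hand. As an added example (not code from the original article or from Google), the following Python script takes the JSON printed by `gcloud iam service-accounts keys list --iam-account=EMAIL --format=json`, flags every user-managed key, reports its age and whether it ever expires, and prints the matching delete command, so the check can be run across many service accounts before anything is removed. The project name, service account and key IDs in the sample JSON are constructed for the example; the `keyType`, `keyOrigin`, `validAfterTime` and `validBeforeTime` fields are the ones the IAM API returns.

```python
"""Audit service account keys and build the remediation for this check.

Added example, not part of the original article. It reads the JSON that
`gcloud iam service-accounts keys list --iam-account=EMAIL --format=json`
prints, flags every USER_MANAGED key, and builds the matching
`gcloud iam service-accounts keys delete` command for each one.
"""
import json
import sys
from datetime import datetime, timezone

# Constructed sample of `gcloud ... keys list --format=json` output.
# The project, service account and key IDs are made up for this example.
SAMPLE_KEYS_JSON = """[
  {
    "keyAlgorithm": "KEY_ALG_RSA_2048",
    "keyOrigin": "GOOGLE_PROVIDED",
    "keyType": "SYSTEM_MANAGED",
    "name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d",
    "validAfterTime": "2024-05-20T00:00:00Z",
    "validBeforeTime": "2024-06-05T00:00:00Z"
  },
  {
    "keyAlgorithm": "KEY_ALG_RSA_2048",
    "keyOrigin": "GOOGLE_PROVIDED",
    "keyType": "USER_MANAGED",
    "name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c",
    "validAfterTime": "2023-01-10T00:00:00Z",
    "validBeforeTime": "9999-12-31T23:59:59Z"
  },
  {
    "keyAlgorithm": "KEY_ALG_RSA_2048",
    "keyOrigin": "USER_PROVIDED",
    "keyType": "USER_MANAGED",
    "name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/abcdef0123456789abcdef0123456789abcdef01",
    "validAfterTime": "2024-04-20T00:00:00Z",
    "validBeforeTime": "2025-04-20T00:00:00Z"
  }
]"""

# Fixed reference time so the sample yields reproducible key ages.
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_key_name(name):
    """Split 'projects/P/serviceAccounts/EMAIL/keys/ID' into (P, EMAIL, ID)."""
    parts = name.split("/")
    if len(parts) != 6 or parts[0] != "projects" or parts[2] != "serviceAccounts" or parts[4] != "keys":
        raise ValueError(f"unexpected key resource name: {name}")
    return parts[1], parts[3], parts[5]


def _parse_time(value):
    """Parse the RFC 3339 UTC timestamps gcloud prints for key validity."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys_json, now):
    """Return one finding per user-managed key; an empty list means compliant."""
    findings = []
    for key in json.loads(keys_json):
        # Google-managed (SYSTEM_MANAGED) keys are expected and cannot be deleted.
        if key.get("keyType") != "USER_MANAGED":
            continue
        project, sa_email, key_id = parse_key_name(key["name"])
        findings.append({
            "service_account": sa_email,
            "key_id": key_id,
            # USER_PROVIDED means the public key was uploaded, so the private
            # half was generated and is held somewhere outside Google Cloud.
            "origin": key["keyOrigin"],
            "age_days": (now - _parse_time(key["validAfterTime"])).days,
            # Keys without an expiry are reported with year 9999.
            "never_expires": _parse_time(key["validBeforeTime"]).year == 9999,
            "remediation": (
                f"gcloud iam service-accounts keys delete {key_id} "
                f"--iam-account={sa_email} --project={project}"
            ),
        })
    return findings


def is_compliant(keys_json, now=None):
    """True when the account has no user-managed keys."""
    return not audit_keys(keys_json, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    # Pipe real `gcloud ... keys list --format=json` output in; otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    for f in audit_keys(raw.strip() or SAMPLE_KEYS_JSON, AUDIT_TIME if not raw.strip() else datetime.now(timezone.utc)):
        print(f"user-managed key {f['key_id']} on {f['service_account']}: "
              f"{f['age_days']} days old, never expires: {f['never_expires']}")
        print(f"  remediation: {f['remediation']}")
```

Run it as `gcloud iam service-accounts keys list --iam-account=EMAIL --format=json | python3 audit_keys.py` for each account, and treat the printed delete commands as a worklist rather than running them blindly: check Cloud Audit Logs for recent authentications with each key and migrate the workload (attached service account, workload identity federation, or impersonation) before deleting. To keep the check from regressing, the organization policy constraint `constraints/iam.disableServiceAccountKeyCreation` blocks creation of new user-managed keys.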
Default Value
Every service account has Google-managed keys, which Google creates and rotates automatically. User-managed keys exist only if someone creates or uploads one; once created they have no expiry by default and remain valid until explicitly deleted.