Open dinvlad opened 2 years ago
That shouldn’t be too hard if there’s a property we can access about the key to know that it’s disabled; then it would be just updating the control to say next if property true.
On Wed, Mar 2, 2022 at 13:09 Denis Loginov wrote:
Hi Team,
The benchmark appears to report old Service Account keys, even if they're disabled. Could you add logic to 1.07 control https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark/blob/master/controls/1.07-iam.rb that filters out disabled keys?
Thanks!
--
Aaron Lippold
260-255-4779
twitter/aim/yahoo,etc. 'aaronlippold'
@aaronlippold yes, there's a `disabled` field on the `ServiceAccountKey` object, I believe: https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKey
Hi Team,
The benchmark appears to report old Service Account keys, even if they're disabled. Could you add logic to 1.07 control that filters out disabled keys?
Thanks!
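
The filtering requested in this issue, as an added example that is not from the thread or from the benchmark's own control: plain Ruby over a constructed key list, using the `disabled`, `keyType` and `validAfterTime` fields of `ServiceAccountKey`. The 90-day threshold, the project and key names, and the function names are assumptions.

```ruby
require 'json'
require 'time'

MAX_KEY_AGE_DAYS = 90 # assumed rotation threshold; set to your policy

# Constructed sample, shaped like a projects.serviceAccounts.keys list response.
# Names and dates are made up for illustration.
SA = 'projects/example-project/serviceAccounts/sa@example-project.iam.gserviceaccount.com'
SAMPLE_KEYS_JSON = <<~JSON
  {"keys": [
    {"name": "#{SA}/keys/old-enabled", "keyType": "USER_MANAGED",
     "validAfterTime": "2021-06-01T00:00:00Z"},
    {"name": "#{SA}/keys/old-disabled", "keyType": "USER_MANAGED",
     "validAfterTime": "2021-06-01T00:00:00Z", "disabled": true},
    {"name": "#{SA}/keys/old-explicitly-enabled", "keyType": "USER_MANAGED",
     "validAfterTime": "2021-06-01T00:00:00Z", "disabled": false},
    {"name": "#{SA}/keys/fresh-enabled", "keyType": "USER_MANAGED",
     "validAfterTime": "2022-02-15T00:00:00Z"},
    {"name": "#{SA}/keys/old-system-managed", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2021-06-01T00:00:00Z"}
  ]}
JSON

# Returns the user-managed keys that are still usable and older than the
# threshold. A key counts as disabled only when the field is literally true,
# so a response that omits the field is treated as an enabled key.
def stale_enabled_keys(keys, now: Time.now.utc, max_age_days: MAX_KEY_AGE_DAYS)
  keys.select do |key|
    next false unless key['keyType'] == 'USER_MANAGED'
    next false if key['disabled'] == true # the filter this issue asks for

    age_days = (now - Time.iso8601(key['validAfterTime'])) / 86_400
    age_days > max_age_days
  end
end

# Short key ids (last path segment) of the keys that should be reported.
def stale_key_ids(json, now: Time.now.utc)
  keys = JSON.parse(json).fetch('keys', [])
  stale_enabled_keys(keys, now: now).map { |k| k['name'].split('/').last }
end

if __FILE__ == $PROGRAM_NAME
  puts stale_key_ids(SAMPLE_KEYS_JSON, now: Time.utc(2022, 3, 2))
end
```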