Closed TomKulakov closed 2 years ago
Hi there!
https://github.com/turbot/steampipe-mod-gcp-compliance/blob/98c9fe4a36e97a59cd58f95b444d52d10eba5e39/cis_v120/section_1.sp#L175
Keys are insecure because they can be viewed publicly
Every API key is insecure because of that reason. Is there another reason why project-wide API keys should not be created? To my best knowledge: as a Service Account should maintain a single role (best case scenario), it would be best for the API keys to allow connection to a single resource, and not be used project-wide for all resources, hence they should be properly restricted, and this has been covered with control 1.13. Putting that aside, you can create an API key per project only. Official documentation ( https://cloud.google.com/docs/authentication/api-keys ) states that this is the way to create an API key. Is there another way that I'm not seeing?
Thanks @TomKulakov for using Steampipe and helping us improve the controls!
Fair point that the description is a bit weak there ... definitely open to suggestions for what it should be.
It's actually the "official" description pulled directly from the CIS v1.20 document:
@e-gineer Thanks for getting back to me so quickly!
To be honest, I did remove that from our checklist. As mentioned before, the only way to resolve that issue is to limit the resources able to use the API keys, and that's covered by 1.13. I also did try to find ways of creating non-project-wide API keys, but every manual I go into suggests the same way of creating a key - per project: https://support.google.com/googleapi/answer/6158862?hl=en https://cloud.google.com/docs/authentication/api-keys So far it seems the only way to create an API key is in the project itself (it's not possible to do so with a gcloud command - here is a feature request https://issuetracker.google.com/issues/76227920?pli=1 ), thus this control will PROBABLY (did not check the code, only judging by the rule title) always return false positives.
Have a great weekend!
@TomKulakov I'm closing this issue as the current control follows CIS' recommendation, and a workaround is to exclude its results from your checklist/assessment if it doesn't meet your requirements. If you have any other questions, please let us know!
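The distinction the thread turns on is that a "no API keys in the project" check (CIS 1.12) alarms on every key that exists, while the restriction checks only alarm on keys that lack application or API restrictions. The script below is an added example, not code from the Steampipe mod or from any participant in this thread; it evaluates constructed key records shaped like the API Keys v2 `Key` resource (the `restrictions` object with `apiTargets`, `browserKeyRestrictions`, `serverKeyRestrictions`, `androidKeyRestrictions`, `iosKeyRestrictions` fields) against 1.12 and 1.13, and additionally against 1.14 (API restrictions), which the thread does not mention; the control numbering is taken from CIS GCP v1.2.0 and the sample keys and project name are made up.

```python
"""Added example (not the mod's own code): evaluate constructed GCP API key
records against CIS GCP v1.2.0 controls 1.12, 1.13 and 1.14.

Record shape follows the API Keys v2 `Key` resource returned by keys.list.
"""

# Constructed sample data: three keys in one hypothetical project.
SAMPLE_KEYS = [
    {
        "name": "projects/example-proj/locations/global/keys/key-unrestricted",
        "displayName": "legacy key, no restrictions at all",
        "restrictions": {},
    },
    {
        "name": "projects/example-proj/locations/global/keys/key-api-only",
        "displayName": "API-restricted, but usable from any host/app",
        "restrictions": {
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
        },
    },
    {
        "name": "projects/example-proj/locations/global/keys/key-full",
        "displayName": "server key, API + IP restricted",
        "restrictions": {
            "apiTargets": [{"service": "translate.googleapis.com"}],
            "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
        },
    },
]

# Application restrictions in the API Keys v2 resource: exactly one of these
# may be set on a key, limiting which hosts or apps can present it.
APPLICATION_RESTRICTION_FIELDS = (
    "browserKeyRestrictions",
    "serverKeyRestrictions",
    "androidKeyRestrictions",
    "iosKeyRestrictions",
)


def cis_1_12_keys_created_for_project(keys):
    """CIS 1.12 (ensure API keys are not created for a project): every existing
    key is a finding, which is why the control flags any project with keys.
    Returns the offending key names (empty list means compliant)."""
    return [k["name"] for k in keys]


def has_application_restriction(key):
    """True if the key is limited to specific hosts/apps (referrers, IPs,
    Android or iOS apps)."""
    r = key.get("restrictions") or {}
    return any(r.get(field) for field in APPLICATION_RESTRICTION_FIELDS)


def has_api_restriction(key):
    """True if the key is limited to specific API targets."""
    r = key.get("restrictions") or {}
    return bool(r.get("apiTargets"))


def cis_1_13_unrestricted_hosts_and_apps(keys):
    """CIS 1.13 (keys restricted to specified hosts and apps): only keys with
    no application restriction are findings."""
    return [k["name"] for k in keys if not has_application_restriction(k)]


def cis_1_14_unrestricted_apis(keys):
    """CIS 1.14 (keys restricted to only the APIs the app needs): only keys
    with no API restriction are findings."""
    return [k["name"] for k in keys if not has_api_restriction(k)]


if __name__ == "__main__":
    for label, fn in (("1.12", cis_1_12_keys_created_for_project),
                      ("1.13", cis_1_13_unrestricted_hosts_and_apps),
                      ("1.14", cis_1_14_unrestricted_apis)):
        print(label, "alarm:", fn(SAMPLE_KEYS))
```

Run against the constructed data, 1.12 reports all three keys, 1.13 reports the two keys without a host/app restriction, and 1.14 reports only the fully unrestricted key; that is the difference between a control that flags the existence of keys and controls that flag how they are scoped.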