turbot / steampipe-mod-gcp-compliance

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS across all of your GCP projects using Powerpipe and Steampipe.
https://hub.powerpipe.io/mods/turbot/gcp_compliance
Apache License 2.0

control.cis_v120_1_12 - Rather incorrect description #57

Closed TomKulakov closed 2 years ago

TomKulakov commented 2 years ago

Hi there!

https://github.com/turbot/steampipe-mod-gcp-compliance/blob/98c9fe4a36e97a59cd58f95b444d52d10eba5e39/cis_v120/section_1.sp#L175

Keys are insecure because they can be viewed publicly

Every API key is insecure for that reason. Is there another reason why project-wide API keys should not be created? To my best knowledge: as a Service Account should maintain a single role (best case scenario), it would be best for the API keys to allow connection to a single resource, and not be used project-wide for all resources, hence they should be properly restricted, and this has been covered with control 1.13. Putting that aside, you can create API keys per project only. Official documentation ( https://cloud.google.com/docs/authentication/api-keys ) states that this is the way to create an API key. Is there another way that I'm not seeing?

e-gineer commented 2 years ago

Thanks @TomKulakov for using Steampipe and helping us improve the controls!

Fair point that the description is a bit weak there ... definitely open to suggestions for what it should be.

It's actually the "official" description pulled directly from the CIS v1.20 document:

[image]

TomKulakov commented 2 years ago

@e-gineer Thanks for getting back to me so quickly!

To be honest, I did remove that from our checklist. As mentioned before, the only way to resolve that issue is to limit the resources able to use the API keys, and that's covered by 1.13. I also did try to find ways of creating non-project-wide API keys, but every manual I go into suggests the same way of creating a key - per project: https://support.google.com/googleapi/answer/6158862?hl=en https://cloud.google.com/docs/authentication/api-keys So far it seems the only way to create an API key is in the project itself (it's not possible to do so with the gcloud command - here is a feature request https://issuetracker.google.com/issues/76227920?pli=1 ), thus this control will PROBABLY (did not check the code, only judging by the rule title) always return false positives.

Have a great weekend!
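The point made in this thread is that the actionable control is the restriction one (1.13): an API key that is bound to specific API targets is the thing worth checking, not the mere existence of a key in a project. The script below is an added example that is not part of the steampipe-mod-gcp-compliance mod or of this issue: it evaluates a list of API keys for that condition. It assumes the JSON shape produced by `gcloud services api-keys list --format=json` (API Keys API v2 `Key` resources with an optional `restrictions` object); the key names, display names and service names in the sample are constructed.

```python
"""Flag GCP API keys that carry no API-target restriction.

Added example; not code from the steampipe-mod-gcp-compliance project.
Assumed input: the JSON list printed by
    gcloud services api-keys list --project PROJECT --format=json
where each key may carry a "restrictions" object with "apiTargets" and
client restrictions such as "serverKeyRestrictions". The sample is constructed.
"""
import json
import sys

# Constructed sample in the assumed gcloud/API Keys v2 shape.
SAMPLE_KEYS_JSON = json.dumps([
    {
        "name": "projects/example-project/locations/global/keys/key-unrestricted",
        "displayName": "legacy-maps-key",
        "createTime": "2021-03-01T00:00:00Z",
        # no "restrictions": usable against every API enabled in the project
    },
    {
        "name": "projects/example-project/locations/global/keys/key-api-restricted",
        "displayName": "geocoding-backend",
        "createTime": "2022-01-10T00:00:00Z",
        "restrictions": {
            "apiTargets": [{"service": "geocoding-backend.googleapis.com"}],
            "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
        },
    },
    {
        "name": "projects/example-project/locations/global/keys/key-referrer-only",
        "displayName": "web-widget",
        "createTime": "2022-02-05T00:00:00Z",
        # client restriction only: still callable against any enabled API
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}
        },
    },
])

# Client-side ("application") restriction fields of the assumed schema.
APP_RESTRICTION_FIELDS = (
    "browserKeyRestrictions",
    "serverKeyRestrictions",
    "androidKeyRestrictions",
    "iosKeyRestrictions",
)


def api_targets(key: dict) -> list[str]:
    """Services the key may call; an empty list means every enabled API."""
    restrictions = key.get("restrictions") or {}
    return [t["service"] for t in restrictions.get("apiTargets", []) if t.get("service")]


def has_application_restriction(key: dict) -> bool:
    """True when the key is limited to particular referrers, IPs or apps."""
    restrictions = key.get("restrictions") or {}
    return any(field in restrictions for field in APP_RESTRICTION_FIELDS)


def audit_keys(keys_json: str) -> list[dict]:
    """Return one finding per key; 'alarm' when no API target is set."""
    findings = []
    for key in json.loads(keys_json):
        targets = api_targets(key)
        status = "ok" if targets else "alarm"
        reason = (f"restricted to {', '.join(targets)}" if targets
                  else "no API target restriction: usable against any enabled API")
        findings.append({
            "key": key["name"].rsplit("/", 1)[-1],
            "display_name": key.get("displayName", ""),
            "status": status,
            "reason": reason,
            "application_restricted": has_application_restriction(key),
        })
    return findings


def summary(findings: list[dict]) -> dict:
    """Counts per status, in the spirit of a benchmark summary line."""
    return {
        "ok": sum(1 for f in findings if f["status"] == "ok"),
        "alarm": sum(1 for f in findings if f["status"] == "alarm"),
    }


if __name__ == "__main__":
    # Pipe real gcloud output in; fall back to the constructed sample otherwise.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    results = audit_keys(raw or SAMPLE_KEYS_JSON)
    for f in results:
        extra = "" if f["application_restricted"] else " (no client restriction either)"
        print(f"{f['status'].upper():5} {f['key']} [{f['display_name']}]: {f['reason']}{extra}")
    print(summary(results))
```

Run it as `gcloud services api-keys list --project PROJECT --format=json | python audit_api_keys.py` to evaluate a real project; with no piped input it evaluates the constructed sample. The third sample key shows why the API-target check is the one that matters here: a referrer restriction limits who can present the key, but without `apiTargets` the key still reaches every API enabled in the project.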

cbruno10 commented 2 years ago

@TomKulakov I'm closing this issue as the current control follows CIS' recommendation, and a workaround is to exclude its results from your checklist/assessment if it doesn't meet your requirements. If you have any other questions, please let us know!