Ensure that the creation of user-managed service account keys is disabled within your Google Cloud project, folder, or the entire organization through the "Disable Service Account Key Creation" organization policy. This allows you to control the use of unmanaged long-term credentials for your Cloud IAM service accounts. When this resource constraint is enabled, user-managed keys cannot be created for service accounts in projects/folders/organizations affected by the constraint.
PoC代码[已公开]
id: gcloud-org-service-account-key-creation
info:
name: Service Account Key Creation Not Disabled
author: princechaddha
severity: high
description: |
Ensure that the creation of user-managed service account keys is disabled within your Google Cloud project, folder, or the entire organization through the "Disable Service Account Key Creation" organization policy. This allows you to control the use of unmanaged long-term credentials for your Cloud IAM service accounts. When this resource constraint is enabled, user-managed keys cannot be created for service accounts in projects/folders/organizations affected by the constraint.
impact: |
User-managed keys are extremely powerful credentials, and they can pose a security risk if they are not managed correctly. If the user-managed service account keys are compromised, anyone who has access to these credentials will be able to access your GCP resources through their associated service account.
remediation: |
Enable the "Disable Service Account Key Creation" policy at the organization level using the 'gcloud alpha resource-manager org-policies enable-enforce' command with the iam.disableServiceAccountKeyCreation constraint.
reference:
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ResourceManager/disable-service-account-key-creation.html
- https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
tags: cloud,devops,gcp,gcloud,resourcemanager,security,iam,service-account,gcp-cloud-config
flow: |
code(1)
for(let orgId of iterate(template.orgIds)){
set("orgId", orgId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud organizations list --format="json(name)"
extractors:
- type: json
name: orgIds
internal: true
json:
- '.[].name'
- engine:
- sh
- bash
source: |
gcloud alpha resource-manager org-policies describe iam.disableServiceAccountKeyCreation --organization=$orgId --effective --format="json(booleanPolicy)"
matchers:
- type: word
words:
- "{}"
extractors:
- type: dsl
dsl:
- '"Organization " + orgId + " has not disabled service account key creation, allowing users to create unmanaged keys"'
# digest: 4b0a00483046022100de7c9ee928092255091497632796341967bd78e6c59bb6cf10c1937ed6a1178e022100b21ea4609f809edd6531d45ad1ae22cde5e6cb6f604cbe4d07756c69b81700b0:922c64590222798bb761d5b6d8e72950