Ensure that user-managed service account key upload is disabled within your Google Cloud project, folder, or the entire organization, through the "Disable Service Account Key Upload" organization policy. This allows you to control the upload process of unmanaged long-term credentials for your Cloud IAM service accounts. By default, users can upload keys to service accounts based on their Cloud IAM roles and permissions.
PoC代码[已公开]
id: gcloud-org-service-account-key-upload
info:
name: Service Account Key Upload Not Disabled
author: princechaddha
severity: medium
description: |
Ensure that user-managed service account key upload is disabled within your Google Cloud project, folder, or the entire organization, through the "Disable Service Account Key Upload" organization policy. This allows you to control the upload process of unmanaged long-term credentials for your Cloud IAM service accounts. By default, users can upload keys to service accounts based on their Cloud IAM roles and permissions.
impact: |
User-managed keys are extremely powerful credentials and they can pose a security risk if not managed correctly. If compromised, anyone with these credentials can access GCP resources through the associated service account.
remediation: |
Enable the "Disable Service Account Key Upload" policy at the organization level using the 'gcloud alpha resource-manager org-policies enable-enforce' command with the iam.disableServiceAccountKeyUpload constraint.
reference:
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ResourceManager/disable-service-account-key-upload.html
- https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
tags: cloud,devops,gcp,gcloud,resourcemanager,security,iam,service-account,gcp-cloud-config
flow: |
code(1)
for(let orgId of iterate(template.orgIds)){
set("orgId", orgId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud organizations list --format="json(name)"
extractors:
- type: json
name: orgIds
internal: true
json:
- '.[].name'
- engine:
- sh
- bash
source: |
gcloud alpha resource-manager org-policies describe iam.disableServiceAccountKeyUpload --organization=$orgId --effective --format="json(booleanPolicy)"
matchers:
- type: word
words:
- "{}"
extractors:
- type: dsl
dsl:
- '"Organization " + orgId + " has not disabled service account key upload, allowing users to upload unmanaged keys"'
# digest: 4a0a004730450220466125403fe640c356d99f8bbabbf2fe9bb980180876f87368ca00409c083f1a022100800670e74ee332bed168dcb2c15519dfbbbe3578b1ce4d66285a8a2db4ed1166:922c64590222798bb761d5b6d8e72950