{

"description": "Lack of User-Managed Service Account Key Rotation",

"rationale": "Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. User-managed Service Account keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen. It should be ensured that keys are rotated every 90 days.<br>This issue does not apply to system-managed keys, as they are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime.",

"remediation": "From console: <br>Delete any external (user-managed) Service Account Key older than 90 days: <ol><li>Go to <samp>APIs & Services\\Credentials</samp> using <samp>https://console.cloud.google.com/apis/credentials</samp></li><li>In the Section <samp>Service Account Keys</samp>, for every external (user-managed) service account key where <samp>creation date</samp> is greater than or equal to the past 90 days, click <samp>Delete Bin Icon</samp> to <samp>Delete Service Account key</samp></li></ol> <br>Create a new external (user-managed) Service Account Key for a Service Account:<ol><li>Go to <samp>APIs & Services\\Credentials</samp> using <samp>https://console.cloud.google.com/apis/credentials</samp></li><li>Click <samp>Create Credentials</samp> and <samp>Select Service Account Key.</samp></li><li>Choose the service account in the drop-down list for which an External (user-managed) Service Account key needs to be created.</li><li>Select the desired key type format among <samp>JSON</samp> or <samp>P12</samp>.</li><li>Click <samp>Create</samp>. It will download the <samp>private key</samp>. Keep it safe.</li><li>Click <samp>close</samp> if prompted</li><li>The site will redirect to the <samp>APIs & Services\\Credentials</samp> page. Make a note of the new <samp>ID</samp> displayed in the <samp>Service account keys</samp> section.</li></ol> ",

"compliance": [

{

"name": "CIS Google Cloud Platform Foundations",

"version": "1.0.0",

"reference": "1.6"

},

{

"name": "CIS Google Cloud Platform Foundations",

"version": "1.1.0",

"reference": "1.7"

}

],

"references": [

"https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys",

"https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list",

"https://cloud.google.com/iam/docs/service-accounts",

"https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys"

],

"dashboard_name": "Service Accounts",

"display_path": "iam.projects.id.service_accounts.id",

"path": "iam.projects.id.service_accounts.id.keys.id",

"conditions": [

"and",

[

"iam.projects.id.service_accounts.id.keys.id.valid_after",

"olderThan",

[

"90",

"days"

]

],

[

"iam.projects.id.service_accounts.id.keys.id.key_type",

"equal",

"USER_MANAGED"

]

],

"id_suffix": "valid_after"

}