cloud/gcp/api/gcloud-api-key-restrictions-missing.yaml

id: gcloud-api-key-restrictions-missing

info:
  name: Missing API Key API Restrictions
  author: princechaddha
  severity: medium
  description: |
    Ensure that the usage of your Google Cloud API keys is restricted to specific APIs such as Cloud Key Management Service (KMS) API, Cloud Storage API, Cloud Monitoring API, and Cloud Logging API. All Google Cloud API keys that are being used for production applications should use API restrictions.
  impact: |
    API keys without specific API restrictions can be used to access any GCP API, potentially leading to unauthorized access and misuse of resources. Implementing API restrictions helps in limiting the scope of API keys to intended services only.
  remediation: |
    Apply API restrictions to each Google Cloud API key to limit their usage to specific APIs. This can be managed through the Google Cloud Console or using the gcloud command-line tool.
  reference:
    - https://cloud.google.com/api-keys/docs/restricting-api-keys
  tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let apiKey of iterate(template.apiKeys)){
      set("apiKeyUid", apiKey)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud alpha services api-keys list --project=$projectId --format="json(uid)"

    extractors:
      - type: json
        name: apiKeys
        internal: true
        json:
          - '.[].uid'

  - engine:
      - sh
      - bash
    source: |
      gcloud alpha services api-keys describe $apiKeyUid --format="json(restrictions)"

    matchers:
      - type: word
        part: body
        words:
          - 'null'

    extractors:
      - type: dsl
        dsl:
          - '"Unrestricted API Key: " + apiKeyUid + " in Project: " + projectId'
# digest: 4b0a00483046022100b6b2f16aaed30fbe7cf6f76b17cd99ebb5394c3f78c791dd66de6d10bdbab3ab022100858dcb4e5f0139b7c9e1431d7318a4ddf89998fb7cc475285f14c0c5fb3819a0:922c64590222798bb761d5b6d8e72950
Added GCP Templates 2025-01-15 17:13:24 +05:30			`id: gcloud-api-key-restrictions-missing`

			`info:`
			`name: Missing API Key API Restrictions`
			`author: princechaddha`
			`severity: medium`
			`description: \|`
			`Ensure that the usage of your Google Cloud API keys is restricted to specific APIs such as Cloud Key Management Service (KMS) API, Cloud Storage API, Cloud Monitoring API, and Cloud Logging API. All Google Cloud API keys that are being used for production applications should use API restrictions.`
			`impact: \|`
			`API keys without specific API restrictions can be used to access any GCP API, potentially leading to unauthorized access and misuse of resources. Implementing API restrictions helps in limiting the scope of API keys to intended services only.`
			`remediation: \|`
			`Apply API restrictions to each Google Cloud API key to limit their usage to specific APIs. This can be managed through the Google Cloud Console or using the gcloud command-line tool.`
			`reference:`
			`- https://cloud.google.com/api-keys/docs/restricting-api-keys`
			`tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
Added GCP Templates 2025-01-15 17:13:24 +05:30			`flow: \|`
			`code(1)`
			`for(let projectId of iterate(template.projectIds)){`
			`set("projectId", projectId)`
			`code(2)`
			`for(let apiKey of iterate(template.apiKeys)){`
			`set("apiKeyUid", apiKey)`
			`code(3)`
			`}`
			`}`

			`self-contained: true`

			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud projects list --format="json(projectId)"`

			`extractors:`
			`- type: json`
			`name: projectIds`
			`internal: true`
			`json:`
			`- '.[].projectId'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud alpha services api-keys list --project=$projectId --format="json(uid)"`

			`extractors:`
			`- type: json`
			`name: apiKeys`
			`internal: true`
			`json:`
			`- '.[].uid'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud alpha services api-keys describe $apiKeyUid --format="json(restrictions)"`

			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- 'null'`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- '"Unrestricted API Key: " + apiKeyUid + " in Project: " + projectId'`
chore: sign templates 🤖 2025-04-24 09:39:11 +00:00			`# digest: 4b0a00483046022100b6b2f16aaed30fbe7cf6f76b17cd99ebb5394c3f78c791dd66de6d10bdbab3ab022100858dcb4e5f0139b7c9e1431d7318a4ddf89998fb7cc475285f14c0c5fb3819a0:922c64590222798bb761d5b6d8e72950`