cloud/gcp/api/gcloud-api-key-unrestricted.yaml

id: gcloud-api-key-unrestricted

info:
  name: Unrestricted API Key Usage
  author: princechaddha
  severity: medium
  description: |
    Ensure that the use of Google Cloud API keys is limited to trusted and reliable hosts, HTTP referrers, or applications. An API key application restriction manages the authorization of websites, IP addresses, or Android/iOS mobile applications that can employ your API key. It is crucial that all API keys used in production employ host and application restrictions. By enforcing these restrictions, you can reduce the impact that a compromised API key can have on your applications.
  impact: |
    API keys without restrictions can be used unrestrictedly, which might lead to unauthorized access and misuse, potentially exposing sensitive data or services.
  remediation: |
    Apply restrictions to all production API keys to specify the allowed websites, IP addresses, or mobile applications that can use each key, to mitigate potential abuse.
  reference:
    - https://cloud.google.com/docs/authentication/api-keys#restricting_api_keys
  tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let uid of iterate(template.uids)){
      set("uid", uid)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud alpha services api-keys list --project $projectId --format="json(uid)"

    extractors:
      - type: json
        name: uids
        internal: true
        json:
          - '.[].uid'

  - engine:
      - sh
      - bash
    source: |
      gcloud alpha services api-keys describe $uid --format="json(restrictions)"

    matchers:
      - type: word
        words:
          - 'null'

    extractors:
      - type: dsl
        dsl:
          - '"Unrestricted API Key: " + uid + " in Project: " + projectId'
# digest: 4a0a00473045022100d1751d133cbe1cb508355fb6acc6fb0d51094a8c42db864114772bfce2fd382a022022cb36fbfcf3f8b8ef22cd8a428104f85035cc421437b2e735f221396b39c224:922c64590222798bb761d5b6d8e72950
Added GCP Templates 2025-01-15 17:13:24 +05:30			`id: gcloud-api-key-unrestricted`

			`info:`
			`name: Unrestricted API Key Usage`
			`author: princechaddha`
			`severity: medium`
			`description: \|`
			`Ensure that the use of Google Cloud API keys is limited to trusted and reliable hosts, HTTP referrers, or applications. An API key application restriction manages the authorization of websites, IP addresses, or Android/iOS mobile applications that can employ your API key. It is crucial that all API keys used in production employ host and application restrictions. By enforcing these restrictions, you can reduce the impact that a compromised API key can have on your applications.`
			`impact: \|`
			`API keys without restrictions can be used unrestrictedly, which might lead to unauthorized access and misuse, potentially exposing sensitive data or services.`
			`remediation: \|`
			`Apply restrictions to all production API keys to specify the allowed websites, IP addresses, or mobile applications that can use each key, to mitigate potential abuse.`
			`reference:`
			`- https://cloud.google.com/docs/authentication/api-keys#restricting_api_keys`
			`tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
Added GCP Templates 2025-01-15 17:13:24 +05:30			`flow: \|`
			`code(1)`
			`for(let projectId of iterate(template.projectIds)){`
			`set("projectId", projectId)`
			`code(2)`
			`for(let uid of iterate(template.uids)){`
			`set("uid", uid)`
			`code(3)`
			`}`
			`}`

			`self-contained: true`

			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud projects list --format="json(projectId)"`

			`extractors:`
			`- type: json`
			`name: projectIds`
			`internal: true`
			`json:`
			`- '.[].projectId'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud alpha services api-keys list --project $projectId --format="json(uid)"`

			`extractors:`
			`- type: json`
			`name: uids`
			`internal: true`
			`json:`
			`- '.[].uid'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud alpha services api-keys describe $uid --format="json(restrictions)"`

			`matchers:`
			`- type: word`
			`words:`
			`- 'null'`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- '"Unrestricted API Key: " + uid + " in Project: " + projectId'`
chore: sign templates 🤖 2025-04-24 09:39:11 +00:00			`# digest: 4a0a00473045022100d1751d133cbe1cb508355fb6acc6fb0d51094a8c42db864114772bfce2fd382a022022cb36fbfcf3f8b8ef22cd8a428104f85035cc421437b2e735f221396b39c224:922c64590222798bb761d5b6d8e72950`