Merge pull request #12998 from kelu27/feat-gcloud-service-account-keys-rotation

feat(gcloud-service-account-keys-rotation): add detection for non-rotating service account keys
2026-01-31 07:43:27 +08:00 · 2026-01-06 17:04:49 +05:30
parent 41ed4feae6 99203cd594
commit 4591b16e07
1 changed files with 76 additions and 0 deletions
--- a/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
+++ b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
@@ -0,0 +1,76 @@
+id: gcloud-service-account-keys-rotation
+
+info:
+  name: GCP Service Account Keys - No Rotation Configured
+  author: kelu27
+  severity: high
+  description: |
+    Detects Google Cloud Platform (GCP) service account keys that have no rotation enabled.
+    Keys with an expiration date of 9999-12-31T23:59:59 are considered non-rotating and pose security risks if compromised.
+  impact: |
+    Service account keys without rotation can remain valid indefinitely, making them vulnerable to compromise or misuse if leaked, stolen, or improperly secured.
+  remediation: |
+    Implement a key rotation policy for user-managed service account keys. Regularly rotate keys and delete old ones. Consider using Workload Identity Federation to eliminate the need for long-lived keys entirely.
+  reference:
+    - https://cloud.google.com/iam/docs/understanding-service-accounts
+    - https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts
+    - https://cloud.google.com/iam/docs/key-rotation
+  metadata:
+    max-request: 3
+  tags: cloud,devops,gcp,gcloud,iam,google-cloud-iam,gcp-cloud-config,security,rotation
+
+flow: |
+  code(1)
+  for(let projectId of iterate(template.projectIds)){
+    set("projectId", projectId)
+    code(2)
+    for(let email of iterate(template.emails)){
+      set("email", email)
+      code(3)
+    }
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud projects list --format="json(projectId)"
+
+    extractors:
+      - type: json
+        name: projectIds
+        internal: true
+        json:
+          - ".[].projectId"
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud iam service-accounts list --project $projectId --format="json(email)"
+
+    extractors:
+      - type: json
+        name: emails
+        internal: true
+        json:
+          - ".[].email"
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud iam service-accounts keys list --iam-account=$email --format="json"
+
+    matchers:
+      - type: word
+        words:
+          - "9999-12-31T23:59:59"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Service Account Key without Rotation Found in Service Account " + email + " in project " + projectId'