id: gcloud-api-key-restrictions-missing info: name: Missing API Key API Restrictions author: princechaddha severity: medium description: | Ensure that the usage of your Google Cloud API keys is restricted to specific APIs such as Cloud Key Management Service (KMS) API, Cloud Storage API, Cloud Monitoring API, and Cloud Logging API. All Google Cloud API keys that are being used for production applications should use API restrictions. impact: | API keys without specific API restrictions can be used to access any GCP API, potentially leading to unauthorized access and misuse of resources. Implementing API restrictions helps in limiting the scope of API keys to intended services only. remediation: | Apply API restrictions to each Google Cloud API key to limit their usage to specific APIs. This can be managed through the Google Cloud Console or using the gcloud command-line tool. reference: - https://cloud.google.com/api-keys/docs/restricting-api-keys tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) for(let apiKey of iterate(template.apiKeys)){ set("apiKeyUid", apiKey) code(3) } } self-contained: true code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)" extractors: - type: json name: projectIds internal: true json: - '.[].projectId' - engine: - sh - bash source: | gcloud alpha services api-keys list --project=$projectId --format="json(uid)" extractors: - type: json name: apiKeys internal: true json: - '.[].uid' - engine: - sh - bash source: | gcloud alpha services api-keys describe $apiKeyUid --format="json(restrictions)" matchers: - type: word part: body words: - 'null' extractors: - type: dsl dsl: - '"Unrestricted API Key: " + apiKeyUid + " in Project: " + projectId' # digest: 4b0a00483046022100b6b2f16aaed30fbe7cf6f76b17cd99ebb5394c3f78c791dd66de6d10bdbab3ab022100858dcb4e5f0139b7c9e1431d7318a4ddf89998fb7cc475285f14c0c5fb3819a0:922c64590222798bb761d5b6d8e72950