Control: 1.7 Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account. It is recommended that all Service Account keys are regularly rotated.
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
Delete any external (user-managed) Service Account Key older than 90 days.
- Go to GCP console at APIs & Services\Credentials
- Navigate to section
Service Accounts, select every external (user-managed) Service Account.
- Check the key creation date is greater than or equal to the past 90 days.
- Click three dots in
- Select Menage Keys and click Icon Bin Icon to delete
- Create a new external (user-managed) Service Account Key for a Service Account. See details here
steampipe check gcp_compliance.control.cis_v120_1_7
This control uses a named query:iam_service_account_key_age_90