Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer

Risk Level: High
Service Account
Rule ID: D9.GCP.IAM.07
Category: Security, Identity, & Compliance
Service account keys consist of a key ID (`private_key_id`) and a private key, which are used to sign programmatic requests to the Google Cloud services that the service account can access. Because a leaked or forgotten key remains valid until it is deleted, it is recommended that all user-managed service account keys are rotated regularly, at most every 90 days.

GSL logic

ServiceAccount should not have keys with [ (managedBy = 'User') and (validAfterTime = isEmpty() or validAfterTime after(-90, 'days')) ]

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language


From Portal:

1. Go to IAM & admin > Service Accounts at 'https://console.cloud.google.com/iam-admin/serviceaccounts'
2. For every service account with a key whose `creation date` is 90 or more days in the past, click `Action` > `Manage keys`
3. Click the `Delete` (bin) icon to delete the service account key
4. Click `DELETE`
5. Create a new key by clicking `ADD KEY` > `Create new key`
6. Select the desired key format, `JSON` or `P12`.
7. Click `Create`. The `private key` file is downloaded to your machine; keep it safe.
8. Click `Close` if prompted.

From Command Line:
Delete an external (user-managed) service account key older than 90 days:

gcloud iam service-accounts keys delete --iam-account=SERVICE_ACCOUNT_EMAIL KEY_ID

Create a new service account key:

gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
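The GSL rule and the gcloud steps above do not show how to decide which key IDs to pass to `keys delete`. The following added example (not part of the Dome9 rule or Google's tooling) applies the same 90-day test to the JSON that `gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json` returns and emits the matching delete commands; the key IDs, account name and "now" timestamp are constructed sample values.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # the rule's rotation limit

# Constructed sample (not real gcloud output) in the shape of
#   gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json
SAMPLE_ACCOUNT = "app-sa@example-project.iam.gserviceaccount.com"
SAMPLE_KEYS_JSON = """[
  {"keyType": "USER_MANAGED",
   "name": "projects/-/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/key-old-0001",
   "validAfterTime": "2024-01-15T09:30:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"keyType": "USER_MANAGED",
   "name": "projects/-/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/key-fresh-0002",
   "validAfterTime": "2024-06-01T12:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"keyType": "SYSTEM_MANAGED",
   "name": "projects/-/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/key-google-0003",
   "validAfterTime": "2023-01-01T00:00:00Z", "validBeforeTime": "2024-07-01T00:00:00Z"},
  {"keyType": "USER_MANAGED",
   "name": "projects/-/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/key-nodate-0004"}
]"""
# Fixed "now" so the sample evaluation is reproducible (use datetime.now(timezone.utc) for real data).
SAMPLE_NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)


def parse_rfc3339(ts: str) -> datetime:
    """Parse the RFC 3339 timestamps gcloud emits; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def key_id_from_name(name: str) -> str:
    """The key ID is the last path segment of projects/-/serviceAccounts/<sa>/keys/<KEY_ID>."""
    return name.rsplit("/keys/", 1)[1]


def keys_needing_rotation(keys_json: str, now: datetime, max_age_days: int = MAX_KEY_AGE_DAYS) -> list:
    """Return IDs of user-managed keys that are max_age_days old or older.

    Mirrors the GSL logic: Google-managed (SYSTEM_MANAGED) keys are rotated by Google and
    skipped; a key without validAfterTime cannot prove its age, so it is flagged, like the
    rule's 'validAfterTime = isEmpty()' clause.
    """
    flagged = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = key.get("validAfterTime")
        if not created or now - parse_rfc3339(created) >= timedelta(days=max_age_days):
            flagged.append(key_id_from_name(key["name"]))
    return flagged


def delete_commands(account_email: str, key_ids: list) -> list:
    """Render the remediation command for each stale key so it can be reviewed before running."""
    return [f"gcloud iam service-accounts keys delete --iam-account={account_email} {kid}" for kid in key_ids]


if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE_ACCOUNT, keys_needing_rotation(SAMPLE_KEYS_JSON, SAMPLE_NOW)):
        print(cmd)
```

Run the printed commands only after a replacement key has been created and deployed to the workloads that use the account, otherwise the rotation becomes an outage.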

1. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/create
2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/delete
3. https://cloud.google.com/iam/docs/creating-managing-service-account-keys
4. https://cloud.google.com/iam/docs/understanding-service-accounts

Service Account

A service account is an account that belongs to your application instead of an individual end user. When you run code that is hosted on GCP, you specify the account that the code should run as. You can create as many service accounts as needed to represent the different logical components of your application.

Compliance Frameworks

GDPR BP_0318