Google Cloud Service Account Private Key Disclosure

high Web App Scanning Plugin ID 113150

Synopsis

Google Cloud Service Account Private Key Disclosure

Description

Google Cloud resources access control is managed through the Identify and Access Management (IAM) feature which helps defining the different roles and permissions available to authenticated principals. Principals include Google accounts for end users and service accounts which purpose is to be used by applications and compute workloads.

Service accounts rely on RSA key pairs for authentication against Google Cloud APIs and access the resources, which, when exposed, could be used by an attacker to gain access to sensitive information or to perform arbitrary modification on the related cloud resources.

Solution

Ensure that storage accounts keys are not stored with the application (for its own usage or because it was included in the deployment chain) and are not publicly available. If possible, force the keys to be frequently rotated with an expiry time and ensure that leaked keys are revoked and reset.

See Also

https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys

https://cloud.google.com/iam/docs/overview

Plugin Details

Severity: High

ID: 113150

Type: remote

Published: 2/21/2022

Updated: 3/8/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L

CVSS Score Source: Tenable

Reference Information