Google Cloud credentials control access to your resources hostedon Google Cloud. To help keep your data secure and protected fromattackers, you must handleyour credentials with utmost care.
We recommend that you protect all of your Google Cloud credentials fromunintended access. Thesecredentials include but are not limited to the following:
Service credentials:
- Service account private keys(JSON and p12 files)
- API keys
- OAuth2 client IDsecrets
User credentials that are created and managed on developer workstations orother computers:
Google Cloud CLI credentials
Application Default Credentials
Browser cookies
Google Cloud CLI credentials are stored in theuser's home directory. You can list them in Google Cloud CLI using the gcloudauth list command.Application Default Credentials are stored on the developer's workstation.Browser cookies are browser-specific, but are typically stored on the developer'sworkstation.
If you suspect that any of your credentials have been compromised, you musttake immediate action to limit the impact of the compromise on yourGoogle Cloud account.
Monitor for credential compromise
To monitor for potential compromise, consider the following:
Monitor for suspicious account activity such as privilege escalation andmultiple account creations. Monitor for these activities usingCloud Audit Logs,Policy Intelligence andSecurity Command Center.Use the following Security Command Center services and capabilities:
- Event Threat Detectionto identify threats that are based on administrator activities, Groupschanges, and Identity and Access Management (IAM) permission changes.
- Sensitive ActionsServiceto track actions in your organization, folders, and projects that could bedamaging to your business if they are taken by a malicious actor.
- Cloud Infrastructure Entitlement Management(CIEM) (Preview) to manageaccess for identities and generate findings for misconfigurations.
Monitor user logins inGoogle Workspace andCloud Identity.To better track issues, consider exporting the logs toCloud Logging.
Monitor for secrets in your code repositories, using tools such as Anomaly Detection orsecret scanning.
Monitor for anomalies in service account key usage usingCloud Monitoring or CIEM.
Ensure that your security operations center (SOC) is notified promptly and hasthe playbooks, tools, and access that are required to respond quickly to asuspected credential compromise. Use the Security Command Center Enterprisetierto enable SIEM and SOAR capabilities such as playbooks, response workflows, andautomated actions. You can also integrate Security Command Center with your existingSIEM or import logsinto Google Security Operationsfor further analysis.
Protect your Google Cloud resources from a compromised credential
Complete the steps in the following sections as soon as you can to help protectyour resources if you suspect a credential is compromised.
Revoke and reissue credentials
If you suspect a credential is compromised, revoke and re-issue it. Proceedcarefully to ensure you don't suffer a service outage as a result of revokingcredentials.
In general, to reissue credentials, you generate a new credential, push it toall services and users that need it, and then revoke the old credential.
The following sections provide specific instructions for each type ofcredential.
Replace a service account key
In the Google Cloud console, go to the Service accounts page.
Go to Service accounts
Locate the affected service account.
Create a new key for the service account.
Push the new key to all the locations in which the old key was in use.
Delete the old key.
For more information, see Create serviceaccounts.
Regenerate API keys
In the Google Cloud console, go to the Credentials page.
Go to Credentials
Create a new API key using the Create credentials button. Configure thenew key to be the same as the compromised API key. The restrictions on the APIkey must match; otherwise you might suffer an outage.
Push the API key to all locations in which the old key was in use.
Delete the old key.
For more information, see Authenticate by using APIkeys.
Reset an OAuth2 client ID secret
Changing a client ID secret will cause a temporary outage while thesecret is rotated.
In the Google Cloud console, go to the Credentials page.
Go to Credentials
Select the compromised OAuth2 client ID and edit it.
Click Reset Secret.
Push the new secret to your application.
For more information, see Setting up OAuth2.0 and Using OAuth 2.0 toaccess Google APIs.
Remove Google Cloud CLI credentials as an administrator
As a Google Workspace administrator, remove access to Google Cloud CLI from theuser's list of connected apps. For more information, see View and remove accessto third-partyapplications.
When the user accesses Google Cloud CLI again, it will automatically askthem to re-authorize the application.
Remove Google Cloud CLI credentials as a user
Open the list of apps with access to your Google Account.
Remove Google Cloud CLI from the list of connected apps.
When you access Google Cloud CLI again, it will automatically askyou to re-authorize the application.
Revoke Application Default Credentials as an administrator
If you suspect that an Application Default Credential iscompromised, you can revoke it. This procedure can cause a temporary outageuntil the credentials file is recreated.
As a Google Workspace administrator, remove access to theGoogle Auth Library from the user's list of connected apps. For moreinformation, see View and remove access to third-partyapplications.
Revoke Application Default Credentials as a user
If you suspect that an Application Default Credential that you created iscompromised, you can revoke it. This procedure can cause a temporary outageuntil the credentials file is recreated. This procedure can only be completed bythe owner of the compromised credential.
Install and initialize the Google Cloud CLI, if youhaven'talready.
Authorize gcloud CLI with your user identity, not with a serviceaccount:
gcloud auth loginFor more information, see Authorize the gcloud CLI.
Revoke the credentials:
gcloud auth application-default revokeOptionally, delete the
application_default_credentials.jsonfile. The location depends on youroperating system:- Linux, macOS:
$HOME/.config/gcloud/ - Windows:
%APPDATA%\gcloud\
- Linux, macOS:
Recreate the credentials file:
gcloud auth application-default login
Invalidate browser cookies as an administrator
If you suspect browser cookies are compromised, Google Workspace administratorscan sign a user out of theiraccount.
In addition, immediately force a password change.
These actions invalidate allexisting cookies, and the user is asked to sign in again.
Invalidate browser cookies as a user
If you suspect browser cookies are compromised, sign out of your GoogleAccount and change your password immediately.
These actions invalidate all your existing cookies. The next time you accessGoogle Cloud, you must sign in again.
Look for unauthorized access and resources
After you revoke compromised credentials and restored your service, review allaccess to your Google Cloud resources. You can use Loggingor Security Command Center.
In Logging, complete the following:
Examine your audit logs in theGoogle Cloud console.
Go to Logs Explorer
Search all potentially affected resources, and make sure that allaccount activity (especially related to the compromised credentials) areas expected.
In Security Command Center, complete the following:
In the Google Cloud console, go to the Security Command Center Findings page.
Go to Findings
If necessary, select your Google Cloud project or organization.
In the Quick filters section, click an appropriate filter to displaythe finding that you need in the Findings query results table. Forexample, if you select Event Threat Detection or Container Threat Detectionin the Source display name subsection, only findings from theselected service appear in the results.
The table is populated with findings for the source you selected.
To view details of a specific finding, click the finding name under
Category. The finding details pane expands to display a summaryof the finding's details.To display all findings that were caused by the same user's actions:
- On the finding details pane, copy the email address next toPrincipal email.
- Close the pane.
In Query editor, enter the following query:
access.principal_email="USER_EMAIL"ReplaceUSER_EMAIL with the email address that youpreviously copied.
Security Command Center displays all findings that are associated with actionstaken by the user that you specified.
Delete all unauthorized resources
Make sure that there are no unexpected resources, such as VMs, App Engineapps, service accounts, Cloud Storage buckets, and so forth,that the compromised credential could access.
After you are satisfied that you have identified all unauthorized resources, youcan choose to delete these resources immediately. This is especially importantforCompute Engine resources, because attackers can use compromised accounts toexfiltrate data or otherwisecompromise your production systems.
Alternatively, you can try to isolate unauthorized resources to allow your ownforensics teams to perform additional analysis.
Contact Cloud Customer Care
For help with finding the Google Cloud logs and tools that you require for yourinvestigation and mitigation steps, contact Customer Careand open a support case.
Best practices to avoid compromised credentials
This section describes best practices that you can implement to help you avoidcompromised credentials.
Separate credentials from code
Manage and store your credentials separately from your source code. It isextremely common to accidentally push both credentials and source code to asource management site like GitHub, which makes your credentials vulnerable toattack.
If you are using GitHub or other public repository, you can implement tools suchas AnomalyDetectionor secretscanning,which warns you about exposed secrets in your GitHub repositories. To stop keysfrom being committed to your GitHub repositories, consider using tools such asgit-secrets.
Use secret management solutions such as SecretManager and HashicorpVault to store your secrets, rotate themregularly, and apply least privilege.
Implement service account best practices
To help protect service accounts, review thebest practices for working with service accounts.
Limit session lengths
To force periodic re-authentication, limit the time that sessions remain activefor Google and Google Cloud accounts. For more information, see thefollowing:
Set session length for Google Workspace
Set session length for Google Cloud services
Set session length for Cloud Identity
Use VPC Service Controls to limit access
To limit the impact of compromisedcredentials, create service perimeters using VPC Service Controls. When you configure VPC Service Controls,resources inside the perimeter can only communicate with other resources insidethe perimeter.
