Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Mods
GCP
Loading policies...

Policy: GCP > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are only GCP-managed service account keys for each service account (Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From CLI: List All the service accounts: gcloud iam service-accounts list Identify user managed service accounts as such account EMAIL ends with iam.gserviceaccount.com For each user managed Service Account, list the keys managed by the user: No keys should be listed.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

Targets

This policy targets the following resource types:

  • GCP > IAM > Service Account Key

Primary Policy

This policy is used with the following primary policy:

  • GCP > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are only GCP-managed service account keys for each service account (Scored)

Controls

Setting this policy configures this control:

  • GCP > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are only GCP-managed service account keys for each service account (Scored)

Policy Specification

Schema Type
string

Category

  • CIS > Controls v7 > 16 Account Monitoring and Control

In Your Workspace

  • Policy Settings by Type report

Developers

    Category URI
    • tmod:@turbot/cis#/control/categories/v0716
    • Policy Type URI
    • tmod:@turbot/gcp-cisv1#/policy/types/r0103Attestation
    • GraphQL
    • query policyType(id: "tmod:@turbot/gcp-cisv1#/policy/types/r0103Attestation") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/gcp-cisv1#/policy/types/r0103Attestation'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/gcp-cisv1#/policy/types/r0103Attestation'") { … }
    • CLI
    • Get Policy Type
    • turbot graphql policy-type --id "tmod:@turbot/gcp-cisv1#/policy/types/r0103Attestation"
      • Get Policy Settings
    • turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp-cisv1#/policy/types/r0103Attestation"
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy
39
Mods
130
Resource Types
2,226
Policies
1,100
Controls
35
Quick Actions
83
IAM