chore(gcp): enhance metadata for apikeys service (#9637)

puchy22 · HugoPBrito · web-flow · commit 6abd5186aa4b · 2026-02-13T10:35:05.000+01:00
Co-authored-by: HugoPBrito &lt;hugopbrit@gmail.com&gt;
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
@@ -21,6 +21,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 - Update Azure Monitor service metadata to new format [(#9622)](https://github.com/prowler-cloud/prowler/pull/9622)
 - Parallelize Cloudflare zone API calls with threading to improve scan performance [(#9982)](https://github.com/prowler-cloud/prowler/pull/9982)
+- Update GCP API Keys service metadata to new format [(#9637)](https://github.com/prowler-cloud/prowler/pull/9637)
 
 ## [5.18.2] (Prowler UNRELEASED)
 
diff --git a/prowler/providers/gcp/services/apikeys/apikeys_api_restrictions_configured/apikeys_api_restrictions_configured.metadata.json b/prowler/providers/gcp/services/apikeys/apikeys_api_restrictions_configured/apikeys_api_restrictions_configured.metadata.json
@@ -1,30 +1,36 @@
 {
   "Provider": "gcp",
   "CheckID": "apikeys_api_restrictions_configured",
-  "CheckTitle": "Ensure API Keys Are Restricted to Only APIs That Application Needs Access",
+  "CheckTitle": "API key is restricted to specific Google APIs",
   "CheckType": [],
   "ServiceName": "apikeys",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "API Key",
-  "ResourceGroup": "IAM",
-  "Description": "API Keys should only be used for services in cases where other authentication methods are unavailable. If they are in use it is recommended to rotate API keys every 90 days.",
-  "Risk": "Google Cloud Platform (GCP) API keys are simple encrypted strings that don't identify the user or the application that performs the API request. GCP API keys are typically accessible to clients, as they can be viewed publicly from within a browser, making it easy to discover and capture API keys.",
+  "Severity": "high",
+  "ResourceType": "apikeys.googleapis.com/Key",
+  "Description": "Google Cloud API keys have **API restrictions** limiting calls to specific services. The finding checks that keys are restricted to named Google APIs and do not include the broad `cloudapis.googleapis.com`, indicating keys are scoped only to intended use.",
+  "Risk": "Unrestricted keys-or ones allowing `cloudapis.googleapis.com`-expand attack surface. A leaked key can call many APIs without identity, enabling data exposure, unintended changes on permissive endpoints, and **quota/billing exhaustion**, impacting confidentiality, integrity, and availability.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/docs/authentication/api-keys",
+    "https://cloud.google.com/docs/authentication/api-keys-best-practices"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "gcloud services api-keys update <KEY_ID> --api-target=service=<SERVICE_NAME>",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudAPI/check-for-api-key-api-restrictions.html",
-      "Terraform": ""
+      "Other": "1. In Google Cloud Console, go to APIs & Services > Credentials\n2. Click the API key name to edit it\n3. In API restrictions, select \"Restrict key\"\n4. Choose only the specific API(s) needed (do not select \"All Google APIs\")\n5. Click Save",
+      "Terraform": "```hcl\nresource \"google_apikeys_key\" \"key\" {\n  display_name = \"<example_resource_name>\"\n\n  restrictions {\n    api_targets {\n      service = \"<SERVICE_NAME>\" # Critical: restricts the key to a specific API, removing any \"All Google APIs\" (cloudapis.googleapis.com)\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that the usage of your Google Cloud API keys is restricted to specific APIs such as Cloud Key Management Service (KMS) API, Cloud Storage API, Cloud Monitoring API and/or Cloud Logging API. All Google Cloud API keys that are being used for production applications should use API restrictions. In order to follow cloud security best practices and reduce the attack surface, Google Cloud API keys should be restricted to call only those APIs required by your application.",
-      "Url": "https://cloud.google.com/docs/authentication/api-keys"
+      "Text": "Apply **least privilege**: restrict each API key to only the specific APIs it must access and never include `cloudapis.googleapis.com`. Add **application restrictions** (referrers, IPs, app IDs), rotate keys, and monitor usage. Prefer **service accounts** or short-lived tokens for production as part of **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/apikeys_api_restrictions_configured"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets",
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
diff --git a/prowler/providers/gcp/services/apikeys/apikeys_key_exists/apikeys_key_exists.metadata.json b/prowler/providers/gcp/services/apikeys/apikeys_key_exists/apikeys_key_exists.metadata.json
@@ -1,30 +1,34 @@
 {
   "Provider": "gcp",
   "CheckID": "apikeys_key_exists",
-  "CheckTitle": "Ensure API Keys Only Exist for Active Services",
+  "CheckTitle": "Project has no active API keys",
   "CheckType": [],
   "ServiceName": "apikeys",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "API Key",
-  "ResourceGroup": "IAM",
-  "Description": "API Keys should only be used for services in cases where other authentication methods are unavailable. Unused keys with their permissions in tact may still exist within a project. Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.",
-  "Risk": "Security risks involved in using API-Keys appear below: API keys are simple encrypted strings, API keys do not identify the user or the application making the API request, API keys are typically accessible to clients, making it easy to discover and steal an API key.",
+  "ResourceType": "apikeys.googleapis.com/Key",
+  "Description": "Google Cloud projects are evaluated for **active API keys**. The finding indicates whether any keys exist and are enabled in the project, regardless of restrictions or usage.",
+  "Risk": "Active API keys are **bearer tokens** often exposed in clients and lack **user identity**. Compromise enables unauthorized API calls causing data exposure (C), unauthorized changes (I), quota/service exhaustion (A), and **billing abuse**. Keys can be harvested from code, logs, or intercepted requests.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/docs/authentication/api-keys"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "gcloud alpha services api-keys delete",
+      "CLI": "",
       "NativeIaC": "",
-      "Other": "",
+      "Other": "1. In the Google Cloud Console, go to APIs & Services > Credentials\n2. In the API keys section, for each key with state Active, click its row > Delete > Confirm\n3. Repeat until no API keys remain in the project\n4. Refresh the page to verify the API keys list is empty",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.",
-      "Url": "https://cloud.google.com/docs/authentication/api-keys"
+      "Text": "Prefer **service accounts** with short-lived credentials or **OAuth 2.0**, enforcing **least privilege**. *If keys are necessary*, restrict by API and application, store them in a secrets manager, rotate and revoke promptly, monitor with alerts as **defense in depth**, and remove unused keys.",
+      "Url": "https://hub.prowler.com/check/apikeys_key_exists"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
diff --git a/prowler/providers/gcp/services/apikeys/apikeys_key_rotated_in_90_days/apikeys_key_rotated_in_90_days.metadata.json b/prowler/providers/gcp/services/apikeys/apikeys_key_rotated_in_90_days/apikeys_key_rotated_in_90_days.metadata.json
@@ -1,30 +1,35 @@
 {
   "Provider": "gcp",
   "CheckID": "apikeys_key_rotated_in_90_days",
-  "CheckTitle": "Ensure API Keys Are Rotated Every 90 Days",
+  "CheckTitle": "API key was created within the last 90 days",
   "CheckType": [],
   "ServiceName": "apikeys",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "API Key",
-  "ResourceGroup": "IAM",
-  "Description": "API Keys should only be used for services in cases where other authentication methods are unavailable. If they are in use it is recommended to rotate API keys every 90 days.",
-  "Risk": "Once a Google Cloud API key is compromised, it can be used indefinitely unless the project owner revokes or regenerates that key.",
+  "ResourceType": "apikeys.googleapis.com/Key",
+  "Description": "**Google Cloud API keys** are evaluated for **rotation age** using their `creation_time`. Keys created within the last `90` days are treated as recently rotated; keys older than `90` days are treated as overdue.",
+  "Risk": "Stale, long-lived **API keys** are **bearer tokens** without IAM context. If exposed, attackers can invoke allowed APIs, enabling data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and quota/billing abuse or disruption (**availability**). Lack of rotation prolongs misuse.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/docs/authentication/api-keys",
+    "https://cloud.google.com/docs/authentication/api-keys-best-practices"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudAPI/rotate-api-keys.html",
+      "Other": "1. In the Google Cloud Console, go to APIs & Services > Credentials\n2. Under API keys, click the key older than 90 days\n3. Click Rotate key, then click Create to generate the new key\n4. Copy the new key string and update your applications to use it\n5. In the Previous key section, click Delete the previous key\n6. Repeat for any remaining API keys older than 90 days until only keys created within 90 days remain",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Ensure that all your Google Cloud API keys are regularly regenerated (rotated) in order to meet security and compliance requirements. By default, it is recommended to rotate keys every 90 days. Google Cloud Platform (GCP) API keys are simple, encrypted strings that can be used when calling specific APIs that don't need to access private user data. API keys are typically used to track API requests associated with your GCP project for quota and billing. Rotating GCP API keys will substantially reduce the window of opportunity for exploits and ensure that data can't be accessed with an outdated key that might have been lost, cracked, or stolen.",
-      "Url": "https://cloud.google.com/docs/authentication/api-keys"
+      "Text": "Rotate API keys at least every `90` days. Prefer **service accounts** or OAuth with short-lived credentials. Enforce **API** and **application/IP restrictions**. Store keys in a **secrets manager**, avoid client-side embedding, and monitor usage. Apply **least privilege** and **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/apikeys_key_rotated_in_90_days"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
