Authentication

API key is not restricted to APIs

Risk Level

Informational (4)

Platform(s)
Compliance Frameworks

Description

API keys are used for authentication, they are simple encrypted strings that identify an application without any principal. API key '{GcpApiKey}' is not restricted only to required APIs. In order to reduce attack surfaces by providing least privileges, API-Keys can be restricted to use (call) only APIs required by an application

  • Recommended Mitigation

    It is recommended to restrict API keys only to APIs required by the application by setting API restrictions. Make sure to not set API restrictions to Google Cloud APIs, as this option allows access to all services offered by Google cloud. For more information: https://cloud.google.com/docs/authentication/api-keys

Need help?

Get a free Security Risk Assessment. Start today

See Orca in action See Orca in action-> View a 10 minute recorded demo or sign up for a personalized one-on-one walk-through.