Authentication

API key is not restricted to APIs

Risk Level

Informational (4)

Platform(s)
Compliance Frameworks

Description

API keys are used for authentication. They are simple encrypted strings that identify an application without any principal. API key '{GcpApiKey}' is not restricted to only the required APIs. To reduce the attack surface by applying least privilege, API keys can be restricted to call only the APIs required by an application.

Recommended Mitigation

Restrict API keys to only the APIs required by the application by setting API restrictions. Do not set the API restrictions to Google Cloud APIs, as this option allows access to all services offered by Google Cloud. For more information: https://cloud.google.com/docs/authentication/api-keys
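
One way to check for this finding, as an added example that is not part of the original rule text: a Python audit over API key metadata in the JSON shape returned by `gcloud services api-keys list --format=json`. The sample keys are constructed, the required-API set is a hypothetical input, and it is an assumption that the Google Cloud APIs option appears as the service `cloudapis.googleapis.com`.

```python
import json

# Assumption: the console's "Google Cloud APIs" option shows up under this service name.
BROAD_SERVICE = "cloudapis.googleapis.com"

# Constructed sample, shaped like `gcloud services api-keys list --format=json`.
SAMPLE_KEYS = json.loads("""[
 {"displayName": "maps-frontend",
  "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
 {"displayName": "legacy-unrestricted"},
 {"displayName": "browser-only",
  "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]}}},
 {"displayName": "all-cloud",
  "restrictions": {"apiTargets": [{"service": "cloudapis.googleapis.com"}]}},
 {"displayName": "extra-api",
  "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"},
                                  {"service": "translate.googleapis.com"}]}}
]""")


def audit_key(key, required_services):
    """Return the findings for one key; an empty list means it is compliant."""
    targets = (key.get("restrictions") or {}).get("apiTargets") or []
    services = {t.get("service", "") for t in targets}
    if not services:
        # Application restrictions (referrer, IP) alone do not limit which APIs are callable.
        return ["no API restrictions set"]
    findings = []
    if BROAD_SERVICE in services:
        findings.append(f"restricted to {BROAD_SERVICE}, which covers all Google Cloud services")
    extra = sorted(services - set(required_services) - {BROAD_SERVICE})
    if extra:
        findings.append("allows APIs the application does not need: " + ", ".join(extra))
    return findings


def audit_keys(keys, required_services):
    """Map each non-compliant key's display name to its findings."""
    report = {}
    for key in keys:
        findings = audit_key(key, required_services)
        if findings:
            report[key.get("displayName", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_keys(SAMPLE_KEYS, {"maps-backend.googleapis.com"}).items():
        print(f"{name}: {'; '.join(findings)}")
```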