GCP API key created
Description
AlphaSOC detected creation of a new GCP API key. API keys provide long-lived credentials that can be used to access GCP services. While API keys have legitimate uses, unauthorized creation may indicate an attacker establishing persistent access.
Impact
API keys are less secure than service account keys as they don't require identity verification. Unauthorized API key creation allows attackers to maintain access to GCP APIs even after their initial access method is revoked. API keys can be shared and used from any location.
Severity
| Severity | Condition |
|---|---|
| Informational | GCP API key created |
Investigation and Remediation
Review GCP audit logs to identify the API key creation event. Determine which project the key was created in and what APIs it has access to. Verify the principal that created the key.
If unauthorized, immediately delete the newly created API key. Review API key restrictions to ensure keys are limited to specific APIs and callers. Rotate credentials for the compromised identity and audit IAM policies to restrict API key creation permissions. Consider using more secure authentication methods such as service accounts with short-lived credentials.
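The triage steps above, sketched as an added example (not AlphaSOC's or Google's code): it filters exported Cloud Audit Logs entries for the API Keys API `CreateKey` method and reports the project, principal, caller IP and any missing restrictions. The sample entries, the allowlist and the layout of the `request` field are constructed assumptions.

```python
import json

# Audit-log method name for key creation in the API Keys API (v2).
CREATE_KEY = "google.api.apikeys.v2.ApiKeys.CreateKey"
# Hypothetical allowlist of principals expected to create keys (assumption).
EXPECTED = {"deployer@example-project.iam.gserviceaccount.com"}

# Constructed sample entries shaped like exported Cloud Audit Logs, one JSON
# object per line. The layout of "request" is an assumption for illustration.
SAMPLE_LOG = r'''
{"resource":{"labels":{"project_id":"example-project"}},"protoPayload":{"methodName":"google.api.apikeys.v2.ApiKeys.CreateKey","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.7"},"request":{"key":{"displayName":"tmp"}}}}
{"resource":{"labels":{"project_id":"example-project"}},"protoPayload":{"methodName":"google.api.apikeys.v2.ApiKeys.CreateKey","authenticationInfo":{"principalEmail":"deployer@example-project.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.4"},"request":{"key":{"restrictions":{"apiTargets":[{"service":"maps.googleapis.com"}],"serverKeyRestrictions":{"allowedIps":["198.51.100.0/24"]}}}}}}
{"resource":{"labels":{"project_id":"example-project"}},"protoPayload":{"methodName":"google.api.apikeys.v2.ApiKeys.DeleteKey","authenticationInfo":{"principalEmail":"alice@example.com"}}}
not-json
'''

def triage_key_creations(lines, expected=EXPECTED):
    """Return one finding per CreateKey event, with the reasons it needs review."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        payload = entry.get("protoPayload", {}) if isinstance(entry, dict) else {}
        if payload.get("methodName") != CREATE_KEY:
            continue
        restrictions = payload.get("request", {}).get("key", {}).get("restrictions", {})
        api_targets = [t.get("service") for t in restrictions.get("apiTargets", [])]
        caller_limits = [k for k in restrictions if k != "apiTargets"]  # IP, referrer, app
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        reasons = []
        if principal not in expected:
            reasons.append("unexpected principal")
        if not api_targets:
            reasons.append("no API restriction")
        if not caller_limits:
            reasons.append("no caller restriction")
        findings.append({
            "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
            "principal": principal,
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "api_targets": api_targets,
            "reasons": reasons,
        })
    return findings

if __name__ == "__main__":
    for finding in triage_key_creations(SAMPLE_LOG.splitlines()):
        print(finding)
```

An empty `reasons` list means the event matched the allowlist and carried both API and caller restrictions; anything else is a candidate for the deletion and rotation steps described above.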
Known False Positives
- Application deployments requiring API key access
- Development workflows creating test credentials
- Third-party integrations requiring API access