🔷 CIS GCP 1.5 | Rule: GCP-IAM-005 | Severity: medium

Ensure user-managed service account keys are eliminated

Description

Prefer Workload Identity Federation or attached service accounts over user-managed keys.

⚠️ Risk Impact

User-managed keys can be leaked in code repositories, logs, or configuration files. They provide long-lived credentials that are difficult to track.

🔍 How EchelonGraph Detects This

GCP-IAM-005 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.

🔧 Remediation

Migrate to Workload Identity Federation for external workloads or use attached service accounts for GCP workloads.

💀 Real-World Attack Scenario

A developer committed a GCP service account JSON key to a public GitHub repository. Automated scanners detected the key within 30 seconds of the push. The attacker used the key to spin up 200 GPU instances for cryptocurrency mining, running up $42,000 in charges before the billing alert triggered at the $50K threshold.

💰 Cost of Non-Compliance

GitHub reports scanning 100M+ commits/month and finding thousands of GCP keys. Average cost of leaked cloud credentials: $150K-$500K in unauthorized resource usage. Samsung 2022: leaked AWS keys in public repo led to source code theft.

📋 Audit Questions

  1. How many user-managed service account keys exist?
  2. What is the business justification for each key?
  3. Have you evaluated keyless authentication for each use case?
  4. Where are service account keys stored and how are they protected?
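Answering the first audit question starts with an inventory. The script below is an added example, not part of the original page or of EchelonGraph's scanner: it takes key records in the shape of the IAM API ServiceAccountKey resource (what `gcloud iam service-accounts keys list --iam-account=SA --format=json` prints), keeps only the USER_MANAGED ones, and reports each key's age against a rotation threshold so stale and still-enabled keys stand out. The records, project and account names are constructed samples; the 90-day threshold is an assumed policy value.

```python
"""Inventory user-managed service account keys from an IAM key listing.

Added example, not part of the original page or of EchelonGraph's scanner.
Input records follow the shape of the IAM API ServiceAccountKey resource,
which is what `gcloud iam service-accounts keys list --iam-account=SA --format=json`
prints. The records, project and account names below are constructed samples.
"""
from datetime import datetime, timezone

# Constructed sample listing (placeholder project and accounts).
SAMPLE_KEYS = [
    {   # Google-managed key: rotated automatically, not a finding
        "name": "projects/example-project/serviceAccounts/"
                "app-sa@example-project.iam.gserviceaccount.com/keys/a1b2c3",
        "keyType": "SYSTEM_MANAGED",
        "validAfterTime": "2024-05-01T00:00:00Z",
        "validBeforeTime": "2024-05-15T00:00:00Z",
    },
    {   # user-managed key, created in 2022 and never expiring
        "name": "projects/example-project/serviceAccounts/"
                "app-sa@example-project.iam.gserviceaccount.com/keys/d4e5f6",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2022-01-10T00:00:00Z",
        "validBeforeTime": "9999-12-31T23:59:59Z",
    },
    {   # recent user-managed key that has already been disabled
        "name": "projects/example-project/serviceAccounts/"
                "ci-sa@example-project.iam.gserviceaccount.com/keys/g7h8i9",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2024-04-20T00:00:00Z",
        "validBeforeTime": "9999-12-31T23:59:59Z",
        "disabled": True,
    },
]

# Fixed audit time so the example is reproducible.
AUDIT_TIME = datetime(2024, 5, 10, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90  # rotation threshold; assumed policy value, not from the page


def parse_key_name(name):
    """Split 'projects/P/serviceAccounts/EMAIL/keys/ID' into (P, EMAIL, ID)."""
    parts = name.split("/")
    return parts[1], parts[3], parts[5]


def _parse_time(value):
    """Parse the RFC 3339 UTC timestamps the IAM API returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_user_managed_keys(keys, now=AUDIT_TIME, max_age_days=MAX_KEY_AGE_DAYS):
    """Return one finding per USER_MANAGED key, with its age and rotation status."""
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed keys are rotated by Google, not a finding
        project, email, key_id = parse_key_name(key["name"])
        age_days = (now - _parse_time(key["validAfterTime"])).days
        findings.append({
            "project": project,
            "service_account": email,
            "key_id": key_id,
            "age_days": age_days,
            "stale": age_days > max_age_days,
            "disabled": bool(key.get("disabled", False)),
        })
    return findings


def summarize(findings):
    """Counts that answer audit question 1 and show how many keys are still live."""
    return {
        "user_managed": len(findings),
        "stale": sum(1 for f in findings if f["stale"]),
        "enabled": sum(1 for f in findings if not f["disabled"]),
    }


if __name__ == "__main__":
    results = find_user_managed_keys(SAMPLE_KEYS)
    for f in results:
        status = "DISABLED" if f["disabled"] else ("STALE" if f["stale"] else "ok")
        print(f'{f["service_account"]} key {f["key_id"]}: {f["age_days"]} days old [{status}]')
    print(summarize(results))
```

Run it against real output by replacing SAMPLE_KEYS with the parsed JSON from the gcloud command above, once per service account in each project; the summary is the number to record for audit question 1, and each stale or enabled finding is a key that still needs a business justification (question 2) or a migration to keyless auth (question 3).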

🎯 MITRE ATT&CK Mapping

T1552.001 — Credentials in Files
T1552 — Unsecured Credentials

🏗️ Infrastructure as Code Fix

main.tf
# For GKE workloads, use Workload Identity so pods authenticate without a downloaded key.
# Inputs, declared here so the file applies on its own:
variable "project_id" { type = string }
variable "namespace"  { type = string } # Kubernetes namespace of the workload
variable "ksa_name"   { type = string } # Kubernetes service account in that namespace

resource "google_service_account" "app" {
  account_id   = "app-sa"
  display_name = "App Service Account"
}

# Allow the Kubernetes service account to impersonate the Google service account.
resource "google_service_account_iam_binding" "workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  members = ["serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.ksa_name}]"]
}
# The Kubernetes service account must also carry the annotation
# iam.gke.io/gcp-service-account = google_service_account.app.email

⚡ Common Pitfalls

  • Assuming attached service accounts work for all use cases (they do not cover on-prem workloads, which need Workload Identity Federation instead)
  • Not scanning CI/CD logs for accidentally printed key material
  • Creating temporary keys for debugging and forgetting to delete them
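The second pitfall is easy to check for mechanically, because a downloaded service account key has a recognisable structure. The following is an added example, not part of the original page or of EchelonGraph's scanner: it scans build log lines for the markers of a GCP service account JSON key ("type": "service_account", a 40-character hex private_key_id, a PEM private key block), treats a bare service account e-mail as context rather than a secret, and redacts the key material before the log is retained. The log excerpt, project and account names are constructed samples; the private key body is a placeholder, not a real key.

```python
"""Flag service account key material that leaked into CI/CD log output.

Added example, not part of the original page or of EchelonGraph's scanner.
It looks for the structural markers of a GCP service account JSON key and
can redact them before the log is stored. The log lines, project and
account names below are constructed samples; the PEM body is a placeholder.
"""
import re

# Structural markers of a downloaded service account key, with a severity each.
# A bare service account e-mail is not secret, so it is only reported as context.
INDICATORS = [
    ("sa_key_type",     "high", re.compile(r'"type"\s*:\s*"service_account"')),
    ("private_key_id",  "high", re.compile(r'"private_key_id"\s*:\s*"[0-9a-f]{40}"')),
    ("private_key_pem", "high", re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")),
    ("sa_client_email", "info", re.compile(r"[\w.+-]+@[\w-]+\.iam\.gserviceaccount\.com")),
]

# Patterns used for redaction: the whole PEM block, and the private_key_id value.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?:RSA )?PRIVATE KEY-----.*?-----END (?:RSA )?PRIVATE KEY-----", re.S)
KEY_ID = re.compile(r'("private_key_id"\s*:\s*")[0-9a-f]{40}(")')

# Constructed CI log excerpt: a debug step dumped the key file into the build output.
SAMPLE_LOG = [
    "2024-05-10T09:14:02Z INFO  build step 1/4: installing dependencies",
    "2024-05-10T09:14:05Z DEBUG env dump: GOOGLE_APPLICATION_CREDENTIALS=/workspace/key.json",
    '2024-05-10T09:14:05Z DEBUG key.json: {"type": "service_account", '
    '"project_id": "example-project", '
    '"private_key_id": "0123456789abcdef0123456789abcdef01234567", '
    '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...SAMPLE-NOT-A-REAL-KEY...'
    '\\n-----END PRIVATE KEY-----\\n", '
    '"client_email": "ci-sa@example-project.iam.gserviceaccount.com"}',
    "2024-05-10T09:14:09Z INFO  deploying as ci-sa@example-project.iam.gserviceaccount.com",
    "2024-05-10T09:14:12Z INFO  build finished",
]


def scan_log_lines(lines):
    """Return one finding per (line, indicator) hit, 1-based line numbers."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for name, severity, pattern in INDICATORS:
            if pattern.search(line):
                findings.append({"line": line_no, "indicator": name, "severity": severity})
    return findings


def redact(line):
    """Strip the secret parts of a leaked key from a log line, keeping the rest."""
    line = PEM_BLOCK.sub("[REDACTED PRIVATE KEY]", line)
    return KEY_ID.sub(r"\1[REDACTED]\2", line)


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f'line {f["line"]}: {f["indicator"]} ({f["severity"]})')
    print(redact(SAMPLE_LOG[2]))
```

Any high-severity hit means the key is compromised and should be treated as such (disable it, rotate the workload to keyless auth, review the account's activity), since the log has usually already been copied to build artefacts or notification channels; redaction only limits further spread.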

📈 Business Value

Eliminating user-managed keys removes the most exploited credential type in cloud breaches. Zero-key architectures reduce operational burden (no rotation needed) and eliminate an entire category of secrets management complexity.

⏱️ Effort Estimate

Manual

2-5 days to inventory all keys and migrate to keyless auth per project

With EchelonGraph

EchelonGraph identifies all user-managed keys and recommends keyless alternatives

🔗 Cross-Framework References

SOC2-CC6.1, ISO27001-A.9.4.3

Automate CIS GCP 1.5 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
