GCP API Keys should be rotated every 90 days

Description

This rule fails when a GCP API key has not been rotated for more than 90 days. API keys are long-lived shared secrets; rotating them on a fixed cadence limits the window during which a leaked or stolen key can be abused.

Remediation

Replace the flagged key by creating a new key, updating clients to use the new value, and then deleting the old key. From the API Keys page in the Google Cloud Console choose Create credentials → API key, copy the new key, swap it into application configs, then return to the same page and delete the original key. The same flow with gcloud:

gcloud services api-keys create --display-name="my-app-key"
gcloud services api-keys delete OLD_KEY_ID
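As an added worked example (not Datadog's or Google's code), the check behind this rule and the rotation flow above, driven from the output of `gcloud services api-keys list --format=json`; the key list below is a constructed sample in that output's shape (field names follow the API Keys API Key resource), with placeholder ids and a fixed "now" so the result is reproducible:

```python
"""Flag GCP API keys older than 90 days and emit the documented rotation commands."""
import json
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=90)

# Constructed sample of `gcloud services api-keys list --format=json`; ids are placeholders.
SAMPLE_LIST_JSON = json.dumps([
    {"name": "projects/000000000000/locations/global/keys/aaaa-1111",
     "uid": "aaaa-1111", "displayName": "billing-web",
     "createTime": "2024-01-10T08:15:30.123456Z"},
    {"name": "projects/000000000000/locations/global/keys/bbbb-2222",
     "uid": "bbbb-2222", "displayName": "maps-mobile",
     "createTime": "2024-05-20T12:00:00Z"},
])
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_time(ts):
    """Parse an RFC 3339 timestamp as gcloud prints it ("...Z", optional fractional seconds)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def keys_due_for_rotation(list_json, now):
    """Return (key_id, display_name, age_days) for every key created more than 90 days before `now`."""
    due = []
    for key in json.loads(list_json):
        age = now - parse_time(key["createTime"])
        if age > ROTATION_PERIOD:
            key_id = key.get("uid") or key["name"].rsplit("/", 1)[-1]
            due.append((key_id, key.get("displayName", ""), age.days))
    return due


def rotation_plan(list_json, now):
    """Render the create -> update clients -> delete flow as gcloud commands, one group per stale key."""
    lines = []
    for key_id, name, age_days in keys_due_for_rotation(list_json, now):
        label = name or key_id
        lines.append(f"# {label}: created {age_days} days ago, past the 90-day limit")
        lines.append(f'gcloud services api-keys create --display-name="{label}"')
        lines.append("#   update application configs with the new key before deleting the old one")
        lines.append(f"gcloud services api-keys delete {key_id}")
    return lines


if __name__ == "__main__":
    print("\n".join(rotation_plan(SAMPLE_LIST_JSON, SAMPLE_NOW)) or "no keys due for rotation")
```

Pipe real `gcloud services api-keys list --format=json` output into `rotation_plan` to get a plan to review; the middle step, swapping the new key into clients, remains manual.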

Wherever possible, replace API key authentication with service accounts, workload identity federation, or OAuth — these support short-lived credentials and remove the need for manual rotation.