turbot/gcp_compliance

Query: cloudrun_service_restrict_public_access

Usage

powerpipe query gcp_compliance.query.cloudrun_service_restrict_public_access

Steampipe Tables

SQL

with publicly_accessible_cloudrun_services as (
select
self_link,
p,
entity
from
gcp_cloud_run_service,
jsonb_array_elements(iam_policy -> 'bindings') as p,
jsonb_array_elements_text(p -> 'members') as entity
where
entity in ('allAuthenticatedUsers', 'allUsers')
and p ->> 'role' = 'roles/run.invoker'
)
select
f.project as resource,
case
when b.self_link is not null then 'alarm'
else 'ok'
end as status,
case
when b.self_link is not null then f.title || ' publicly accessible.'
else f.title || ' not publicly accessible.'
end as reason
, location as location, project as project
from
gcp_cloud_run_service as f
left join publicly_accessible_cloudrun_services as b on f.self_link = b.self_link;

Controls

The query is being used by the following controls: