app_engine_application_iap_enabledaudit_logging_configured_for_all_servicebigquery_dataset_encrypted_with_cmkbigquery_dataset_not_publicly_accessiblebigquery_dataset_restrict_gmailbigquery_dataset_restrict_googlegroupsbigquery_table_encrypted_with_cmkcloudfunction_function_no_deployments_manager_permissioncloudfunction_function_no_disrupt_logging_permissioncloudfunction_function_no_ingress_settings_allow_allcloudfunction_function_restrict_public_accesscloudfunction_function_restricted_permissioncloudfunction_function_vpc_connector_enabledcloudrun_service_restrict_public_accesscompute_backend_bucket_no_dangling_storage_bucketcompute_disk_encrypted_with_cskcompute_external_backend_service_iap_enabledcompute_firewall_allow_connections_proxied_by_iapcompute_firewall_allow_tcp_connections_proxied_by_iapcompute_firewall_default_rule_restrict_ingress_access_except_http_and_httpscompute_firewall_rule_ingress_access_restricted_to_dns_port_53compute_firewall_rule_ingress_access_restricted_to_ftp_port_21compute_firewall_rule_ingress_access_restricted_to_http_port_80compute_firewall_rule_ingress_access_restricted_to_microsoft_ds_port_445compute_firewall_rule_ingress_access_restricted_to_mongo_db_port_27017compute_firewall_rule_ingress_access_restricted_to_mysql_db_port_3306compute_firewall_rule_ingress_access_restricted_to_netbios_snn_port_139compute_firewall_rule_ingress_access_restricted_to_oracle_db_port_1521compute_firewall_rule_ingress_access_restricted_to_pop3_port_110compute_firewall_rule_ingress_access_restricted_to_postgresql_port_10250compute_firewall_rule_ingress_access_restricted_to_postgresql_port_10255compute_firewall_rule_ingress_access_restricted_to_postgresql_port_5432compute_firewall_rule_ingress_access_restricted_to_smtp_port_25compute_firewall_rule_ingress_access_restricted_to_telnet_port_23compute_firewall_rule_rdp_access_restrictedcompute_firewall_rule_restrict_ingress_allcompute_firewall_rule_restrict_ingress_all_with_no_specific_targetcompute_firewall_rule_ssh_access_restrictedcompute_https_load_balancer_logging_enabledcompute_instance_block_project_wide_ssh_enabledcompute_instance_confidential_computing_enabledcompute_instance_ip_forwarding_disabledcompute_instance_no_data_destruction_permissioncompute_instance_no_database_write_permissioncompute_instance_no_deployments_manager_permissioncompute_instance_no_disrupt_logging_permissioncompute_instance_no_iam_write_permissioncompute_instance_no_service_account_impersonate_permissioncompute_instance_no_write_permission_on_deny_policycompute_instance_oslogin_enabledcompute_instance_preemptible_termination_disabledcompute_instance_serial_port_connection_disabledcompute_instance_shielded_vm_enabledcompute_instance_template_ip_forwarding_disabledcompute_instance_with_custom_metadatacompute_instance_with_no_default_service_accountcompute_instance_with_no_default_service_account_with_full_accesscompute_instance_with_no_public_ip_addressescompute_instance_wth_no_high_level_basic_rolecompute_network_auto_create_subnetwork_enabledcompute_network_contains_no_default_networkcompute_network_contains_no_legacy_networkcompute_network_dns_logging_enabledcompute_ssl_policy_with_no_weak_ciphercompute_subnetwork_flow_log_enabledcompute_subnetwork_private_ip_google_accesscompute_target_https_proxy_quic_protocol_enabledcompute_target_https_proxy_quic_protocol_no_default_ssl_policycompute_target_https_uses_latest_tls_versiondataproc_cluster_encryption_with_cmekdns_managed_zone_dnssec_enableddns_managed_zone_key_signing_not_using_rsasha1dns_managed_zone_zone_signing_not_using_rsasha1iam_api_key_age_90iam_api_key_restricts_apisiam_api_key_restricts_websites_hosts_appsiam_service_account_gcp_managed_keyiam_service_account_key_age_100iam_service_account_key_age_90iam_service_account_without_admin_privilegeiam_user_denylist_publiciam_user_kms_separation_of_duty_enforcediam_user_not_assigned_service_account_user_role_project_leveliam_user_separation_of_duty_enforcediam_user_uses_corporate_login_credentialskms_key_not_publicly_accessiblekms_key_rotated_within_100_daykms_key_rotated_within_90_daykms_key_separation_of_duties_enforcedkubernetes_cluster_auto_repair_enabledkubernetes_cluster_auto_upgrade_enabledkubernetes_cluster_binary_authorization_enabledkubernetes_cluster_client_certificate_authentication_enabledkubernetes_cluster_dashboard_disabledkubernetes_cluster_database_encryption_enabledkubernetes_cluster_http_load_balancing_enabledkubernetes_cluster_incoming_traffic_open_to_allkubernetes_cluster_intra_node_visibility_enabledkubernetes_cluster_kubernetes_alpha_enabledkubernetes_cluster_legacy_abac_enabledkubernetes_cluster_legacy_endpoints_disabledkubernetes_cluster_logging_enabledkubernetes_cluster_master_authorized_networks_config_enabledkubernetes_cluster_monitoring_enabledkubernetes_cluster_network_policy_enabledkubernetes_cluster_network_policy_installedkubernetes_cluster_no_default_networkkubernetes_cluster_node_config_image_cos_containerdkubernetes_cluster_node_no_default_service_accountkubernetes_cluster_private_cluster_config_enabledkubernetes_cluster_private_nodes_configuredkubernetes_cluster_release_channel_configuredkubernetes_cluster_service_account_defaultkubernetes_cluster_shielded_instance_integrity_monitoring_enabledkubernetes_cluster_shielded_node_secure_boot_enabledkubernetes_cluster_shielded_nodes_enabledkubernetes_cluster_use_ip_aliaseskubernetes_cluster_with_less_than_three_node_auto_upgrade_enabledkubernetes_cluster_with_resource_labelskubernetes_cluster_zone_redundantlogging_bucket_retention_policy_enabledlogging_metric_alert_audit_configuration_changeslogging_metric_alert_custom_role_changeslogging_metric_alert_firewall_rule_changeslogging_metric_alert_network_changeslogging_metric_alert_network_route_changeslogging_metric_alert_project_ownership_assignmentlogging_metric_alert_sql_instance_configuration_changeslogging_metric_alert_storage_iam_permission_changeslogging_sink_configured_for_all_resourcemanual_controlorganization_essential_contacts_configuredproject_access_approval_settings_enabledproject_no_api_keyproject_service_cloudasset_api_enabledproject_service_container_scanning_api_enabledsql_instance_automated_backups_enabledsql_instance_mysql_binary_log_enabledsql_instance_mysql_local_infile_database_flag_offsql_instance_mysql_skip_show_database_flag_onsql_instance_not_open_to_internetsql_instance_not_publicly_accessiblesql_instance_postgresql_cloudsql_pgaudit_database_flag_enabledsql_instance_postgresql_log_checkpoints_database_flag_onsql_instance_postgresql_log_connections_database_flag_onsql_instance_postgresql_log_disconnections_database_flag_onsql_instance_postgresql_log_duration_database_flag_onsql_instance_postgresql_log_error_verbosity_database_flag_default_or_strictersql_instance_postgresql_log_executor_stats_database_flag_offsql_instance_postgresql_log_hostname_database_flag_configuredsql_instance_postgresql_log_lock_waits_database_flag_onsql_instance_postgresql_log_min_duration_statement_database_flag_disabledsql_instance_postgresql_log_min_error_statement_database_flag_configuredsql_instance_postgresql_log_min_messages_database_flag_errorsql_instance_postgresql_log_parser_stats_database_flag_offsql_instance_postgresql_log_planner_stats_database_flag_offsql_instance_postgresql_log_statement_database_flag_ddlsql_instance_postgresql_log_statement_stats_database_flag_offsql_instance_postgresql_log_temp_files_database_flag_0sql_instance_require_ssl_enabledsql_instance_sql_3625_trace_database_flag_offsql_instance_sql_3625_trace_database_flag_onsql_instance_sql_contained_database_authentication_database_flag_offsql_instance_sql_cross_db_ownership_chaining_database_flag_offsql_instance_sql_external_scripts_enabled_database_flag_offsql_instance_sql_remote_access_database_flag_offsql_instance_sql_user_connections_database_flag_configuredsql_instance_sql_user_options_database_flag_not_configuredsql_instance_with_labelssql_instance_with_no_public_ipsstorage_bucket_bucket_policy_only_enabledstorage_bucket_log_retention_policy_enabledstorage_bucket_log_retention_policy_lock_enabledstorage_bucket_not_publicly_accessiblestorage_bucket_uniform_access_enabled
Query: compute_instance_no_service_account_impersonate_permission
Usage
powerpipe query gcp_compliance.query.compute_instance_no_service_account_impersonate_permissionSteampipe Tables
SQL
with role_with_service_account_impersonate_permission as ( select distinct name, project from gcp_iam_role, jsonb_array_elements_text(included_permissions) as p where not is_gcp_managed and p in ('iam.serviceAccounts.getAccessToken', 'iam.serviceAccounts.signBlob', 'iam.serviceAccounts.signJwt', 'iam.serviceAccounts.implicitDelegation', 'iam.serviceAccounts.getOpenIdToken', 'iam.serviceAccounts.actAs') ), policy_with_service_account_impersonate_permission as ( select distinct entity, project from gcp_iam_policy, jsonb_array_elements(bindings) as p, jsonb_array_elements_text(p -> 'members') as entity where p ->> 'role' in ('roles/iam.securityAdmin' ) or p ->> 'role' in (select name from role_with_service_account_impersonate_permission)), compute_instance_with_service_account_impersonate_permission as ( select distinct self_link from gcp_compute_instance as i, jsonb_array_elements(service_accounts) as e left join policy_with_service_account_impersonate_permission as b on b.entity = concat('serviceAccount:' || (e ->> 'email')) where b.entity is not null)select i.self_link as resource, case when p.self_link is not null then 'alarm' else 'ok' end as status, case when p.self_link is not null then i.title || ' allow service account impersonate permission.' else i.title || ' restrict service account impersonate permission.' end as reason , location as location, project as projectfrom gcp_compute_instance as i left join compute_instance_with_service_account_impersonate_permission as p on p.self_link = i.self_link;Controls
The query is being used by the following controls: