Control: Cloudfunction functions should restrict public access
Description
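This control ensures that Cloudfunction functions are not publicly accessible, meaning that no binding in a function's IAM policy lists allUsers or allAuthenticatedUsers as a member.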
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cloudfunction_function_restrict_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.cloudfunction_function_restrict_public_access --share
SQL
This control uses a named query:
with publicly_accessible_functions as (
  select
    self_link
  from
    gcp_cloudfunctions_function,
    jsonb_array_elements(iam_policy -> 'bindings') as p,
    jsonb_array_elements_text(p -> 'members') as entity
  where
    entity in ('allAuthenticatedUsers', 'allUsers')
)
select
  f.project as resource,
  case
    when b.self_link is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when b.self_link is not null then f.title || ' publicly accessible.'
    else f.title || ' not publicly accessible.'
  end as reason,
  location as location,
  project as project
from
  gcp_cloudfunctions_function as f
  left join publicly_accessible_functions as b on f.self_link = b.self_link;
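The same check applied offline to IAM policy JSON, as an added example that is not part of the Powerpipe mod: it reports each function once and lists which role is granted to which public member, which the control's reason text does not show. The function names (`public_grants`, `evaluate`) and the sample policies are hypothetical and constructed for illustration.

```python
# Added example: the control's membership test over IAM policy documents.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # the two principals the query matches


def public_grants(iam_policy):
    """Return sorted, de-duplicated (role, member) pairs that expose the function."""
    grants = set()
    # A missing policy or a policy without bindings has nothing to flag.
    for binding in (iam_policy or {}).get("bindings") or []:
        for member in binding.get("members") or []:
            if member in PUBLIC_MEMBERS:
                grants.add((binding.get("role", ""), member))
    return sorted(grants)


def evaluate(functions):
    """Return one row per function with the control's status and reason strings."""
    rows = []
    for fn in functions:
        grants = public_grants(fn.get("iam_policy"))
        suffix = " publicly accessible." if grants else " not publicly accessible."
        rows.append({
            "function": fn["title"],
            "status": "alarm" if grants else "ok",
            "reason": fn["title"] + suffix,
            "grants": grants,
        })
    return rows


# Constructed sample data (not taken from any real project).
SAMPLE_FUNCTIONS = [
    {"title": "fn-open", "iam_policy": {"bindings": [
        {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}]}},
    {"title": "fn-open-twice", "iam_policy": {"bindings": [
        {"role": "roles/cloudfunctions.invoker",
         "members": ["allUsers", "allAuthenticatedUsers"]},
        {"role": "roles/cloudfunctions.viewer", "members": ["allUsers"]}]}},
    {"title": "fn-private", "iam_policy": {"bindings": [
        {"role": "roles/cloudfunctions.invoker",
         "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]}]}},
    {"title": "fn-no-policy", "iam_policy": None},
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FUNCTIONS):
        print(row["status"], row["reason"], row["grants"])
```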