Control: Cloud Run service should restrict public access
Description
This control ensures that Cloud Run services are not publicly accessible, that is, that the role roles/run.invoker is not granted to allUsers or allAuthenticatedUsers in a service's IAM policy.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cloudrun_service_restrict_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.cloudrun_service_restrict_public_access --share
SQL
This control uses a named query:
-- Services with at least one binding that grants roles/run.invoker to a public principal.
-- distinct keeps one row per service even when both allUsers and allAuthenticatedUsers
-- are bound, so the left join below cannot duplicate a service's result row.
with publicly_accessible_cloudrun_services as (
  select distinct
    self_link
  from
    gcp_cloud_run_service,
    jsonb_array_elements(iam_policy -> 'bindings') as p,
    jsonb_array_elements_text(p -> 'members') as entity
  where
    entity in ('allAuthenticatedUsers', 'allUsers')
    and p ->> 'role' = 'roles/run.invoker'
)
select
  f.project as resource,
  case
    when b.self_link is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when b.self_link is not null then f.title || ' publicly accessible.'
    else f.title || ' not publicly accessible.'
  end as reason,
  location as location,
  project as project
from
  gcp_cloud_run_service as f
  left join publicly_accessible_cloudrun_services as b on f.self_link = b.self_link;
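The same check, re-implemented in Python over Cloud Run IAM policy documents so the logic of the named query can be read and exercised without a Steampipe connection. This is an added example, not code from the Powerpipe mod; the service rows and the project name are constructed, and the policy shape follows the bindings/role/members layout the query walks. It also shows the one case practitioners often miss: a public principal bound to a role other than roles/run.invoker is not flagged by this control.

```python
"""Offline re-implementation of cloudrun_service_restrict_public_access
(added example; not the Powerpipe mod's own code)."""

# Principals that make a binding "public" in the sense used by the control.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Only this role is considered: it is what lets a caller invoke the service.
INVOKER_ROLE = "roles/run.invoker"


def is_publicly_invocable(iam_policy):
    """True when any binding grants roles/run.invoker to allUsers or
    allAuthenticatedUsers. Mirrors the query: iterate bindings, then members.
    A missing or null policy yields no bindings and therefore False."""
    if not iam_policy:
        return False
    for binding in iam_policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue
        if PUBLIC_PRINCIPALS.intersection(binding.get("members", [])):
            return True
    return False


def evaluate(services):
    """Produce one (resource, status, reason) row per service, in the same
    shape and wording the control emits."""
    rows = []
    for svc in services:
        public = is_publicly_invocable(svc.get("iam_policy"))
        status = "alarm" if public else "ok"
        suffix = "publicly accessible." if public else "not publicly accessible."
        rows.append((svc["project"], status, f"{svc['title']} {suffix}"))
    return rows


# Constructed sample rows resembling gcp_cloud_run_service (hypothetical project).
SAMPLE_SERVICES = [
    {   # allUsers can invoke: must raise an alarm
        "title": "public-api",
        "project": "example-project",
        "iam_policy": {"bindings": [
            {"role": "roles/run.invoker", "members": ["allUsers"]},
        ]},
    },
    {   # allUsers bound, but not to run.invoker: this control reports ok
        "title": "viewer-only",
        "project": "example-project",
        "iam_policy": {"bindings": [
            {"role": "roles/run.viewer", "members": ["allAuthenticatedUsers"]},
            {"role": "roles/run.invoker", "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]},
        ]},
    },
    {   # no IAM policy at all: nothing to flag
        "title": "internal-worker",
        "project": "example-project",
        "iam_policy": None,
    },
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_SERVICES):
        print(row)
```

Running the block prints one row per sample service; only public-api is in alarm. The viewer-only service shows why the control is scoped to roles/run.invoker: a public member on another role does not make the service invocable, so it is reported ok, and a separate check would be needed if that broader binding were a concern.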