turbot/steampipe-mod-gcp-compliance

Control: Prevent public users from having access to resources via IAM

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.denylist_public_users

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.denylist_public_users --share

SQL

This control uses a named query:

-- Projects whose project-level IAM policy binds the special principal allUsers
-- (anyone on the internet, authenticated or not) to any role.
with user_with_access as (
  select
    distinct project
  from
    gcp_iam_policy,
    jsonb_array_elements(bindings) as b,
    jsonb_array_elements_text(b -> 'members') as m
  where
    m = 'allUsers'
)
-- One row per project: 'alarm' when a public binding exists, otherwise 'ok'.
select
  a.project as resource,
  case
    when b.project is null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.project is null then 'No public users have access to resources via IAM.'
    else 'Public users have access to resources via IAM.'
  end as reason,
  a.project as project
from
  gcp_iam_policy as a
  left join user_with_access as b on a.project = b.project;
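The control above answers only whether a project has an allUsers binding; when it alarms you still have to open the policy to learn which role was exposed. The following query is an added example written for this page, not part of steampipe-mod-gcp-compliance, that keeps the same ok/alarm shape but also reports every public binding as member -> role pairs. It goes beyond the control in one deliberate way: it also treats allAuthenticatedUsers (any Google account, not just anonymous users) as public, which is a judgment made here rather than something the control asserts. It assumes the same `gcp_iam_policy` table and `bindings` column the control uses, and reads the binding's `role` key as defined by GCP's IAM policy format.

```sql
-- Added example, not the mod's own query: per-project public-binding report.
-- 'Public' here means allUsers or allAuthenticatedUsers (assumption made here).
with public_bindings as (
  select
    project,
    b ->> 'role' as role,
    m as member
  from
    gcp_iam_policy,
    jsonb_array_elements(bindings) as b,
    jsonb_array_elements_text(b -> 'members') as m
  where
    m in ('allUsers', 'allAuthenticatedUsers')
),
public_by_project as (
  -- Collapse to one row per project with the offending bindings listed.
  select
    project,
    count(*) as public_binding_count,
    string_agg(member || ' -> ' || role, ', ' order by member, role) as public_binding_list
  from
    public_bindings
  group by
    project
)
select
  a.project as resource,
  case
    when p.project is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.project is null then 'No public principals are bound in project IAM policy.'
    else format('%s public binding(s) in project IAM policy: %s.',
                p.public_binding_count, p.public_binding_list)
  end as reason,
  a.project as project
from
  gcp_iam_policy as a
  left join public_by_project as p on a.project = p.project
order by
  status desc, a.project;
```

Two caveats when reading the result: this table covers the project-level policy only, so public access granted directly on a bucket, a Cloud Function or a Pub/Sub topic will not appear here, and a binding to allAuthenticatedUsers is an alarm in this example by choice; drop it from the `in (...)` list if your policy distinguishes the two.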

Tags