Benchmark: IAM Policy Public Access
IAM Policy Public Access
Resources should not be publicly accessible through IAM policies as they could expose sensitive data to bad actors. This benchmark evaluates IAM policies across various GCP services to identify resources that are accessible to anyone on the internet.
IAM policies control who has what access to your GCP resources. When resources are made publicly accessible through IAM policies (by granting a role to `allUsers` or `allAuthenticatedUsers`), they become available to anyone on the internet, which poses significant security risks. This benchmark helps identify such public access so you can confirm it aligns with your security requirements.
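The check that each control in this benchmark performs, reduced to its core, is a scan of a resource's IAM policy bindings for the two public principals. The following Python script is an added example, not code from the mod or the Turbot project; it runs offline against a constructed sample policy in the `bindings`/`role`/`members` format that GCP's `getIamPolicy` returns, and reports a conditional binding as public as well, since a condition narrows but does not remove internet-wide access.

```python
import json

# Principals that make a binding reachable by anyone on the internet.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not a real resource): one unconditional public
# grant, one private grant, and one conditional public grant.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allAuthenticatedUsers", "group:readers@example.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ]
}
""")


def public_bindings(policy):
    """Return (role, member, is_conditional) for every public grant in the policy."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member, "condition" in binding))
    return findings


def evaluate(resource_name, policy):
    """Produce a control-style result: 'alarm' when public, otherwise 'ok'."""
    findings = public_bindings(policy)
    if not findings:
        return {"resource": resource_name, "status": "ok",
                "reason": f"{resource_name} is not publicly accessible."}
    grants = ", ".join(f"{member} as {role}" + (" (conditional)" if cond else "")
                       for role, member, cond in findings)
    return {"resource": resource_name, "status": "alarm",
            "reason": f"{resource_name} is publicly accessible: {grants}."}


if __name__ == "__main__":
    print(json.dumps(evaluate("sample-bucket", SAMPLE_POLICY), indent=2))
```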
Usage
Install the mod:
```sh
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-perimeter
```
Start the Powerpipe server:
```sh
steampipe service start
powerpipe server
```
Open http://localhost:9033 in your browser and select IAM Policy Public Access.
Run this benchmark in your terminal:
```sh
powerpipe benchmark run gcp_perimeter.benchmark.iam_policy_public_access
```
Snapshot and share results via Turbot Pipes:
```sh
powerpipe benchmark run gcp_perimeter.benchmark.iam_policy_public_access --share
```
Controls
- BigQuery dataset policies should prohibit public access
- Cloud Run service policies should prohibit public access
- Compute image policies should prohibit public access
- KMS key policies should prohibit public access
- Pub/Sub snapshot policies should prohibit public access
- Pub/Sub subscription policies should prohibit public access
- Pub/Sub topic policies should prohibit public access
- Storage bucket policies should prohibit public access