Control: Cloud Run service policies should prohibit public access

Description

This control checks whether Cloud Run service IAM policies allow public access through allUsers or allAuthenticatedUsers.

Usage

Run the control in your terminal:

powerpipe control run gcp_perimeter.control.cloud_run_service_policy_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_perimeter.control.cloud_run_service_policy_prohibit_public_access --share

Steampipe Tables

gcp_cloud_run_service

SQL

    with public_bindings as (
      select
        self_link,
        array_agg(distinct member) as public_members,
        count(*) as bindings_num
      from
        gcp_cloud_run_service,
        jsonb_array_elements(iam_policy -> 'bindings') as binding,
        jsonb_array_elements_text(binding -> 'members') as member
      where
        member in ('allUsers', 'allAuthenticatedUsers')
      group by
        self_link
    )
    select
      r.self_link as resource,
      case
        when (r.iam_policy -> 'bindings') is null then 'skip'
        when p.self_link is null then 'ok'
        else 'alarm'
      end as status,
      case
        when (r.iam_policy -> 'bindings') is null then title || ' does not have a defined IAM policy.'
        when p.self_link is null then title || ' policy does not allow public access.'
        else title || ' policy contains ' || coalesce(p.bindings_num, 0) ||
        ' binding(s) that allow public access: ' || array_to_string(p.public_members, ', ')
      end as reason
      
      , location, project
    from
      gcp_cloud_run_service as r
      left join public_bindings as p on p.self_link = r.self_link

Control: Cloud Run service policies should prohibit public access

Description

Usage

Steampipe Tables

SQL

Tags