turbot/steampipe-mod-gcp-perimeter

Control: Cloud Run service policies should prohibit public access

Description

This control checks whether Cloud Run service IAM policies allow public access through allUsers or allAuthenticatedUsers.

Usage

Run the control in your terminal:

powerpipe control run gcp_perimeter.control.cloud_run_service_policy_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_perimeter.control.cloud_run_service_policy_prohibit_public_access --share

Steampipe Tables

gcp_cloud_run_service

SQL

with public_bindings as (
  select
    self_link,
    array_agg(distinct member) as public_members,
    count(*) as bindings_num
  from
    gcp_cloud_run_service,
    jsonb_array_elements(iam_policy -> 'bindings') as binding,
    jsonb_array_elements_text(binding -> 'members') as member
  where
    member in ('allUsers', 'allAuthenticatedUsers')
  group by
    self_link
)
select
  r.self_link as resource,
  case
    when (r.iam_policy -> 'bindings') is null then 'skip'
    when p.self_link is null then 'ok'
    else 'alarm'
  end as status,
  case
    when (r.iam_policy -> 'bindings') is null then title || ' does not have a defined IAM policy.'
    when p.self_link is null then title || ' policy does not allow public access.'
    else title || ' policy contains ' || coalesce(p.bindings_num, 0) ||
      ' binding(s) that allow public access: ' || array_to_string(p.public_members, ', ')
  end as reason
  , location, project
from
  gcp_cloud_run_service as r
  left join public_bindings as p on p.self_link = r.self_link
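
The same skip/ok/alarm classification applied offline to a Cloud Run service IAM policy document, as an added Python example that is not part of the mod; the function name, the sample service titles and the sample policies are constructed here, and the count mirrors the SQL's count(*) over the unnested (binding, member) rows, so a binding listing both public principals counts twice.

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def evaluate_cloud_run_policy(title, iam_policy):
    """Classify one service's IAM policy the way the control's SQL does.

    Returns (status, reason):
      skip  - no 'bindings' key (or the policy itself is null)
      ok    - bindings exist but none grant to allUsers/allAuthenticatedUsers
      alarm - at least one binding grants to a public principal
    """
    bindings = (iam_policy or {}).get("bindings")
    if bindings is None:
        return "skip", f"{title} does not have a defined IAM policy."

    public_members = set()
    hits = 0  # one per (binding, public member) pair, like count(*) after the unnest
    for binding in bindings:
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                public_members.add(member)
                hits += 1

    if not public_members:
        return "ok", f"{title} policy does not allow public access."
    return "alarm", (f"{title} policy contains {hits} binding(s) that allow public access: "
                     + ", ".join(sorted(public_members)))


# Constructed sample policies (not real project data).
SAMPLE_POLICIES = {
    "svc-no-policy": {"etag": "constructed-etag"},
    "svc-internal": {"bindings": [
        {"role": "roles/run.invoker",
         "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]}]},
    "svc-public": {"bindings": [
        {"role": "roles/run.invoker", "members": ["allUsers"]},
        {"role": "roles/run.viewer",
         "members": ["allAuthenticatedUsers", "user:alice@example.com"]}]},
}

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        status, reason = evaluate_cloud_run_policy(name, policy)
        print(f"{status:5} {reason}")
```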

Tags