Control: Cloud Run service policies should prohibit public access
Description
This control checks whether Cloud Run service IAM policies allow public access through allUsers or allAuthenticatedUsers.
Usage
Run the control in your terminal:
powerpipe control run gcp_perimeter.control.cloud_run_service_policy_prohibit_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_perimeter.control.cloud_run_service_policy_prohibit_public_access --share
Steampipe Tables
gcp_cloud_run_service
SQL
with public_bindings as (
  select
    self_link,
    array_agg(distinct member) as public_members,
    count(*) as bindings_num
  from
    gcp_cloud_run_service,
    jsonb_array_elements(iam_policy -> 'bindings') as binding,
    jsonb_array_elements_text(binding -> 'members') as member
  where
    member in ('allUsers', 'allAuthenticatedUsers')
  group by
    self_link
)
select
  r.self_link as resource,
  case
    when (r.iam_policy -> 'bindings') is null then 'skip'
    when p.self_link is null then 'ok'
    else 'alarm'
  end as status,
  case
    when (r.iam_policy -> 'bindings') is null then title || ' does not have a defined IAM policy.'
    when p.self_link is null then title || ' policy does not allow public access.'
    else title || ' policy contains ' || coalesce(p.bindings_num, 0) || ' binding(s) that allow public access: ' || array_to_string(p.public_members, ', ')
  end as reason,
  location,
  project
from
  gcp_cloud_run_service as r
  left join public_bindings as p on p.self_link = r.self_link;
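The same skip/ok/alarm evaluation in Python, as an added example that is not part of the gcp_perimeter mod: it mirrors the query above over a constructed list of Cloud Run services (the service titles, members and `SAMPLE_SERVICES` are assumptions) so the decision logic can be checked offline without Steampipe.

```python
"""Evaluate Cloud Run service IAM policies for public access (added example)."""

# Member principals that make a binding public, as in the control's SQL.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def evaluate_service(service):
    """Return (status, reason) for one service dict with 'title' and 'iam_policy'."""
    title = service["title"]
    policy = service.get("iam_policy") or {}
    bindings = policy.get("bindings")
    # No 'bindings' key at all corresponds to (iam_policy -> 'bindings') is null.
    if bindings is None:
        return "skip", f"{title} does not have a defined IAM policy."
    # Unnest bindings -> members and keep every public (binding, member) pair,
    # which is what the SQL's count(*) counts after the double jsonb_array_elements.
    public = [m for b in bindings for m in b.get("members", []) if m in PUBLIC_MEMBERS]
    if not public:
        return "ok", f"{title} policy does not allow public access."
    distinct = sorted(set(public))  # array_agg(distinct member); sorted here for determinism
    return "alarm", (f"{title} policy contains {len(public)} binding(s) that allow "
                     f"public access: {', '.join(distinct)}")


# Constructed sample data, not real resources.
SAMPLE_SERVICES = [
    {"title": "api-private", "iam_policy": {"bindings": [
        {"role": "roles/run.invoker",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}]}},
    {"title": "web-public", "iam_policy": {"bindings": [
        {"role": "roles/run.invoker", "members": ["allUsers"]},
        {"role": "roles/run.invoker", "members": ["allAuthenticatedUsers", "user:dev@example.com"]}]}},
    {"title": "no-policy", "iam_policy": {}},
]


def run_control(services=SAMPLE_SERVICES):
    """Map each service title to its (status, reason) result."""
    return {s["title"]: evaluate_service(s) for s in services}


if __name__ == "__main__":
    for status, reason in run_control().values():
        print(f"{status:5} {reason}")
```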