Control: Compute image policies should prohibit public access
Description
This control checks whether the IAM policy attached to each Compute Engine image contains a binding whose members include allUsers (anyone on the internet, no authentication required) or allAuthenticatedUsers (any Google account). Either principal makes the image public, regardless of which role the binding grants.
Usage
Run the control in your terminal:
powerpipe control run gcp_perimeter.control.compute_image_policy_prohibit_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_perimeter.control.compute_image_policy_prohibit_public_access --share
Steampipe Tables
gcp_compute_image
SQL
-- Collect, per image, the public principals found in any IAM binding.
-- Note: bindings_num counts (binding, member) pairs, so a single binding that
-- lists both allUsers and allAuthenticatedUsers contributes 2.
with public_bindings as (
  select
    name,
    array_agg(distinct member) as public_members,
    count(*) as bindings_num
  from
    gcp_compute_image,
    jsonb_array_elements(iam_policy -> 'bindings') as binding,
    jsonb_array_elements_text(binding -> 'members') as member
  where
    member in ('allUsers', 'allAuthenticatedUsers')
  group by
    name
)
select
  r.name as resource,
  case
    -- no IAM policy / no bindings on the image: nothing to evaluate
    when (r.iam_policy -> 'bindings') is null then 'skip'
    -- image has bindings, none of them public
    when p.name is null then 'ok'
    else 'alarm'
  end as status,
  case
    when (r.iam_policy -> 'bindings') is null then r.title || ' does not have a defined IAM policy.'
    when p.name is null then r.title || ' policy does not allow public access.'
    else r.title || ' policy contains ' || coalesce(p.bindings_num, 0)
      || ' binding(s) that allow public access: ' || array_to_string(p.public_members, ', ')
  end as reason,
  r.location,
  r.project
from
  gcp_compute_image as r
  left join public_bindings as p on p.name = r.name;
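The control reports that an image is public but not which role was granted to the public principal, which is what you need to remediate. The query below is an added example, not part of the gcp_perimeter mod: it expands each public binding into one row per (image, role, member), surfaces any IAM condition attached to the binding (a conditional grant to allUsers is still public), and builds a suggested gcloud command. It assumes the same gcp_compute_image table and iam_policy JSON shape the control uses; the `role` and `condition` keys are the standard GCP IAM policy format, and the generated `gcloud compute images remove-iam-policy-binding` line is a hypothetical remediation hint to review before running.

```sql
-- Added example: enumerate public bindings on Compute images with their role,
-- so the exact binding to remove is visible. Not part of the original control.
select
  r.project,
  r.name as image,
  binding ->> 'role' as role,
  member,
  -- standard GCP IAM policy shape: an optional CEL condition on the binding;
  -- a conditional grant to allUsers is still a public grant.
  binding -> 'condition' ->> 'expression' as condition,
  -- hypothetical remediation hint (assumed gcloud syntax); verify before running
  format(
    'gcloud compute images remove-iam-policy-binding %s --project=%s --member=%s --role=%s',
    r.name, r.project, member, binding ->> 'role'
  ) as remediation
from
  gcp_compute_image as r,
  jsonb_array_elements(r.iam_policy -> 'bindings') as binding,
  jsonb_array_elements_text(binding -> 'members') as member
where
  member in ('allUsers', 'allAuthenticatedUsers')
order by
  r.project, r.name, role, member;
```

Run it in the same Steampipe session as the control (`steampipe query`); an empty result set means no image in the connected projects has a public binding. Rows with a non-null condition still need attention, since the condition only narrows when the grant applies, not to whom.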