Control: Pub/Sub subscription policies should prohibit public access

Description

This control checks whether Pub/Sub subscription policies allow public access through allUsers or allAuthenticatedUsers.

Usage

Run the control in your terminal:

powerpipe control run gcp_perimeter.control.pubsub_subscription_policy_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_perimeter.control.pubsub_subscription_policy_prohibit_public_access --share

Steampipe Tables

gcp_pubsub_subscription

SQL

    with public_bindings as (
      select
        name,
        array_agg(distinct member) as public_members,
        count(*) as bindings_num
      from
        gcp_pubsub_subscription,
        jsonb_array_elements(iam_policy -> 'bindings') as binding,
        jsonb_array_elements_text(binding -> 'members') as member
      where
        member in ('allUsers', 'allAuthenticatedUsers')
      group by
        name
    )
    select
      r.name as resource,
      case
        when (r.iam_policy -> 'bindings') is null then 'skip'
        when p.name is null then 'ok'
        else 'alarm'
      end as status,
      case
        when (r.iam_policy -> 'bindings') is null then title || ' does not have a defined IAM policy.'
        when p.name is null then title || ' policy does not allow public access.'
        else title || ' policy contains ' || coalesce(p.bindings_num, 0) ||
        ' binding(s) that allow public access: ' || array_to_string(p.public_members, ', ')
      end as reason
      
      , location, project
    from
      gcp_pubsub_subscription as r
      left join public_bindings as p on p.name = r.name

Control: Pub/Sub subscription policies should prohibit public access

Description

Usage

Steampipe Tables

SQL

Tags