turbot/steampipe-mod-gcp-perimeter

Control: Pub/Sub subscription policies should prohibit public access

Description

This control checks whether Pub/Sub subscription policies allow public access through allUsers or allAuthenticatedUsers.

Usage

Run the control in your terminal:

powerpipe control run gcp_perimeter.control.pubsub_subscription_policy_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_perimeter.control.pubsub_subscription_policy_prohibit_public_access --share

Steampipe Tables

gcp_pubsub_subscription

SQL

with public_bindings as (
  select
    name,
    array_agg(distinct member) as public_members,
    count(*) as bindings_num
  from
    gcp_pubsub_subscription,
    jsonb_array_elements(iam_policy -> 'bindings') as binding,
    jsonb_array_elements_text(binding -> 'members') as member
  where
    member in ('allUsers', 'allAuthenticatedUsers')
  group by
    name
)
select
  r.name as resource,
  case
    when (r.iam_policy -> 'bindings') is null then 'skip'
    when p.name is null then 'ok'
    else 'alarm'
  end as status,
  case
    when (r.iam_policy -> 'bindings') is null then title || ' does not have a defined IAM policy.'
    when p.name is null then title || ' policy does not allow public access.'
    else title || ' policy contains ' || coalesce(p.bindings_num, 0) ||
      ' binding(s) that allow public access: ' || array_to_string(p.public_members, ', ')
  end as reason
  , location, project
from
  gcp_pubsub_subscription as r
  left join public_bindings as p on p.name = r.name
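The query above classifies each subscription as skip, ok or alarm from the members in its IAM policy bindings. The Python below is an added example, not part of the mod, that applies the same classification to policy JSON outside Steampipe (for instance the output of gcloud pubsub subscriptions get-iam-policy, or a policy document captured in a ticket). The subscription names, etags and members are constructed sample data; the function names are the example's own. Like the SQL, it treats a policy with no bindings key as skip, an empty or non-public bindings list as ok, and counts public (binding, member) pairs the way the query's count(*) does.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# The two IAM principals that grant access to everyone (or every Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


@dataclass
class Finding:
    resource: str
    status: str   # "skip" | "ok" | "alarm", mirroring the control's status column
    reason: str


def evaluate_subscription(name: str, iam_policy: Optional[Dict[str, Any]]) -> Finding:
    """Classify one subscription's IAM policy with the same rules as the control's SQL."""
    bindings = (iam_policy or {}).get("bindings")
    if bindings is None:
        # iam_policy -> 'bindings' is null in the query: nothing to evaluate.
        return Finding(name, "skip", f"{name} does not have a defined IAM policy.")

    public_members = set()      # distinct public principals, like array_agg(distinct member)
    public_pairs = 0            # matching (binding, member) rows, like count(*) in the CTE
    for binding in bindings:
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                public_members.add(member)
                public_pairs += 1

    if not public_members:
        return Finding(name, "ok", f"{name} policy does not allow public access.")
    return Finding(
        name,
        "alarm",
        f"{name} policy contains {public_pairs} binding(s) that allow public access: "
        + ", ".join(sorted(public_members)),
    )


def evaluate_policy_json(name: str, policy_text: str) -> Finding:
    """Convenience wrapper for a policy document held as a JSON string."""
    return evaluate_subscription(name, json.loads(policy_text))


def run_control(subscriptions: Dict[str, Optional[Dict[str, Any]]]) -> List[Finding]:
    """Evaluate a mapping of subscription name -> IAM policy dict (or None)."""
    return [evaluate_subscription(name, policy) for name, policy in subscriptions.items()]


# Constructed sample data: three subscriptions in a hypothetical project.
SAMPLE_SUBSCRIPTIONS: Dict[str, Optional[Dict[str, Any]]] = {
    "projects/example-project/subscriptions/orders-sub": {
        "bindings": [
            {"role": "roles/pubsub.subscriber", "members": ["allUsers"]},
            {"role": "roles/pubsub.viewer",
             "members": ["user:alice@example.com", "allAuthenticatedUsers"]},
        ],
        "etag": "constructed-etag-1",
    },
    "projects/example-project/subscriptions/billing-sub": {
        "bindings": [
            {"role": "roles/pubsub.subscriber",
             "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
        ],
        "etag": "constructed-etag-2",
    },
    # No bindings at all: the query reports this as 'skip'.
    "projects/example-project/subscriptions/empty-sub": {"etag": "constructed-etag-3"},
}


if __name__ == "__main__":
    for finding in run_control(SAMPLE_SUBSCRIPTIONS):
        print(f"{finding.status:5}  {finding.reason}")
```

Run it as a script to see one line per subscription in the same status/reason shape the control emits; orders-sub is the only alarm, and its reason lists both public principals with a count of 2 because the query counts each public member in each binding.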

Tags