access_context_manager_access_level_deletedaccess_context_manager_policy_deletedactivity_dashboard_logs_by_actoractivity_dashboard_logs_by_eventactivity_dashboard_logs_by_projectactivity_dashboard_logs_by_serviceactivity_dashboard_logs_by_source_ipactivity_dashboard_logs_by_typeactivity_dashboard_total_logsapigee_security_action_disabledapp_engine_firewall_ingress_rule_createdapp_engine_firewall_ingress_rule_deletedapp_engine_firewall_ingress_rule_updatedartifact_registry_package_deletedartifact_registry_repository_deletedcloud_run_function_deletedcompute_disk_iam_policy_setcompute_firewall_rule_deletedcompute_image_iam_policy_setcompute_instance_with_public_network_interfacecompute_snapshot_iam_policy_setcompute_subnetwork_flow_logs_disabledcompute_vpn_tunnel_deleteddlp_reidentify_contentdns_managed_zone_deleteddns_managed_zone_updateddns_record_set_deleteddns_record_set_updatediam_organization_policy_updatediam_owner_role_policy_setiam_service_account_access_token_generatediam_service_account_creatediam_service_account_deletediam_service_account_disablediam_service_account_key_creatediam_service_account_key_deletediam_service_account_token_creator_role_assignedlogging_bucket_deletedlogging_sink_deletedmonitoring_alert_policy_deletedmonitoring_metric_descriptor_deletedresource_manager_iam_policy_setsecurity_command_center_notification_config_deletedsql_ssl_certificate_deletedsql_user_deletedstorage_bucket_iam_permission_granted_public_accessstorage_bucket_iam_permission_set
Query: storage_bucket_iam_permission_granted_public_access
Usage
powerpipe query gcp_audit_log_detections.query.storage_bucket_iam_permission_granted_public_accessTailpipe Tables
SQL
with policy as( select *, unnest(from_json((service_data -> 'policyDelta' -> 'bindingDeltas'), '["JSON"]')) as bindings from gcp_audit_log where method_name ilike 'storage.setiampermissions')select tp_timestamp as timestamp,method_name as operation,resource_name as resource,authentication_info.principal_email as actor,tp_source_ip as source_ip,tp_index as project,tp_id as source_id,-- Create new aliases to preserve original row data*
from policywhere (bindings ->> 'member') = 'allUsers' and severity != 'Error'-- TODO: Do we need to check operation?-- and (operation_src is null or operation_src.last = true)
order by timestamp desc;
Detections
The query is being used by the following detections: