artifact_registry_repository_encrypted_with_kms_cmkartifact_registry_repository_not_publicly_accessiblebigquery_dataset_encrypted_with_cmkbigquery_dataset_not_publicly_accessiblebigquery_table_deletion_protection_enabledbigquery_table_encrypted_with_cmkbigquery_table_not_publicly_accessiblebigtable_instance_deletion_protection_enabledbigtable_instance_encrypted_with_kms_cmkcloudbuild_workers_use_private_ipcloudfunction_not_publicly_accessiblecloudrun_not_publicly_accessiblecompute_disk_encrypted_with_cskcompute_firewall_allow_ftp_port_20_ingresscompute_firewall_allow_ftp_port_21_ingresscompute_firewall_allow_http_port_80_ingresscompute_firewall_allow_mysql_port_3306_ingresscompute_firewall_allow_rdp_port_3389_ingresscompute_firewall_allow_ssh_port_22_ingresscompute_instance_block_project_wide_ssh_enabledcompute_instance_boot_disk_encryption_enabledcompute_instance_confidential_computing_enabledcompute_instance_ip_forwarding_disabledcompute_instance_oslogin_enabledcompute_instance_serial_port_connection_disabledcompute_instance_shielded_vm_enabledcompute_instance_with_no_default_service_accountcompute_instance_with_no_default_service_account_with_full_accesscompute_instance_with_no_public_ip_addressescompute_network_contains_no_default_networkcompute_network_contains_no_legacy_networkcompute_security_policy_prevent_message_lookupcompute_subnetwork_flow_log_enabledcompute_subnetwork_private_ip_google_accesscompute_subnetwork_private_ipv6_google_accessdataflow_encrypted_with_kms_cmkdataflow_job_not_publicly_accessibledatafusion_instance_not_publicly_accessibledatafusion_instance_stackdriver_logging_enableddatafusion_instance_stackdriver_monitoring_enableddataproc_cluster_encrypted_with_kms_cmkdataproc_cluster_not_publicly_accessibledataproc_cluster_public_ip_disableddns_managed_zone_dnssec_enableddns_managed_zone_key_signing_not_using_rsasha1dns_managed_zone_zone_signing_not_using_rsasha1iam_folder_impersonation_roleiam_folder_use_basic_roleiam_folder_use_default_service_roleiam_organization_impersonation_roleiam_organization_use_basic_roleiam_organization_use_default_service_roleiam_project_impersonation_roleiam_project_no_service_account_token_creator_roleiam_project_use_basic_roleiam_project_use_default_service_roleiam_service_account_gcp_managed_keyiam_service_account_no_admin_priviledgeiam_workload_identity_restrictedkms_key_not_publicly_accessiblekms_key_prevent_destroy_enabledkms_key_rotated_within_100_daykms_key_rotated_within_90_daykubernetes_cluster_alias_ip_range_enabledkubernetes_cluster_authenticator_group_configuredkubernetes_cluster_auto_repair_enabledkubernetes_cluster_auto_upgrade_enabledkubernetes_cluster_binary_auth_enabledkubernetes_cluster_client_certificate_authentication_disabledkubernetes_cluster_control_plane_restrict_public_accesskubernetes_cluster_cos_node_imagekubernetes_cluster_intranodal_visibility_enabledkubernetes_cluster_legacy_abac_enabledkubernetes_cluster_legacy_endpoints_disabledkubernetes_cluster_master_authorized_network_enabledkubernetes_cluster_metadata_server_enabledkubernetes_cluster_network_policy_installedkubernetes_cluster_no_cluster_level_node_poolkubernetes_cluster_node_config_image_cos_containerdkubernetes_cluster_private_cluster_config_enabledkubernetes_cluster_release_channel_configuredkubernetes_cluster_resource_label_configuredkubernetes_cluster_shielded_node_integrity_monitoring_enabledkubernetes_cluster_shielded_node_secure_boot_enabledkubernetes_cluster_shielded_nodes_enabledkubernetes_cluster_stackdriver_logging_enabledkubernetes_cluster_stackdriver_monitoring_enabledlogging_bucket_retention_policy_enabledpubsub_topic_encrypted_with_kms_cmkpubsub_topic_repository_not_publicly_accessibleredis_instance_auth_enabledredis_instance_encryption_in_transit_enabledspanner_database_deletion_protection_enabledspanner_database_drop_protection_enabledspanner_database_encrypted_with_kms_cmksql_instance_automated_backups_enabledsql_instance_mysql_local_infile_database_flag_offsql_instance_mysql_skip_show_database_flag_onsql_instance_postgresql_log_checkpoints_database_flag_onsql_instance_postgresql_log_connections_database_flag_onsql_instance_postgresql_log_disconnections_database_flag_onsql_instance_postgresql_log_duration_database_flag_onsql_instance_postgresql_log_executor_stats_database_flag_offsql_instance_postgresql_log_hostname_database_flag_configuredsql_instance_postgresql_log_lock_waits_database_flag_onsql_instance_postgresql_log_min_duration_statement_database_flag_disabledsql_instance_postgresql_log_min_error_statement_flag_setsql_instance_postgresql_log_min_messages_flag_setsql_instance_postgresql_log_parser_stats_database_flag_offsql_instance_postgresql_log_planner_stats_database_flag_offsql_instance_postgresql_log_statement_flag_setsql_instance_postgresql_log_statement_stats_database_flag_offsql_instance_postgresql_log_temp_files_database_flag_0sql_instance_postgresql_pgaudit_database_flag_onsql_instance_publicly_accessiblesql_instance_require_ssl_enabledsql_instance_sql_3625_trace_database_flag_offsql_instance_sql_contained_database_authentication_database_flag_offsql_instance_sql_cross_db_ownership_chaining_database_flag_offsql_instance_sql_external_scripts_enabled_database_flag_offsql_instance_sql_remote_access_database_flag_offsql_instance_sql_user_options_database_flag_not_configuredsql_instance_sql_with_no_public_ipsql_instance_using_latest_major_database_versionstorage_bucket_logging_enabledstorage_bucket_not_publicly_accessiblestorage_bucket_public_access_prevention_enforcedstorage_bucket_self_logging_disabledstorage_bucket_uniform_access_enabledstorage_bucket_versioning_enabledvertex_ai_dataset_encrypted_with_cmkvertex_ai_notebook_instance_restrict_public_access
Query: iam_organization_impersonation_role
Usage
powerpipe query terraform_gcp_compliance.query.iam_organization_impersonation_role
Steampipe Tables
SQL
select address as resource, case when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/iam.securityAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountKeyAdmin', 'roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator', 'roles/iam.workloadIdentityUser', 'roles/dataproc.editor', 'roles/dataproc.admin', 'roles/dataflow.developer', 'roles/resourcemanager.folderAdmin', 'roles/resourcemanager.folderIamAdmin', 'roles/resourcemanager.projectIamAdmin', 'roles/resourcemanager.organizationAdmin', 'roles/serverless.serviceAgent', 'roles/dataproc.serviceAgent']) then 'alarm' else 'ok' end status, split_part(address, '.', 2) || case when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/iam.securityAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountKeyAdmin', 'roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator', 'roles/iam.workloadIdentityUser', 'roles/dataproc.editor', 'roles/dataproc.admin', 'roles/dataflow.developer', 'roles/resourcemanager.folderAdmin', 'roles/resourcemanager.folderIamAdmin', 'roles/resourcemanager.projectIamAdmin', 'roles/resourcemanager.organizationAdmin', 'roles/serverless.serviceAgent', 'roles/dataproc.serviceAgent']) then ' impersonates or manages Service Accounts' else ' does not impersonate or manage Service Accounts' end || '.' reason , path || ':' || start_linefrom terraform_resourcewhere type in ('google_organization_iam_member', 'google_organization_iam_binding');
Controls
The query is being used by the following controls: