
* Add check for security standard mismatch * Fix security standard mismatches * Fix Resources/Standards links for secrets rules * Fix check * Fix links and update security standard mapping * Fix maintainability issue * Apply review suggestions * Apply suggestions from code review Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> * Fix typo Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
Granting highly privileged resource rights to users or groups can reduce an
organization's ability to protect against account or service theft. It prevents
proper segregation of duties and creates potentially critical attack vectors on
affected resources.

If elevated access rights are abused or compromised, both the data that the
affected resources work with and their access tracking are at risk.

== Ask Yourself Whether

* This GCP resource is essential to the information system infrastructure.
* This GCP resource is essential to mission-critical functions.
* Compliance policies require that administrative privileges for this resource be limited to a small group of individuals.

There is a risk if you answered yes to any of these questions.

== Recommended Secure Coding Practices

Grant IAM policies or members a less permissive role: in most cases, granting
them read-only privileges is sufficient.

Separate tasks by creating multiple roles that do not use a full-access role
for day-to-day work.

If the predefined GCP roles do not include the specific permissions you need,
create https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role[custom IAM roles].

== Sensitive Code Example

For an IAM policy setup:

[source,terraform]
----
data "google_iam_policy" "admin" {
  binding {
    role = "roles/run.admin" # Sensitive
    members = [
      "user:name@example.com",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "policy" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}
----

For an IAM policy binding:

[source,terraform]
----
resource "google_cloud_run_service_iam_binding" "example" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/run.admin" # Sensitive
  members = [
    "user:name@example.com",
  ]
}
----

For adding a member to a policy:

[source,terraform]
----
resource "google_cloud_run_service_iam_member" "example" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/run.admin" # Sensitive
  member   = "user:name@example.com"
}
----

== Compliant Solution

For an IAM policy setup:

[source,terraform]
----
data "google_iam_policy" "admin" {
  binding {
    role = "roles/viewer"
    members = [
      "user:name@example.com",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "example" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}
----

For an IAM policy binding:

[source,terraform]
----
resource "google_cloud_run_service_iam_binding" "example" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/viewer"
  members = [
    "user:name@example.com",
  ]
}
----

For adding a member to a policy:

[source,terraform]
----
resource "google_cloud_run_service_iam_member" "example" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/viewer"
  member   = "user:name@example.com"
}
----

== See

* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* For a policy: Make sure it is safe to give all future members full access to this resource.
* For a binding: Make sure it is safe to give those members full access to the resource.
* For a member add: Make sure it is safe to grant that member full access to the resource.
* For the rest: Make sure it is safe to grant full access to the resource.

=== Highlighting

Highlight the full role assignment. In lists, highlight the non-compliant item.

endif::env-github,rspecator-view[]
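The check this rule describes can be reproduced outside the analyzer, which is useful for a pre-commit hook or for verifying a fix. The script below is an added example and is not SonarSource's implementation: it is a small, regex-based scanner for the three Cloud Run IAM resource types shown above, following the data `google_iam_policy` reference for the policy case and emitting the per-shape messages from the Message section, with the line of the `role` assignment as the highlighted location. It assumes well-formed HCL without braces inside strings or comments, treats only `roles/run.admin` (the role used in the examples) as a full-access role, and uses a constructed Terraform snippet as input; the brace-matching parser, the `SENSITIVE_ROLES` set and the `Finding` type are this example's own.

```python
import re
from dataclasses import dataclass

# Full-access roles to flag. Only the role from the rule's examples is listed;
# extending this set is a local policy decision (assumption of this example).
SENSITIVE_ROLES = {"roles/run.admin"}

# Cloud Run IAM resource types from the rule, mapped to the message "shape".
CLOUD_RUN_IAM_RESOURCES = {
    "google_cloud_run_service_iam_policy": "policy",
    "google_cloud_run_service_iam_binding": "binding",
    "google_cloud_run_service_iam_member": "member",
}

# Messages taken from the rule's Message section.
MESSAGES = {
    "policy": "Make sure it is safe to give all future members full access to this resource.",
    "binding": "Make sure it is safe to give those members full access to the resource.",
    "member": "Make sure it is safe to grant that member full access to the resource.",
    "other": "Make sure it is safe to grant full access to the resource.",
}

BLOCK_HEADER = re.compile(r'^[ \t]*(resource|data)[ \t]+"([^"]+)"[ \t]+"([^"]+)"[ \t]*\{', re.MULTILINE)
ROLE_ATTR = re.compile(r'^[ \t]*role[ \t]*=[ \t]*"([^"]+)"', re.MULTILINE)
POLICY_DATA_REF = re.compile(r'policy_data[ \t]*=[ \t]*data\.google_iam_policy\.(\w+)\.policy_data')


@dataclass
class Block:
    kind: str        # "resource" or "data"
    type_: str       # e.g. google_cloud_run_service_iam_binding
    name: str
    body: str        # text between the outer braces
    body_offset: int # offset of body within the full source, for line numbers


@dataclass
class Finding:
    line: int
    role: str
    message: str


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def parse_blocks(text: str) -> list[Block]:
    """Split top-level resource/data blocks by matching braces (strings and
    comments are not tokenised; this is an assumption of the example)."""
    blocks = []
    for m in BLOCK_HEADER.finditer(text):
        start, depth, i = m.end(), 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append(Block(m.group(1), m.group(2), m.group(3), text[start:i - 1], start))
    return blocks


def check(text: str) -> list[Finding]:
    """Report full-access role grants on Cloud Run services."""
    blocks = parse_blocks(text)
    # Roles granted by each data "google_iam_policy" document, keyed by name.
    policy_roles: dict[str, list[tuple[int, str]]] = {}
    for b in blocks:
        if b.kind == "data" and b.type_ == "google_iam_policy":
            policy_roles[b.name] = [
                (_line_of(text, b.body_offset + rm.start()), rm.group(1))
                for rm in ROLE_ATTR.finditer(b.body)
            ]
    findings = []
    for b in blocks:
        if b.kind != "resource" or b.type_ not in CLOUD_RUN_IAM_RESOURCES:
            continue
        shape = CLOUD_RUN_IAM_RESOURCES[b.type_]
        message = MESSAGES.get(shape, MESSAGES["other"])
        if shape == "policy":
            # The role lives in the referenced policy document, so the finding
            # is highlighted on that document's role assignment.
            ref = POLICY_DATA_REF.search(b.body)
            for line, role in policy_roles.get(ref.group(1), []) if ref else []:
                if role in SENSITIVE_ROLES:
                    findings.append(Finding(line, role, message))
        else:
            for rm in ROLE_ATTR.finditer(b.body):
                if rm.group(1) in SENSITIVE_ROLES:
                    findings.append(Finding(_line_of(text, b.body_offset + rm.start()), rm.group(1), message))
    return findings


# Constructed input: a sensitive policy document and binding, plus a compliant member grant.
SAMPLE_TF = """\
data "google_iam_policy" "admin" {
  binding {
    role = "roles/run.admin"
    members = ["user:name@example.com"]
  }
}

resource "google_cloud_run_service_iam_policy" "policy" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}

resource "google_cloud_run_service_iam_binding" "example" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/run.admin"
  members  = ["user:name@example.com"]
}

resource "google_cloud_run_service_iam_member" "example" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/viewer"
  member   = "user:name@example.com"
}
"""

if __name__ == "__main__":
    for f in check(SAMPLE_TF):
        print(f"line {f.line}: {f.role}: {f.message}")
```

Run as-is, the script reports the role assignment on line 3 (through the `google_cloud_run_service_iam_policy` reference) and on line 19 of the constructed snippet, and nothing for the `roles/viewer` member grant; the policy case is deliberately resolved through the `policy_data` reference rather than flagging every `google_iam_policy` document, since a document not attached to a Cloud Run service is outside this rule.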