Create rule S6406[terraform]: Excessive Granting Of GCP IAM Permissions Is Security-Sensitive (#724) * Create rule S6406 * first draft * draft part2 * user-friendly draft v3 * light fix * add link * fix snippets columns * final draft * add metadata - 15min time because it's long * Light -> Lightweight * modern->sophisticated * fix punctuation * suggestion for snippets * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6406/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6406/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc * Update rules/S6406/terraform/rule.adoc Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup 
<49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-02-18 16:26:42 +00:00
Granting excessive GCP IAM permissions lets an attacker who compromises a
principal (a user or a service account) misuse an organization's cloud resources.
To limit improper creation or deletion of resources after an account is
compromised, two proactive measures are acting on GCP Security Insights and role
recommendations, and ensuring custom roles contain as few privileges as possible.
After gaining a foothold in the target infrastructure, sophisticated attacks
typically consist of two major parts. +
First, attackers must deploy new resources to carry out their malicious intent.
To guard against this, operations teams must control what unexpectedly appears
in the infrastructure, such as what is:
* added
* written
* updated
* started
* appended
* applied
* accessed.
Once the malicious intent is executed, attackers must avoid detection at all
costs. +
To counter attackers' attempts to remove their fingerprints, operations teams
must control what unexpectedly disappears from the infrastructure, such as what
is:
* stopped
* disabled
* canceled
* deleted
* destroyed
* detached
* disconnected
* suspended
* rejected
* removed.
For operations teams to be resilient in this scenario, their organization must
apply both:
* Detection security: log these actions to better detect malicious actions.
* Preventive security: review and limit granted permissions.
This rule raises an issue when a custom role grants more sensitive permissions
(read-write or destructive permissions) than a configurable threshold
(``max``, 5 by default).
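The check the rule describes, as an added example that is not part of the original rule text or of SonarSource's analyzer: a small Python script that pulls the permissions list out of each ``google_project_iam_custom_role`` block, classifies every permission by the verb in its last dotted segment using the two lists above (plus ``set``, because the rule's own example treats ``setIamPolicy`` as sensitive; that verb mapping is an assumption of this example), and flags a role whose count exceeds a ``max`` of 5. The Terraform input is constructed inline, and the HCL handling is deliberately minimal (line comments are stripped and quoted strings inside ``permissions = [...]`` are collected).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input (not from any real project): the two custom roles
# from the rule text, with the role_id and title the Google provider requires.
SAMPLE_TF = '''
resource "google_project_iam_custom_role" "sensitive" {
  role_id     = "runOperatorWide"
  title       = "Run operator (too broad)"
  permissions = [
    "resourcemanager.projects.create",
    "resourcemanager.projects.delete",   # destructive
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "run.services.create",
    "run.services.delete",
    "run.services.get",
    "run.services.getIamPolicy",
    "run.services.setIamPolicy",
    "run.services.list",
    "run.services.update",
  ]
}

resource "google_project_iam_custom_role" "compliant" {
  role_id     = "runOperator"
  title       = "Run operator"
  permissions = [
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "run.services.create",
    "run.services.delete",
    "run.services.get",
    "run.services.getIamPolicy",
    "run.services.list",
    "run.services.update",
  ]
}
'''

# Verb prefixes derived from the two lists in the rule text, in the imperative
# form GCP permission names use. "set" is added because the rule's example marks
# run.services.setIamPolicy as sensitive. This mapping is an assumption of this
# example, not SonarSource's implementation.
READ_WRITE_VERBS = ("create", "write", "update", "start", "append", "apply", "access", "set")
DESTRUCTIVE_VERBS = ("stop", "disable", "cancel", "delete", "destroy", "detach",
                     "disconnect", "suspend", "reject", "remove")

ROLE_RE = re.compile(
    r'resource\s+"google_project_iam_custom_role"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
PERMS_RE = re.compile(r'permissions\s*=\s*\[(.*?)\]', re.S)
COMMENT_RE = re.compile(r'#[^\n]*')


def classify(permission: str) -> Optional[str]:
    """Return "destructive", "read-write", or None for a permission name such as
    "run.services.delete"; the verb is the last dotted segment."""
    verb = permission.rsplit(".", 1)[-1].lower()
    if verb.startswith(DESTRUCTIVE_VERBS):
        return "destructive"
    if verb.startswith(READ_WRITE_VERBS):
        return "read-write"
    return None


def extract_roles(tf: str) -> Dict[str, List[str]]:
    """Map each custom role's Terraform name to the permissions it grants."""
    roles: Dict[str, List[str]] = {}
    for match in ROLE_RE.finditer(tf):
        name, body = match.group(1), COMMENT_RE.sub("", match.group(2))
        perms_match = PERMS_RE.search(body)
        roles[name] = re.findall(r'"([^"]+)"', perms_match.group(1)) if perms_match else []
    return roles


@dataclass
class RoleFinding:
    role_name: str
    sensitive: List[str]  # permissions classified read-write or destructive
    limit: int

    @property
    def exceeds(self) -> bool:
        # The rule raises only when the count is strictly greater than max.
        return len(self.sensitive) > self.limit


def check_roles(tf: str, limit: int = 5) -> Dict[str, RoleFinding]:
    """Apply the rule to every custom role found in the Terraform text."""
    return {
        name: RoleFinding(name, [p for p in perms if classify(p)], limit)
        for name, perms in extract_roles(tf).items()
    }


if __name__ == "__main__":
    for finding in check_roles(SAMPLE_TF).values():
        status = "ISSUE" if finding.exceeds else "ok"
        print(f"{status:5} {finding.role_name}: {len(finding.sensitive)} sensitive "
              f"(max {finding.limit}): {', '.join(finding.sensitive)}")
```

Run on the sample, the ``sensitive`` role counts six sensitive permissions (two ``create``, two ``delete``, ``setIamPolicy``, ``update``) and is flagged; the ``compliant`` role counts three and passes. Prefix matching on the verb is what keeps ``getIamPolicy`` on the read-only side while ``setIamPolicy`` is counted.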
== Ask Yourself Whether
* This custom role will be mostly used for read-only purposes.
* Compliance policies require read-only access.
There is a risk if you answered yes to any of these questions.
== Recommended Secure Coding Practices
To reduce the risks associated with this role after a compromise:
* Reduce the list of permissions to grant only those that are actually needed.
* Favor read-only over read-write.
== Sensitive Code Example
This custom role grants 6 sensitive permissions, more than the default threshold of 5:
[source,terraform]
----
resource "google_project_iam_custom_role" "example" {
  role_id     = "exampleRole"   # required by the provider, along with title
  title       = "Example role"
  permissions = [ # Sensitive
    "resourcemanager.projects.create", # Sensitive permission
    "resourcemanager.projects.delete", # Sensitive permission
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "run.services.create", # Sensitive permission
    "run.services.delete", # Sensitive permission
    "run.services.get",
    "run.services.getIamPolicy",
    "run.services.setIamPolicy", # Sensitive permission
    "run.services.list",
    "run.services.update", # Sensitive permission
  ]
}
----
== Compliant Solution
This custom role grants only 3 sensitive permissions (``create``, ``delete``, ``update``), within the default threshold of 5:
[source,terraform]
----
resource "google_project_iam_custom_role" "example" {
  role_id     = "exampleRole"   # required by the provider, along with title
  title       = "Example role"
  permissions = [
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "run.services.create",
    "run.services.delete",
    "run.services.get",
    "run.services.getIamPolicy",
    "run.services.list",
    "run.services.update",
  ]
}
----
== See
* https://cloud.google.com/iam/docs/recommender-overview[GCP Docs] - Enforce least privilege with role recommendations
* https://cloud.google.com/iam/docs/manage-policy-insights[GCP Docs] - Security Insights
* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Primary Message: This role grants more than ``max`` sensitive permissions. Make sure they are all required.
* Secondary Message: Sensitive permission: read-write or destructive
=== Parameters
.max
****
----
5
----
Maximum number of sensitive permissions a custom role may grant before an issue is raised.
****
=== Highlighting
Highlight the sensitive list item.
endif::env-github,rspecator-view[]