GCP Dataproc clusters are anonymously or publicly accessible
Description
This policy identifies Dataproc clusters whose IAM policy grants a role to **allUsers** (anyone on the internet, no authentication required) or **allAuthenticatedUsers** (anyone holding any Google account, not just accounts in your organization). Either binding exposes the cluster, and the jobs and data it handles, to parties outside your control. In Terraform this is a `google_dataproc_cluster_iam_binding` or `google_dataproc_cluster_iam_member` whose members include one of those two principals. Cluster roles should be granted only to specific users, groups or service accounts.
Remediation
**GCP Console**
To remove anonymous or public access for Dataproc clusters:
1. Log in to the GCP Console at https://console.cloud.google.com.
2. Navigate to https://console.cloud.google.com/dataproc/clusters [Clusters].
3. Select the target **Dataproc cluster**.
4. Expand the Info Panel by selecting **Show Info Panel**.
5. To remove a specific role assignment, select **allUsers** or **allAuthenticatedUsers**, and then click **Remove member**.
**CLI Command**
To remove access for **allUsers** and **allAuthenticatedUsers**, first retrieve the Dataproc cluster's existing IAM policy and save it to a local file. Dataproc clusters are regional, so pass `--region` (or set a default with `gcloud config set dataproc/region REGION`):
```shell
gcloud dataproc clusters get-iam-policy CLUSTER-ID \
    --region REGION \
    --format json > policy.json
```
Edit `policy.json` to delete `allUsers` and `allAuthenticatedUsers` from every `members` list (drop any binding that becomes empty), then apply the edited policy with `gcloud dataproc clusters set-iam-policy CLUSTER-ID policy.json --region REGION`. Re-run `get-iam-policy` afterwards to confirm neither principal remains.
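The edit step above is easy to get wrong by hand (a binding left with an empty `members` list is rejected by the IAM API, and dropping the `etag` disables the concurrency check that `set-iam-policy` relies on). The following script, an added example that is not part of the original rule page or of any Google tooling, reads the JSON produced by `gcloud dataproc clusters get-iam-policy ... --format json`, reports every public principal it finds, and writes a cleaned policy. The sample policy, role names, principal names and etag value embedded in it are constructed for illustration.

```python
"""Find and strip public principals from a Dataproc cluster IAM policy.

Added example for the remediation above; not part of the original page.
Input is the JSON written by
  gcloud dataproc clusters get-iam-policy CLUSTER-ID --region REGION --format json
and the output is a policy suitable for
  gcloud dataproc clusters set-iam-policy CLUSTER-ID fixed-policy.json --region REGION
"""
import json
import sys

# The two principals that make a binding anonymous (allUsers) or open to
# every Google account (allAuthenticatedUsers).
PUBLIC_MEMBERS = frozenset({"allUsers", "allAuthenticatedUsers"})


def public_bindings(policy):
    """Return [(role, member), ...] for every public principal in the policy."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def strip_public_members(policy):
    """Return a new policy dict with public principals removed.

    Bindings that end up with no members are dropped entirely, because the
    IAM API rejects empty bindings. Every other top-level field (etag,
    version, ...) is copied unchanged so set-iam-policy can still detect a
    concurrent modification via the etag. The input is not mutated.
    """
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            bindings.append({**binding, "members": members})
    cleaned["bindings"] = bindings
    return cleaned


# Constructed sample of what get-iam-policy returns for a non-compliant
# cluster. Roles, principals and the etag are illustrative values only.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/dataproc.viewer",
         "members": ["allUsers", "user:alice@example.com"]},
        {"role": "roles/dataproc.editor",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/dataproc.admin",
         "members": ["group:data-eng@example.com"]},
    ],
    "etag": "BwXZexample=",
    "version": 1,
}


def main(argv):
    """Usage: python fix_dataproc_iam.py [policy.json [fixed-policy.json]]

    With no arguments the constructed SAMPLE_POLICY is processed and the
    cleaned policy is printed to stdout.
    """
    if len(argv) >= 2:
        with open(argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY

    for role, member in public_bindings(policy):
        print(f"FINDING: {member} is granted {role}")

    fixed = strip_public_members(policy)
    if len(argv) >= 3:
        with open(argv[2], "w") as fh:
            json.dump(fixed, fh, indent=2)
        print(f"wrote cleaned policy to {argv[2]}")
    else:
        print(json.dumps(fixed, indent=2))
    return fixed


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python fix_dataproc_iam.py policy.json fixed-policy.json`, review the `FINDING` lines, then apply the result with `gcloud dataproc clusters set-iam-policy CLUSTER-ID fixed-policy.json --region REGION`. Because the script never touches the `etag`, the `set-iam-policy` call will fail rather than silently overwrite a policy someone else changed between your `get` and `set`; in that case repeat the get/fix/set cycle.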
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0956 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_GCP_98 |