GCP Cloud Function is publicly accessible
Description
This policy checks that Cloud Functions are not exposed publicly. It falls under the category of Application Security. The rationale behind this check is that granting access to the public principals makes the function reachable by anyone, which exposes it to unauthorized invocation. That can lead to misuse or exploitation of the function, disruption of services, data breaches, or other security incidents. Only explicitly authorized identities should be able to invoke these functions.
Code Example
```hcl
# Failing example: the binding grants the role to "allUsers", i.e. to anyone on the internet.
# The function google_cloudfunctions_function.pikey is assumed to be defined elsewhere.
resource "google_cloudfunctions_function_iam_binding" "fail" {
  project        = google_cloudfunctions_function.pikey.project
  region         = google_cloudfunctions_function.pikey.region
  cloud_function = google_cloudfunctions_function.pikey.name
  role           = "roles/viewer"
  members = [
    "allUsers",
  ]
}
```
Remediation
Terraform
- Resource: "google_cloudfunctions_function_iam_member", "google_cloudfunctions_function_iam_binding", "google_cloudfunctions2_function_iam_member", "google_cloudfunctions2_function_iam_binding"
- Arguments: member, members
To fix this issue, remove the public principals from the member or members arguments and grant the role only to the specific service accounts or users that need to invoke the function.
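The remediated form of the page's failing binding, as an added example (not the policy's own code): the role is granted to a named service account instead of "allUsers". The service account google_service_account.caller is assumed; the function google_cloudfunctions_function.pikey is the one referenced above and is assumed to be defined elsewhere.

```hcl
# Assumed caller identity: the only principal that should invoke the function.
resource "google_service_account" "caller" {
  account_id   = "pikey-caller"
  display_name = "Service account allowed to invoke pikey"
}

# Passing example: a per-member grant scoped to one service account.
# Neither "allUsers" nor "allAuthenticatedUsers" (any Google account, so
# effectively public as well) appears as a member.
resource "google_cloudfunctions_function_iam_member" "pass_member" {
  project        = google_cloudfunctions_function.pikey.project
  region         = google_cloudfunctions_function.pikey.region
  cloud_function = google_cloudfunctions_function.pikey.name
  role           = "roles/cloudfunctions.invoker"
  member         = "serviceAccount:${google_service_account.caller.email}"
}

# Equivalent passing example using the list form. Note that an *_iam_binding
# is authoritative for its role: whatever is listed here replaces any other
# members previously holding that role on the function, which also makes it a
# convenient way to evict a stray "allUsers" grant created outside Terraform.
resource "google_cloudfunctions_function_iam_binding" "pass_binding" {
  project        = google_cloudfunctions_function.pikey.project
  region         = google_cloudfunctions_function.pikey.region
  cloud_function = google_cloudfunctions_function.pikey.name
  role           = "roles/cloudfunctions.invoker"
  members = [
    "serviceAccount:${google_service_account.caller.email}",
  ]
}
```

Use either the member or the binding form for a given role, not both, since the authoritative binding would otherwise fight the per-member grant on every apply.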
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0965 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_107 |