IAM policy defines public access
Description
Allowing public access is generally a bad practice in security terms, as it can potentially expose sensitive data or functionality. Without proper access controls in place, unauthorized users could potentially gain access to secure areas, manipulate data, invoke functions, or even take control of the system or resources. This policy ensures that public access is not permitted, thereby maintaining a tighter control over who can interact with the system.
Code Example
```hcl
# Compliant example: the project policy is built from a google_iam_policy
# data source whose bindings name specific principals only.
resource "google_project_iam_policy" "project" {
  project     = "your-project-id"
  policy_data = data.google_iam_policy.admin.policy_data
}

data "google_iam_policy" "admin" {
  binding {
    role = "roles/storage.objectViewer"
    # Each member is an individual identity; no "allUsers" or
    # "allAuthenticatedUsers" principal appears in the list.
    members = [
      "user:individual-email",
      "serviceAccount:service-account-email",
    ]
  }
}
```
Remediation
Terraform
- Resource: google_iam_policy
- Arguments: binding
Instead of using 'allUsers' or 'allAuthenticatedUsers', which grant permissions to any user on the internet (or any authenticated Google account), grant permissions to specific users, roles, or service accounts.
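As an added example (not the Checkov rule's own implementation), the following Python check performs the kind of scan this rule describes: it inspects the `binding` blocks of a parsed `google_iam_policy` data source, or a raw `policy_data` JSON document, and reports every role bound to one of the two public principals. The sample bindings, e-mail addresses and role names are constructed for the example.

```python
import json

# The two GCP special principals named in the remediation text. Any binding
# that lists one of them grants the role to the public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
CHECK_ID = "CKV_GCP_113"  # rule id from this page


def public_bindings_from_blocks(bindings):
    """Return (role, member) pairs that grant a role to a public principal.

    `bindings` is a list of dicts with "role" and "members" keys, the shape an
    HCL parser produces for the `binding` blocks of google_iam_policy.
    """
    findings = []
    for binding in bindings:
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member))
    return findings


def public_bindings_from_policy_data(policy_json):
    """Same check against a raw policy_data JSON string, whose top-level
    "bindings" list has the same role/members shape as the HCL blocks."""
    policy = json.loads(policy_json)
    return public_bindings_from_blocks(policy.get("bindings", []))


def is_compliant(bindings):
    """True when no binding exposes a role to a public principal."""
    return not public_bindings_from_blocks(bindings)


# Constructed sample: first binding is compliant, second is public.
SAMPLE_BINDINGS = [
    {"role": "roles/storage.objectViewer",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
]

# Constructed sample of the JSON form a policy_data attribute carries.
SAMPLE_POLICY_DATA = json.dumps(
    {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]})

if __name__ == "__main__":
    for role, member in public_bindings_from_blocks(SAMPLE_BINDINGS):
        print(f"FAILED {CHECK_ID}: '{member}' is bound to {role}")
    for role, member in public_bindings_from_policy_data(SAMPLE_POLICY_DATA):
        print(f"FAILED {CHECK_ID}: '{member}' is bound to {role}")
```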
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0971 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_113 |