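// CheckEnableUbla flags Cloud Storage buckets that do not have uniform
// bucket-level access enabled. Buckets reported as unmanaged are skipped;
// a bucket whose EnableUniformBucketLevelAccess is false is recorded as a
// failure, and every other managed bucket is recorded as passed.
var CheckEnableUbla = rules.Register(
	rules.Rule{
		AVDID:       "AVD-GCP-0002",
		Provider:    providers.GoogleProvider,
		Service:     "storage",
		ShortCode:   "enable-ubla",
		Summary:     "Ensure that Cloud Storage buckets have uniform bucket-level access enabled",
		Impact:      "ACLs are difficult to manage and often lead to incorrect/unintended configurations.",
		Resolution:  "Enable uniform bucket level access to provide a uniform permissioning system.",
		Explanation: `When you enable uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains. You revoke all access granted by object ACLs and the ability to administrate permissions using bucket ACLs.`,
		Links: []string{
			"https://cloud.google.com/storage/docs/uniform-bucket-level-access",
			"https://jbrojbrojbro.medium.com/you-make-the-rules-with-authentication-controls-for-cloud-storage-53c32543747b",
		},
		Terraform: &rules.EngineMetadata{
			GoodExamples:        terraformEnableUblaGoodExamples,
			BadExamples:         terraformEnableUblaBadExamples,
			Links:               terraformEnableUblaLinks,
			RemediationMarkdown: terraformEnableUblaRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results rules.Results) {
		buckets := s.Google.Storage.Buckets
		// Index the slice rather than taking the address of the range
		// variable: the pointer handed to AddPassed then refers to the
		// bucket held in state, not to a loop-local copy (which, before
		// Go 1.22, is a single variable reused by every iteration).
		for i := range buckets {
			bucket := &buckets[i]
			if bucket.IsUnmanaged() {
				continue
			}
			if bucket.EnableUniformBucketLevelAccess.IsFalse() {
				results.Add(
					"Bucket has uniform bucket level access disabled.",
					bucket.EnableUniformBucketLevelAccess,
				)
				continue
			}
			results.AddPassed(bucket)
		}
		return results
	},
)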
// CheckNoPublicAccess reports Cloud Storage buckets whose IAM bindings or
// directly attached members grant access to an external principal, as
// decided by googleIAMMemberIsExternal. Every binding member and every
// bucket member is recorded individually, as either failed or passed.
//
// NOTE(review): unlike CheckEnableUbla in this file, unmanaged buckets are
// not skipped here — confirm that is intentional.
var CheckNoPublicAccess = rules.Register(
	rules.Rule{
		AVDID:       "AVD-GCP-0001",
		Provider:    providers.GoogleProvider,
		Service:     "storage",
		ShortCode:   "no-public-access",
		Summary:     "Ensure that Cloud Storage bucket is not anonymously or publicly accessible.",
		Impact:      "Public exposure of sensitive data.",
		Resolution:  "Restrict public access to the bucket.",
		Explanation: `Using 'allUsers' or 'allAuthenticatedUsers' as members in an IAM member/binding causes data to be exposed outside of the organisation.`,
		Links: []string{
			"https://jbrojbrojbro.medium.com/you-make-the-rules-with-authentication-controls-for-cloud-storage-53c32543747b",
		},
		Terraform: &rules.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results rules.Results) {
		for _, b := range s.Google.Storage.Buckets {
			// IAM bindings: one result per listed member.
			for _, bnd := range b.Bindings {
				for _, m := range bnd.Members {
					if !googleIAMMemberIsExternal(m.Value()) {
						results.AddPassed(m)
						continue
					}
					results.Add("Bucket allows public access.", m)
				}
			}
			// Individual IAM members attached directly to the bucket.
			for _, m := range b.Members {
				if !googleIAMMemberIsExternal(m.Member.Value()) {
					results.AddPassed(m.Member)
					continue
				}
				results.Add("Bucket allows public access.", m.Member)
			}
		}
		return results
	},
)