// CheckBucketEncryptionCustomerKey reports every managed Cloud Storage bucket
// whose Encryption.DefaultKMSKeyName is empty, i.e. a bucket that does not
// declare a customer-managed KMS key. Buckets for which Metadata.IsUnmanaged()
// is true are skipped entirely; all other buckets either fail on the empty key
// name or are recorded as passed.
var CheckBucketEncryptionCustomerKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0066",
		Provider:    providers.GoogleProvider,
		Service:     "storage",
		ShortCode:   "bucket-encryption-customer-key",
		Summary:     "Cloud Storage buckets should be encrypted with a customer-managed key.",
		Impact:      "Using unmanaged keys does not allow for proper key management.",
		Resolution:  "Encrypt Cloud Storage buckets using customer-managed keys.",
		Explanation: `Using unmanaged keys makes rotation and general management difficult.`,
		Links: []string{
			"https://cloud.google.com/storage/docs/encryption/customer-managed-keys",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformBucketEncryptionCustomerKeyGoodExamples,
			BadExamples:         terraformBucketEncryptionCustomerKeyBadExamples,
			Links:               terraformBucketEncryptionCustomerKeyLinks,
			RemediationMarkdown: terraformBucketEncryptionCustomerKeyRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, bucket := range st.Google.Storage.Buckets {
			// Nothing to judge on a bucket the scanner does not manage.
			if bucket.Metadata.IsUnmanaged() {
				continue
			}
			keyName := bucket.Encryption.DefaultKMSKeyName
			if !keyName.IsEmpty() {
				results.AddPassed(&bucket)
				continue
			}
			// The finding is attached to the key-name attribute itself so the
			// reported location points at the missing/empty value.
			results.Add(
				"Storage bucket encryption does not use a customer-managed key.",
				keyName,
			)
		}
		return results
	},
)
// CheckEnableUbla reports every managed Cloud Storage bucket whose
// EnableUniformBucketLevelAccess attribute is false. Buckets for which
// Metadata.IsUnmanaged() is true are skipped; any other bucket whose attribute
// is not false (including one where IsFalse() does not hold because the value
// is unset) is recorded as passed.
var CheckEnableUbla = rules.Register(
	scan.Rule{
		AVDID:      "AVD-GCP-0002",
		Provider:   providers.GoogleProvider,
		Service:    "storage",
		ShortCode:  "enable-ubla",
		Summary:    "Ensure that Cloud Storage buckets have uniform bucket-level access enabled",
		Impact:     "ACLs are difficult to manage and often lead to incorrect/unintended configurations.",
		Resolution: "Enable uniform bucket level access to provide a uniform permissioning system.",
		Explanation: `When you enable uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains. You revoke all access granted by object ACLs and the ability to administrate permissions using bucket ACLs.`,
		Links: []string{
			"https://cloud.google.com/storage/docs/uniform-bucket-level-access",
			"https://jbrojbrojbro.medium.com/you-make-the-rules-with-authentication-controls-for-cloud-storage-53c32543747b",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableUblaGoodExamples,
			BadExamples:         terraformEnableUblaBadExamples,
			Links:               terraformEnableUblaLinks,
			RemediationMarkdown: terraformEnableUblaRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, bucket := range st.Google.Storage.Buckets {
			// Nothing to judge on a bucket the scanner does not manage.
			if bucket.Metadata.IsUnmanaged() {
				continue
			}
			ubla := bucket.EnableUniformBucketLevelAccess
			if !ubla.IsFalse() {
				results.AddPassed(&bucket)
				continue
			}
			// Attach the finding to the attribute so the reported location is
			// the line that disables uniform access.
			results.Add(
				"Bucket has uniform bucket level access disabled.",
				ubla,
			)
		}
		return results
	},
)
// CheckNoPublicAccess walks the IAM bindings and the individual IAM members of
// every Cloud Storage bucket in the state and reports each member that
// googleIAMMemberIsExternal (defined elsewhere in this package) classifies as
// external; every other member is recorded as passed.
//
// Unlike the other checks in this package, buckets are not filtered on
// Metadata.IsUnmanaged(): bindings and members are inspected for every bucket.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0001",
		Provider:    providers.GoogleProvider,
		Service:     "storage",
		ShortCode:   "no-public-access",
		Summary:     "Ensure that Cloud Storage bucket is not anonymously or publicly accessible.",
		Impact:      "Public exposure of sensitive data.",
		Resolution:  "Restrict public access to the bucket.",
		Explanation: `Using 'allUsers' or 'allAuthenticatedUsers' as members in an IAM member/binding causes data to be exposed outside of the organisation.`,
		Links: []string{
			"https://jbrojbrojbro.medium.com/you-make-the-rules-with-authentication-controls-for-cloud-storage-53c32543747b",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, bucket := range st.Google.Storage.Buckets {
			// Members granted through an IAM binding (one role, many members).
			for _, binding := range bucket.Bindings {
				for _, m := range binding.Members {
					if !googleIAMMemberIsExternal(m.Value()) {
						results.AddPassed(m)
						continue
					}
					results.Add(
						"Bucket allows public access.",
						m,
					)
				}
			}
			// Members granted individually (one role, one member each).
			for _, m := range bucket.Members {
				if !googleIAMMemberIsExternal(m.Member.Value()) {
					results.AddPassed(m.Member)
					continue
				}
				results.Add(
					"Bucket allows public access.",
					m.Member,
				)
			}
		}
		return results
	},
)