github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/iam/no_folder_level_service_account_impersonation.go (about)

     1  package iam
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckNoFolderLevelServiceAccountImpersonation = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-GCP-0005",
    14  		Provider:    providers.GoogleProvider,
    15  		Service:     "IAM",
    16  		ShortCode:   "no-folder-level-service-account-impersonation",
    17  		Summary:     "Users should not be granted service account access at the folder level",
    18  		Impact:      "Privilege escalation, impersonation of any/all services",
    19  		Resolution:  "Provide access at the service-level instead of folder-level, if required",
    20  		Explanation: `Users with service account access at folder level can impersonate any service account. Instead, they should be given access to particular service accounts as required.`,
    21  		Links: []string{
    22  			"https://cloud.google.com/iam/docs/impersonating-service-accounts",
    23  		},
    24  		Terraform: &scan.EngineMetadata{
    25  			GoodExamples:        terraformNoFolderLevelServiceAccountImpersonationGoodExamples,
    26  			BadExamples:         terraformNoFolderLevelServiceAccountImpersonationBadExamples,
    27  			Links:               terraformNoFolderLevelServiceAccountImpersonationLinks,
    28  			RemediationMarkdown: terraformNoFolderLevelServiceAccountImpersonationRemediationMarkdown,
    29  		},
    30  		Severity: severity.Medium,
    31  	},
    32  	func(s *state.State) (results scan.Results) {
    33  		for _, folder := range s.Google.IAM.AllFolders() {
    34  			for _, member := range folder.Members {
    35  				if member.Metadata.IsUnmanaged() {
    36  					continue
    37  				}
    38  				if member.Role.IsOneOf("roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator") {
    39  					results.Add(
    40  						"Service account access is granted to a user at folder level.",
    41  						member.Role,
    42  					)
    43  				} else {
    44  					results.AddPassed(&member)
    45  				}
    46  
    47  			}
    48  			for _, binding := range folder.Bindings {
    49  				if binding.Metadata.IsUnmanaged() {
    50  					continue
    51  				}
    52  				if binding.Role.IsOneOf("roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator") {
    53  					results.Add(
    54  						"Service account access is granted to a user at folder level.",
    55  						binding.Role,
    56  					)
    57  				} else {
    58  					results.AddPassed(&binding)
    59  				}
    60  
    61  			}
    62  		}
    63  		return
    64  	},
    65  )