github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/iam/no_project_level_service_account_impersonation.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/iam/no_project_level_service_account_impersonation.go (about)

     1  package iam
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckNoProjectLevelServiceAccountImpersonation = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-GCP-0011",
    14  		Provider:    providers.GoogleProvider,
    15  		Service:     "iam",
    16  		ShortCode:   "no-project-level-service-account-impersonation",
    17  		Summary:     "Users should not be granted service account access at the project level",
    18  		Impact:      "Privilege escalation, impersonation of any/all services",
    19  		Resolution:  "Provide access at the service-level instead of project-level, if required",
    20  		Explanation: `Users with service account access at project level can impersonate any service account. Instead, they should be given access to particular service accounts as required.`,
    21  		Links: []string{
    22  			"https://cloud.google.com/iam/docs/impersonating-service-accounts",
    23  		},
    24  		Terraform: &scan.EngineMetadata{
    25  			GoodExamples:        terraformNoProjectLevelServiceAccountImpersonationGoodExamples,
    26  			BadExamples:         terraformNoProjectLevelServiceAccountImpersonationBadExamples,
    27  			Links:               terraformNoProjectLevelServiceAccountImpersonationLinks,
    28  			RemediationMarkdown: terraformNoProjectLevelServiceAccountImpersonationRemediationMarkdown,
    29  		},
    30  		Severity: severity.Medium,
    31  	},
    32  	func(s *state.State) (results scan.Results) {
    33  		for _, project := range s.Google.IAM.AllProjects() {
    34  			for _, member := range project.Members {
    35  				if member.Metadata.IsUnmanaged() {
    36  					continue
    37  				}
    38  				if member.Role.IsOneOf("roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator") {
    39  					results.Add(
    40  						"Service account access is granted to a user at project level.",
    41  						member.Role,
    42  					)
    43  				} else {
    44  					results.AddPassed(&member)
    45  				}
    46  			}
    47  			for _, binding := range project.Bindings {
    48  				if binding.Metadata.IsUnmanaged() {
    49  					continue
    50  				}
    51  				if binding.Role.IsOneOf("roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator") {
    52  					results.Add(
    53  						"Service account access is granted to a user at project level.",
    54  						binding.Role,
    55  					)
    56  				} else {
    57  					results.AddPassed(&binding)
    58  				}
    59  
    60  			}
    61  		}
    62  		return
    63  	},
    64  )