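package iam

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/google/iam"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

const (
	// userMemberPrefix is the principal prefix that identifies an individual
	// Google account (as opposed to a group, service account or domain).
	userMemberPrefix = "user:"

	// userGrantedMessage is the finding text emitted for every direct user grant.
	userGrantedMessage = "Permissions are granted directly to a user."
)

// CheckNoUserGrantedPermissions flags IAM members and bindings that grant a
// role directly to a "user:" principal at project, folder or organization
// level. All three scopes are evaluated by checkScopeForUserGrants so the
// check logic exists in exactly one place.
var CheckNoUserGrantedPermissions = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0003",
		Provider:    providers.GoogleProvider,
		Service:     "iam",
		ShortCode:   "no-user-granted-permissions",
		Summary:     "IAM granted directly to user.",
		Impact:      "Users shouldn't have permissions granted to them directly",
		Resolution:  "Roles should be granted permissions and assigned to users",
		Explanation: `Permissions should not be directly granted to users, you identify roles that contain the appropriate permissions, and then grant those roles to the user.

Granting permissions to users quickly become unwieldy and complex to make large scale changes to remove access to a particular resource.

Permissions should be granted on roles, groups, services accounts instead.`,
		Links: []string{
			"https://cloud.google.com/iam/docs/overview#permissions",
			"https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoUserGrantedPermissionsGoodExamples,
			BadExamples:         terraformNoUserGrantedPermissionsBadExamples,
			Links:               terraformNoUserGrantedPermissionsLinks,
			RemediationMarkdown: terraformNoUserGrantedPermissionsRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		// Projects and folders are flattened by the IAM helpers so nested
		// scopes are not missed; organizations are the top-level list.
		for _, project := range s.Google.IAM.AllProjects() {
			checkScopeForUserGrants(&results, project.Members, project.Bindings)
		}
		for _, folder := range s.Google.IAM.AllFolders() {
			checkScopeForUserGrants(&results, folder.Members, folder.Bindings)
		}
		for _, org := range s.Google.IAM.Organizations {
			checkScopeForUserGrants(&results, org.Members, org.Bindings)
		}
		return results
	},
)

// checkScopeForUserGrants appends to results one failed entry for every
// member or binding principal that starts with "user:" and one passed entry
// for every other principal.
//
// Members whose metadata is unmanaged (not defined in the scanned
// configuration) are skipped. Bindings are not filtered the same way;
// NOTE(review): this asymmetry is carried over from the previous per-scope
// loops — confirm whether unmanaged bindings should also be skipped.
func checkScopeForUserGrants(results *scan.Results, members []iam.Member, bindings []iam.Binding) {
	for i := range members {
		// Address the slice element rather than the range variable so the
		// pointer handed to AddPassed stays valid and distinct per member,
		// regardless of the Go version's loop-variable semantics.
		member := &members[i]
		if member.Metadata.IsUnmanaged() {
			continue
		}
		if member.Member.StartsWith(userMemberPrefix) {
			results.Add(userGrantedMessage, member.Role)
		} else {
			results.AddPassed(member)
		}
	}

	for i := range bindings {
		binding := &bindings[i]
		for _, principal := range binding.Members {
			if principal.StartsWith(userMemberPrefix) {
				results.Add(userGrantedMessage, binding.Role)
			} else {
				results.AddPassed(principal)
			}
		}
	}
}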