package storage

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// publicAccessMessage is the finding text attached to every flagged member.
const publicAccessMessage = "Bucket allows public access."

// CheckNoPublicAccess is the AVD-GCP-0001 rule. It walks every Google Cloud
// Storage bucket in the scanned state and, for each IAM binding member and
// each standalone IAM member, reports a High-severity finding when the member
// is one of the special public principals "allUsers" or
// "allAuthenticatedUsers"; any other member is recorded as passed.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0001",
		Provider:    providers.GoogleProvider,
		Service:     "storage",
		ShortCode:   "no-public-access",
		Summary:     "Ensure that Cloud Storage bucket is not anonymously or publicly accessible.",
		Impact:      "Public exposure of sensitive data.",
		Resolution:  "Restrict public access to the bucket.",
		Explanation: `Using 'allUsers' or 'allAuthenticatedUsers' as members in an IAM member/binding causes data to be exposed outside of the organisation.`,
		Links: []string{
			"https://jbrojbrojbro.medium.com/you-make-the-rules-with-authentication-controls-for-cloud-storage-53c32543747b",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, bkt := range s.Google.Storage.Buckets {
			// Members attached through IAM bindings (one binding, many members).
			for _, bnd := range bkt.Bindings {
				for _, m := range bnd.Members {
					if !googleIAMMemberIsExternal(m.Value()) {
						results.AddPassed(m)
						continue
					}
					results.Add(publicAccessMessage, m)
				}
			}
			// Members attached directly to the bucket (one member per resource).
			for _, bm := range bkt.Members {
				principal := bm.Member
				if !googleIAMMemberIsExternal(principal.Value()) {
					results.AddPassed(principal)
					continue
				}
				results.Add(publicAccessMessage, principal)
			}
		}
		return
	},
)

// googleIAMMemberIsExternal reports whether an IAM member string denotes one of
// the two Google Cloud principals that grant access outside the organisation.
// The comparison is an exact, case-sensitive match against "allUsers" and
// "allAuthenticatedUsers"; any other principal form is treated as internal.
func googleIAMMemberIsExternal(member string) bool {
	switch member {
	case "allUsers", "allAuthenticatedUsers":
		return true
	}
	return false
}