Ensure GCP Cloud Run services are not anonymously or publicly accessible

Error: GCP Cloud Run services are anonymously or publicly accessible
Bridgecrew Policy ID: BC_GCP_GENERAL_30
Checkov Check ID: CKV_GCP_102
Severity: MEDIUM

GCP Cloud Run services are anonymously or publicly accessible

Description

Cloud Run services are fully managed serverless environments used to develop and deploy containerized applications. In GCP, Cloud Run services support a wide variety of authentication methods to execute (invoke) the container. One of those methods is based to the usage of two special IAM principals: allUsers and allAuthenticatedUsers. When those IAM principals have access to the Cloud Run service - anyone on the internet can execute or access the Cloud Run service.

We recommend you ensure that neither anonymous or public access to Cloud Run services are allowed.

Fix - Runtime

GCP Console

To remove anonymous or public access to your Cloud Run service:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Cloud Run.
  3. View your service's Service details page by clicking on your Service Name.
  4. Select the PERMISSIONS tab.
  5. To remove a specific role assignment, select allUsers or allAuthenticatedUsers, and then click Delete.

CLI Command

To remove anonymous or public access to your Cloud Run service execute the following command:

gcloud run services remove-iam-policy-binding SERVICE-NAME \
    --member=MEMBER-TYPE \
    --role=ROLE

Replace SERVICE-NAME with your Cloud Run service name. Replace MEMBER-TYPE with the member you want to delete (either allUsers or allAuthenticatedUsers). Replace ROLE the IAM member's assigned role.

Fix - Buildtime

Terraform

  • Resource: google_cloud_run_service_iam_binding

  • Field: members

  • Resource: google_cloud_run_service_iam_member

  • Field: member

resource "google_cloud_run_service_iam_binding" "public_binding" {
  location = google_cloud_run_service.default.location
  service = google_cloud_run_service.default.name
  role = "roles/run.invoker"

  members = [
-    "allUsers",
-    "allAuthenticatedUsers",
  ]
}

resource "google_cloud_run_service_iam_member" "public_member" {
  location = google_cloud_run_service.default.location
  service = google_cloud_run_service.default.name
  role = "roles/run.invoker"

-  member = "allUsers"
-  member = "allAuthenticatedUsers"
}