Ensure GCP Artifact Registry repositories are not anonymously or publicly accessible
Error: GCP Artifact Registry repositories are anonymously or publicly accessible
Bridgecrew Policy ID: BC_GCP_GENERAL_15
Checkov Check ID: CKV_GCP_101
Severity: HIGH
Description
Artifact Registry is a service that stores artifacts and build dependencies for your GCP applications. Artifact registry repositories can contain sensitive credentials that are baked into containers, personal data (like PII), or confidential data that you may not want publicly accessible. Repositories can be made anonymously or publicly accessible via IAM policies containing the IAM members allUsers or allAuthenticatedUsers.
We recommend you ensure that neither anonymous nor public access to Artifact Registry repositories is allowed.
Fix - Runtime
GCP Console
To remove anonymous or public access for your Artifact Registry repository:
- Log in to the GCP Console at https://console.cloud.google.com.
- Navigate to Repositories.
- Select the target Artifact Registry repository.
- Expand the Info Panel by selecting Show Info Panel.
- To remove a specific role assignment, select allUsers or allAuthenticatedUsers, and then click Remove member.
CLI Command
To remove anonymous or public access for your Artifact Registry repositories use the following command:
gcloud artifacts repositories remove-iam-policy-binding REPOSITORY \
    --member=MEMBER \
    --role=ROLE
Replace REPOSITORY with your repository ID. Replace MEMBER with allUsers or allAuthenticatedUsers depending on your Checkov alert. Replace ROLE with the member's role.
Fix - Buildtime
Terraform
- Resource: google_artifact_registry_repository_iam_binding
- Field: members
- Resource: google_storage_bucket_iam_member
- Field: member
# Lines prefixed with "-" are the public bindings to remove.
resource "google_artifact_registry_repository_iam_binding" "public_binding" {
  provider   = google-beta
  location   = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role       = "roles/artifactregistry.writer"
  members = [
-   "allUsers",
-   "allAuthenticatedUsers",
  ]
}

resource "google_artifact_registry_repository_iam_member" "public_member" {
  provider   = google-beta
  location   = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role       = "roles/artifactregistry.writer"
- member     = "allUsers"
- member     = "allAuthenticatedUsers"
}
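The runtime CLI fix above and the Terraform buildtime fix both come down to one question: does any binding on the repository name allUsers or allAuthenticatedUsers? The following Python script, added here as an illustration and not part of the Checkov/Bridgecrew code base, answers it both ways. For the runtime case it evaluates the JSON that `gcloud artifacts repositories get-iam-policy REPOSITORY --location=LOCATION --format=json` prints and generates the matching remove-iam-policy-binding commands (the --location flag is a real gcloud flag, included because the repository's location is needed alongside its ID). For the buildtime case it runs a deliberately naive regex scan over Terraform text for the two resource types listed above, which is not how Checkov parses HCL. The IAM policy, the Terraform snippet, the repository name my-repo, the location us-central1 and the service-account and group principals are all constructed sample values.

```python
"""Flag anonymous/public principals on Artifact Registry repositories, at runtime and in Terraform."""
import json
import re

# The two IAM principals that make a repository anonymously or publicly accessible.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy):
    """Return (role, member) pairs whose member is a public principal.

    `policy` is the dict form of an IAM policy as printed by
    `gcloud artifacts repositories get-iam-policy ... --format=json`.
    """
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def remediation_commands(repository, location, policy):
    """Build one remove-iam-policy-binding command per public binding found."""
    return [
        f"gcloud artifacts repositories remove-iam-policy-binding {repository} "
        f"--location={location} --member={member} --role={role}"
        for role, member in find_public_bindings(policy)
    ]


# Naive buildtime scan: match the two Terraform resource types this policy covers,
# then look for public principals inside each block body (up to the closing brace
# at column 0). This is a demonstration, not an HCL parser.
_RESOURCE_RE = re.compile(
    r'resource\s+"(google_artifact_registry_repository_iam_(?:binding|member))"'
    r'\s+"([^"]+)"\s*\{(.*?)\n\}',
    re.S,
)
_PUBLIC_RE = re.compile(r'"(allUsers|allAuthenticatedUsers)"')


def scan_terraform(hcl_text):
    """Return (resource_type, resource_name, member) for every public principal found."""
    findings = []
    for match in _RESOURCE_RE.finditer(hcl_text):
        rtype, rname, body = match.groups()
        for member in _PUBLIC_RE.findall(body):
            findings.append((rtype, rname, member))
    return findings


# Constructed sample policy: one anonymous reader, one "any Google account" writer,
# and one legitimate admin group that must be left alone.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/artifactregistry.reader", "members": ["allUsers"]},
    {"role": "roles/artifactregistry.writer",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com",
                 "allAuthenticatedUsers"]},
    {"role": "roles/artifactregistry.admin", "members": ["group:platform-admins@example.com"]}
  ],
  "etag": "CONSTRUCTED-ETAG"
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)

# Constructed Terraform: one public binding and one correctly scoped member.
SAMPLE_TF = '''
resource "google_artifact_registry_repository_iam_binding" "public_binding" {
  provider   = google-beta
  location   = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role       = "roles/artifactregistry.writer"
  members = [
    "allUsers",
    "serviceAccount:ci@example-project.iam.gserviceaccount.com",
  ]
}

resource "google_artifact_registry_repository_iam_member" "ci_member" {
  provider   = google-beta
  location   = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role       = "roles/artifactregistry.reader"
  member     = "serviceAccount:ci@example-project.iam.gserviceaccount.com"
}
'''

if __name__ == "__main__":
    for cmd in remediation_commands("my-repo", "us-central1", SAMPLE_POLICY):
        print(cmd)
    for finding in scan_terraform(SAMPLE_TF):
        print("terraform finding:", finding)
```

Running the script prints two remove-iam-policy-binding commands for the runtime policy (one per public principal, each with the role it was bound under, so the admin group binding is untouched) and a single Terraform finding for public_binding. Feed real output from get-iam-policy into find_public_bindings to audit a repository before removing anything, and treat the regex scan as a quick pre-commit filter only; Checkov's own check is the one that parses HCL properly.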