Ensure GCP Artifact Registry repositories are not anonymously or publicly accessible

Error: GCP Artifact Registry repositories are anonymously or publicly accessible
Bridgecrew Policy ID: BC_GCP_GENERAL_15
Checkov Check ID: CKV_GCP_101
Severity: HIGH

GCP Artifact Registry repositories are anonymously or publicly accessible

Description

Artifact Registry is a service that stores artifacts and build dependencies for your GCP applications. Artifact Registry repositories can contain sensitive credentials baked into container images, personal data (such as PII), or other confidential data that you may not want publicly accessible. A repository becomes anonymously or publicly accessible when its IAM policy grants a role to the special IAM members allUsers (anyone on the internet, no authentication required) or allAuthenticatedUsers (any Google account).

We recommend that you ensure neither anonymous nor public access to Artifact Registry repositories is allowed.

Fix - Runtime

GCP Console

To remove anonymous or public access for your Artifact Registry repository:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Repositories.
  3. Select the target Artifact Registry repository.
  4. Expand the Info Panel by selecting Show Info Panel.
  5. To remove a specific role assignment, select allUsers or allAuthenticatedUsers, and then click Remove member.

CLI Command

To remove anonymous or public access for your Artifact Registry repositories, use the following command:

gcloud artifacts repositories remove-iam-policy-binding REPOSITORY \
  --member=MEMBER \
  --role=ROLE

Replace REPOSITORY with your repository ID, MEMBER with allUsers or allAuthenticatedUsers (whichever one the Checkov alert reports), and ROLE with the role granted to that member. Run the command once per offending binding if both members are present or the member holds more than one role.

Fix - Buildtime

Terraform

  • Resource: google_artifact_registry_repository_iam_binding

  • Field: members

  • Resource: google_artifact_registry_repository_iam_member

  • Field: member

resource "google_artifact_registry_repository_iam_binding" "public_binding" {
  provider = google-beta
  location = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role = "roles/artifactregistry.writer"

  members = [
-    "allUsers",
-    "allAuthenticatedUsers",
  ]
}
resource "google_artifact_registry_repository_iam_member" "public_member" {
  provider = google-beta
  location = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role = "roles/artifactregistry.writer"

-  member = "allUsers"
-  member = "allAuthenticatedUsers"
}
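As an added example (not Checkov's own source for CKV_GCP_101), the following standalone Python check reproduces the policy's buildtime logic over Terraform resource blocks in the conf shape Checkov hands to a check (each attribute value wrapped in a list). The sample resources are constructed from the page's two blocks plus a compliant one, and the handling of google_artifact_registry_repository_iam_policy goes beyond the resources the page lists.

```python
import json

# Added example, not Checkov's own CKV_GCP_101 source: a standalone check over
# Terraform resources in Checkov's conf shape (every attribute value wrapped in
# a list). It also covers google_artifact_registry_repository_iam_policy, whose
# policy_data JSON can grant the same principals; the page does not list it.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Resource types from the Buildtime section and the attribute each one uses.
MEMBER_FIELDS = {
    "google_artifact_registry_repository_iam_binding": "members",
    "google_artifact_registry_repository_iam_member": "member",
}

def public_members(resource_type: str, conf: dict) -> list:
    """Anonymous/public principals granted by one resource block, sorted."""
    found = set()
    if resource_type in MEMBER_FIELDS:
        # A scalar `member` arrives as ["allUsers"]; a `members` list as [["a", "b"]].
        for value in conf.get(MEMBER_FIELDS[resource_type], []):
            found.update(value if isinstance(value, list) else [value])
    elif resource_type == "google_artifact_registry_repository_iam_policy":
        for raw in conf.get("policy_data", []):
            try:
                policy = json.loads(raw)
            except (TypeError, ValueError):
                continue  # interpolation such as ${data...}: nothing to assert on
            bindings = policy.get("bindings", []) if isinstance(policy, dict) else []
            for binding in bindings:
                found.update(binding.get("members", []))
    return sorted(found & PUBLIC_MEMBERS)

def scan_resource_conf(resource_type: str, conf: dict) -> str:
    """Checkov-style verdict: FAILED when any public principal is present."""
    return "FAILED" if public_members(resource_type, conf) else "PASSED"

# Constructed sample: the page's two Terraform blocks plus a compliant one.
SAMPLE = {
    ("google_artifact_registry_repository_iam_binding", "public_binding"):
        {"members": [["allUsers", "allAuthenticatedUsers"]]},
    ("google_artifact_registry_repository_iam_member", "public_member"):
        {"member": ["allUsers"]},
    ("google_artifact_registry_repository_iam_member", "ci_member"):
        {"member": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
}

if __name__ == "__main__":
    for (rtype, name), conf in SAMPLE.items():
        print(f"{rtype}.{name}: {scan_resource_conf(rtype, conf)}", public_members(rtype, conf))
```

The two page blocks come back FAILED with the offending members listed, which is exactly what needs removing from `members` / `member` before the check passes.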