Ensure GCP Container Registry repositories are not anonymously or publicly accessible

Error: GCP Container Registry repositories are anonymously or publicly accessible
Bridgecrew Policy ID: BC_GCP_GENERAL_17
Checkov Check ID: CKV2_GCP_9
Severity: HIGH

GCP Container Registry repositories are anonymously or publicly accessible

Description

Google Container Registry (GCR) is a GCP service that contains repositories for your container images. A GCR repo is publicly accessible if the host location's underlying storage bucket is publicly accessible because GCR images are stored in GCS. Public GCR repositories can put your data at risk of exposure and should be adjusted to a more secure configuration (private).

We recommend you ensure that neither anonymous or public access to GCR Repositories is allowed.

Fix - Runtime

GCP Console

To remove anonymous or public access to your GCR repositories:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to GCR Settings.
  3. Under Public access locate the repositories that say PUBLIC under the Visibility column.
  4. Select the dropdown and switch to PRIVATE.

CLI Command

To remove anonymous or public access to your GCR repositories use the gsutil command:

gsutil iam ch -d PRINCIPAL gs://BUCKET-NAME

Replace PRINCIPAL with either allUsers or allAuthenticatedUsers depending on your Checkov alert. Replace BUCKET-NAME with the GCS bucket where your images are stored.

The BUCKET-NAME can be determined by executing gsutil ls and your Container Registry bucket URL will be listed as gs://artifacts.PROJECT-ID.appspot.com or gs://STORAGE-REGION.artifacts.PROJECT-ID.appspot.com. PROJECT-ID and STORAGE-REGION will be replaced with your GCP project ID or the region where your GCR repository is configured.

Fix - Buildtime

Terraform

  • Resource: google_storage_bucket_iam_binding

  • Field: members

  • Resource: google_storage_bucket_iam_member

  • Field: member

Google Container Registry (GCR) does not have IAM-specific resources in Terraform. Instead, GCR IAM is handled via GCS IAM resources as seen in the below examples.

resource "google_storage_bucket_iam_binding" "gcr_public_binding" {
  bucket = google_storage_bucket.default.name
  role = "roles/storage.viewer"

  members = [
-    "allUsers",
-    "allAuthenticatedUsers",
  ]
}
resource "google_artifact_registry_repository_iam_member" "public_member" {
  provider = google-beta
  location = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role = "roles/artifactregistry.writer"

-  member = "allUsers"
-  member = "allAuthenticatedUsers"
}
resource "google_storage_bucket_iam_member" "gcr_public_member" {
  bucket = google_storage_bucket.default.name
  role = "roles/storage.viewer"

-  member = "allUsers"
-  member = "allAuthenticatedUsers"
}