Ensure GCP Container Registry repositories are not anonymously or publicly accessible
Error: GCP Container Registry repositories are anonymously or publicly accessible
Bridgecrew Policy ID: BC_GCP_GENERAL_17
Checkov Check ID: CKV2_GCP_9
Severity: HIGH
GCP Container Registry repositories are anonymously or publicly accessible
Description
Google Container Registry (GCR) is a GCP service that contains repositories for your container images. A GCR repo is publicly accessible if the host location's underlying storage bucket is publicly accessible because GCR images are stored in GCS. Public GCR repositories can put your data at risk of exposure and should be adjusted to a more secure configuration (private).
We recommend you ensure that neither anonymous or public access to GCR Repositories is allowed.
Fix - Runtime
GCP Console
To remove anonymous or public access to your GCR repositories:
- Log in to the GCP Console at https://console.cloud.google.com.
- Navigate to GCR Settings.
- Under Public access locate the repositories that say PUBLIC under the Visibility column.
- Select the dropdown and switch to PRIVATE.
CLI Command
To remove anonymous or public access to your GCR repositories use the gsutil
command:
gsutil iam ch -d PRINCIPAL gs://BUCKET-NAME
Replace PRINCIPAL with either allUsers or allAuthenticatedUsers depending on your Checkov alert. Replace BUCKET-NAME with the GCS bucket where your images are stored.
The BUCKET-NAME can be determined by executing gsutil ls
and your Container Registry bucket URL will be listed as gs://artifacts.PROJECT-ID.appspot.com
or gs://STORAGE-REGION.artifacts.PROJECT-ID.appspot.com
. PROJECT-ID and STORAGE-REGION will be replaced with your GCP project ID or the region where your GCR repository is configured.
Fix - Buildtime
Terraform
-
Resource: google_storage_bucket_iam_binding
-
Field: members
-
Resource: google_storage_bucket_iam_member
-
Field: member
Google Container Registry (GCR) does not have IAM-specific resources in Terraform. Instead, GCR IAM is handled via GCS IAM resources as seen in the below examples.
resource "google_storage_bucket_iam_binding" "gcr_public_binding" {
bucket = google_storage_bucket.default.name
role = "roles/storage.viewer"
members = [
- "allUsers",
- "allAuthenticatedUsers",
]
}
resource "google_artifact_registry_repository_iam_member" "public_member" {
provider = google-beta
location = google_artifact_registry_repository.my-repo.location
repository = google_artifact_registry_repository.my-repo.name
role = "roles/artifactregistry.writer"
- member = "allUsers"
- member = "allAuthenticatedUsers"
}
resource "google_storage_bucket_iam_member" "gcr_public_member" {
bucket = google_storage_bucket.default.name
role = "roles/storage.viewer"
- member = "allUsers"
- member = "allAuthenticatedUsers"
}
Updated 6 months ago