terraform.gcp.security.gcp-folder-impersonation-roles-iam-binding.gcp-folder-impersonation-roles-iam-binding

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level

Run Locally

Run in CI

Defintion

rules:
  - id: gcp-folder-impersonation-roles-iam-binding
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "google_folder_iam_binding" "..." {
          ...
          role = "roles/editor"
          members = [ ... ]
          ...
          }
    message: "Ensure no roles that enable to impersonate and manage all service
      accounts are used at a folder level\t"
    metadata:
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - gcp
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

gcp-folder-impersonation-roles-iam-binding.tf

# fail
# ruleid: gcp-folder-impersonation-roles-iam-binding
resource "google_folder_iam_binding" "fail1" {
    folder  = "folders/1234567"
    role    = "roles/editor"

    members = [
    "user:jane@example.com",
    "serviceAccount:test-compute@appspot.gserviceaccount.com",
    ]
}

# ok: gcp-folder-impersonation-roles-iam-binding
resource "google_folder_iam_binding" "success1" {
    folder  = "folders/1234567"
    role    = "roles/other"

    members = [
    "user:jane@example.com",
    ]
}