-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
f373bfe
commit 208d7c4
Showing
1 changed file
with
13 additions
and
269 deletions.
There are no files selected for viewing
282 changes: 13 additions & 269 deletions
282
checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,273 +1,17 @@ | ||
| metadata: | ||
| id: "CKV2_GCP_18" | ||
| name: "Mayo Build - SP149 - User accounts are forbidden from directly binding to resources; the user must be a member of a group and bound through the group" | ||
| severity: "medium" | ||
| guidelines: "Do not bind with user: type members. Add users to group and member(s) with group: account type. https://docs.mcc.mayo.edu/docs/mcc/infrastructure-as-code/sentinel#sp149-block-end-user-principle-iam-binding" | ||
| category: "iam" | ||
| scope: | ||
| provider: gcp | ||
| name: "Ensure GCP network defines a firewall and does not use the default firewall" | ||
| category: "NETWORKING" | ||
| definition: | ||
| or: | ||
| - cond_type: "attribute" | ||
| and: | ||
| - cond_type: filter | ||
| value: | ||
| - google_compute_network | ||
| operator: within | ||
| attribute: resource_type | ||
| - cond_type: connection | ||
| operator: exists | ||
| resource_types: | ||
| - google_access_context_manager_access_policy_iam_policy | ||
| - google_apigee_environment_iam_policy | ||
| - google_artifact_registry_repository_iam_policy | ||
| - google_bigquery_analytics_hub_data_exchange_iam_policy | ||
| - google_bigquery_analytics_hub_listing_iam_policy | ||
| - google_bigquery_connection_iam_policy | ||
| - google_bigquery_datapolicy_data_policy_iam_policy | ||
| - google_bigquery_dataset_iam_policy | ||
| - google_bigquery_table_iam_policy | ||
| - google_bigtable_instance_iam_policy | ||
| - google_bigtable_table_iam_policy | ||
| - google_billing_account_iam_policy | ||
| - google_binary_authorization_attestor_iam_policy | ||
| - google_cloud_run_service_iam_policy | ||
| - google_cloud_run_v2_job_iam_policy | ||
| - google_cloud_run_v2_service_iam_policy | ||
| - google_cloud_tasks_queue_iam_policy | ||
| - google_cloudbuildv2_connection_iam_policy | ||
| - google_cloudfunctions_function_iam_policy | ||
| - google_cloudfunctions2_function_iam_policy | ||
| - google_compute_disk_iam_policy | ||
| - google_compute_image_iam_policy | ||
| - google_compute_instance_iam_policy | ||
| - google_compute_region_disk_iam_policy | ||
| - google_compute_snapshot_iam_policy | ||
| - google_compute_subnetwork_iam_policy | ||
| - google_container_analysis_note_iam_policy | ||
| - google_data_catalog_entry_group_iam_policy | ||
| - google_data_catalog_policy_tag_iam_policy | ||
| - google_data_catalog_tag_template_iam_policy | ||
| - google_data_catalog_taxonomy_iam_policy | ||
| - google_data_fusion_instance_iam_policy | ||
| - google_dataplex_asset_iam_policy | ||
| - google_dataplex_datascan_iam_policy | ||
| - google_dataplex_lake_iam_policy | ||
| - google_dataplex_task_iam_policy | ||
| - google_dataplex_zone_iam_policy | ||
| - google_dataproc_autoscaling_policy_iam_policy | ||
| - google_dataproc_cluster_iam_policy | ||
| - google_dataproc_job_iam_policy | ||
| - google_dataproc_metastore_service_iam_policy | ||
| - google_dns_managed_zone_iam_policy | ||
| - google_endpoints_service_consumers_iam_policy | ||
| - google_endpoints_service_iam_policy | ||
| - google_folder_iam_policy | ||
| - google_gke_backup_backup_plan_iam_policy | ||
| - google_gke_backup_restore_plan_iam_policy | ||
| - google_gke_hub_feature_iam_policy | ||
| - google_gke_hub_membership_iam_policy | ||
| - google_gke_hub_scope_iam_policy | ||
| - google_healthcare_consent_store_iam_policy | ||
| - google_healthcare_dataset_iam_policy | ||
| - google_healthcare_dicom_store_iam_policy | ||
| - google_healthcare_fhir_store_iam_policy | ||
| - google_healthcare_hl7_v2_store_iam_policy | ||
| - google_iap_app_engine_service_iam_policy | ||
| - google_iap_app_engine_version_iam_policy | ||
| - google_iap_tunnel_iam_policy | ||
| - google_iap_tunnel_instance_iam_policy | ||
| - google_iap_web_backend_service_iam_policy | ||
| - google_iap_web_iam_policy | ||
| - google_iap_web_region_backend_service_iam_policy | ||
| - google_iap_web_type_app_engine_iam_policy | ||
| - google_iap_web_type_compute_iam_policy | ||
| - google_kms_crypto_key_iam_policy | ||
| - google_kms_key_ring_iam_policy | ||
| - google_notebooks_instance_iam_policy | ||
| - google_notebooks_runtime_iam_policy | ||
| - google_organization_iam_policy | ||
| - google_privateca_ca_pool_iam_policy | ||
| - google_privateca_certificate_template_iam_policy | ||
| - google_project_iam_policy | ||
| - google_pubsub_subscription_iam_policy | ||
| - google_pubsub_topic_iam_policy | ||
| - google_scc_source_iam_policy | ||
| - google_secret_manager_secret_iam_policy | ||
| - google_service_account_iam_policy | ||
| - google_sourcerepo_repository_iam_policy | ||
| - google_spanner_database_iam_policy | ||
| - google_spanner_instance_iam_policy | ||
| - google_storage_bucket_iam_policy | ||
| - google_tags_tag_key_iam_policy | ||
| - google_tags_tag_value_iam_policy | ||
| attribute: "policy_data" | ||
| operator: "not_regex_match" | ||
| value: ".*user:.*" | ||
| - cond_type: "attribute" | ||
| resource_types: | ||
| - google_access_context_manager_access_policy_iam_member | ||
| - google_apigee_environment_iam_member | ||
| - google_artifact_registry_repository_iam_member | ||
| - google_bigquery_analytics_hub_data_exchange_iam_member | ||
| - google_bigquery_analytics_hub_listing_iam_member | ||
| - google_bigquery_connection_iam_member | ||
| - google_bigquery_datapolicy_data_policy_iam_member | ||
| - google_bigquery_dataset_iam_member | ||
| - google_bigquery_table_iam_member | ||
| - google_bigtable_instance_iam_member | ||
| - google_bigtable_table_iam_member | ||
| - google_billing_account_iam_member | ||
| - google_binary_authorization_attestor_iam_member | ||
| - google_cloud_run_service_iam_member | ||
| - google_cloud_run_v2_job_iam_member | ||
| - google_cloud_run_v2_service_iam_member | ||
| - google_cloud_tasks_queue_iam_member | ||
| - google_cloudbuildv2_connection_iam_member | ||
| - google_cloudfunctions_function_iam_member | ||
| - google_cloudfunctions2_function_iam_member | ||
| - google_compute_disk_iam_member | ||
| - google_compute_image_iam_member | ||
| - google_compute_instance_iam_member | ||
| - google_compute_region_disk_iam_member | ||
| - google_compute_snapshot_iam_member | ||
| - google_compute_subnetwork_iam_member | ||
| - google_container_analysis_note_iam_member | ||
| - google_data_catalog_entry_group_iam_member | ||
| - google_data_catalog_policy_tag_iam_member | ||
| - google_data_catalog_tag_template_iam_member | ||
| - google_data_catalog_taxonomy_iam_member | ||
| - google_data_fusion_instance_iam_member | ||
| - google_dataplex_asset_iam_member | ||
| - google_dataplex_datascan_iam_member | ||
| - google_dataplex_lake_iam_member | ||
| - google_dataplex_task_iam_member | ||
| - google_dataplex_zone_iam_member | ||
| - google_dataproc_autoscaling_policy_iam_member | ||
| - google_dataproc_cluster_iam_member | ||
| - google_dataproc_job_iam_member | ||
| - google_dataproc_metastore_service_iam_member | ||
| - google_dns_managed_zone_iam_member | ||
| - google_endpoints_service_consumers_iam_member | ||
| - google_endpoints_service_iam_member | ||
| - google_folder_iam_member | ||
| - google_gke_backup_backup_plan_iam_member | ||
| - google_gke_backup_restore_plan_iam_member | ||
| - google_gke_hub_feature_iam_member | ||
| - google_gke_hub_membership_iam_member | ||
| - google_gke_hub_scope_iam_member | ||
| - google_healthcare_consent_store_iam_member | ||
| - google_healthcare_dataset_iam_member | ||
| - google_healthcare_dicom_store_iam_member | ||
| - google_healthcare_fhir_store_iam_member | ||
| - google_healthcare_hl7_v2_store_iam_member | ||
| - google_iap_app_engine_service_iam_member | ||
| - google_iap_app_engine_version_iam_member | ||
| - google_iap_tunnel_iam_member | ||
| - google_iap_tunnel_instance_iam_member | ||
| - google_iap_web_backend_service_iam_member | ||
| - google_iap_web_iam_member | ||
| - google_iap_web_region_backend_service_iam_member | ||
| - google_iap_web_type_app_engine_iam_member | ||
| - google_iap_web_type_compute_iam_member | ||
| - google_kms_crypto_key_iam_member | ||
| - google_kms_key_ring_iam_member | ||
| - google_notebooks_instance_iam_member | ||
| - google_notebooks_runtime_iam_member | ||
| - google_organization_iam_member | ||
| - google_privateca_ca_pool_iam_member | ||
| - google_privateca_certificate_template_iam_member | ||
| - google_project_iam_member | ||
| - google_pubsub_subscription_iam_member | ||
| - google_pubsub_topic_iam_member | ||
| - google_scc_source_iam_member | ||
| - google_secret_manager_secret_iam_member | ||
| - google_service_account_iam_member | ||
| - google_sourcerepo_repository_iam_member | ||
| - google_spanner_database_iam_member | ||
| - google_spanner_instance_iam_member | ||
| - google_storage_bucket_iam_member | ||
| - google_tags_tag_key_iam_member | ||
| - google_tags_tag_value_iam_member | ||
| attribute: "member" | ||
| operator: "not_starting_with" | ||
| value: "user:" | ||
| - cond_type: "attribute" | ||
| resource_types: | ||
| - google_access_context_manager_access_policy_iam_binding | ||
| - google_apigee_environment_iam_binding | ||
| - google_artifact_registry_repository_iam_binding | ||
| - google_bigquery_analytics_hub_data_exchange_iam_binding | ||
| - google_bigquery_analytics_hub_listing_iam_binding | ||
| - google_bigquery_connection_iam_binding | ||
| - google_bigquery_datapolicy_data_policy_iam_binding | ||
| - google_bigquery_dataset_iam_binding | ||
| - google_bigquery_table_iam_binding | ||
| - google_bigtable_instance_iam_binding | ||
| - google_bigtable_table_iam_binding | ||
| - google_billing_account_iam_binding | ||
| - google_binary_authorization_attestor_iam_binding | ||
| - google_cloud_run_service_iam_binding | ||
| - google_cloud_run_v2_job_iam_binding | ||
| - google_cloud_run_v2_service_iam_binding | ||
| - google_cloud_tasks_queue_iam_binding | ||
| - google_cloudbuildv2_connection_iam_binding | ||
| - google_cloudfunctions_function_iam_binding | ||
| - google_cloudfunctions2_function_iam_binding | ||
| - google_compute_disk_iam_binding | ||
| - google_compute_image_iam_binding | ||
| - google_compute_instance_iam_binding | ||
| - google_compute_region_disk_iam_binding | ||
| - google_compute_snapshot_iam_binding | ||
| - google_compute_subnetwork_iam_binding | ||
| - google_container_analysis_note_iam_binding | ||
| - google_data_catalog_entry_group_iam_binding | ||
| - google_data_catalog_policy_tag_iam_binding | ||
| - google_data_catalog_tag_template_iam_binding | ||
| - google_data_catalog_taxonomy_iam_binding | ||
| - google_data_fusion_instance_iam_binding | ||
| - google_dataplex_asset_iam_binding | ||
| - google_dataplex_datascan_iam_binding | ||
| - google_dataplex_lake_iam_binding | ||
| - google_dataplex_task_iam_binding | ||
| - google_dataplex_zone_iam_binding | ||
| - google_dataproc_autoscaling_policy_iam_binding | ||
| - google_dataproc_cluster_iam_binding | ||
| - google_dataproc_job_iam_binding | ||
| - google_dataproc_metastore_service_iam_binding | ||
| - google_dns_managed_zone_iam_binding | ||
| - google_endpoints_service_consumers_iam_binding | ||
| - google_endpoints_service_iam_binding | ||
| - google_folder_iam_binding | ||
| - google_gke_backup_backup_plan_iam_binding | ||
| - google_gke_backup_restore_plan_iam_binding | ||
| - google_gke_hub_feature_iam_binding | ||
| - google_gke_hub_membership_iam_binding | ||
| - google_gke_hub_scope_iam_binding | ||
| - google_healthcare_consent_store_iam_binding | ||
| - google_healthcare_dataset_iam_binding | ||
| - google_healthcare_dicom_store_iam_binding | ||
| - google_healthcare_fhir_store_iam_binding | ||
| - google_healthcare_hl7_v2_store_iam_binding | ||
| - google_iap_app_engine_service_iam_binding | ||
| - google_iap_app_engine_version_iam_binding | ||
| - google_iap_tunnel_iam_binding | ||
| - google_iap_tunnel_instance_iam_binding | ||
| - google_iap_web_backend_service_iam_binding | ||
| - google_iap_web_iam_binding | ||
| - google_iap_web_region_backend_service_iam_binding | ||
| - google_iap_web_type_app_engine_iam_binding | ||
| - google_iap_web_type_compute_iam_binding | ||
| - google_kms_crypto_key_iam_binding | ||
| - google_kms_key_ring_iam_binding | ||
| - google_notebooks_instance_iam_binding | ||
| - google_notebooks_runtime_iam_binding | ||
| - google_organization_iam_binding | ||
| - google_privateca_ca_pool_iam_binding | ||
| - google_privateca_certificate_template_iam_binding | ||
| - google_project_iam_binding | ||
| - google_pubsub_subscription_iam_binding | ||
| - google_pubsub_topic_iam_binding | ||
| - google_scc_source_iam_binding | ||
| - google_secret_manager_secret_iam_binding | ||
| - google_service_account_iam_binding | ||
| - google_sourcerepo_repository_iam_binding | ||
| - google_spanner_database_iam_binding | ||
| - google_spanner_instance_iam_binding | ||
| - google_storage_bucket_iam_binding | ||
| - google_tags_tag_key_iam_binding | ||
| - google_tags_tag_value_iam_binding | ||
| attribute: "members[?(@ =~ '(?i)^user:')]" | ||
| operator: "jsonpath_not_exists" | ||
| - google_compute_network | ||
| connected_resource_types: | ||
| - google_compute_firewall |