From 208d7c428e37005316626b29a689a7cf69322f8f Mon Sep 17 00:00:00 2001
From: lirshindalman
Date: Thu, 28 Nov 2024 17:31:58 +0200
Subject: [PATCH] .
---
.../GCPNetworkDoesNotUseDefaultFirewall.yaml | 282 +-----------------
1 file changed, 13 insertions(+), 269 deletions(-)
diff --git a/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml b/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml
index 318dfc801c2..033b7c63583 100644
--- a/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml
+++ b/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml
@@ -1,273 +1,17 @@
 metadata:
 id: "CKV2_GCP_18"
- name: "Mayo Build - SP149 - User accounts are forbidden from directly binding to resources; the user must be a member of a group and bound through the group"
- severity: "medium"
- guidelines: "Do not bind with user: type members. Add users to group and member(s) with group: account type. https://docs.mcc.mayo.edu/docs/mcc/infrastructure-as-code/sentinel#sp149-block-end-user-principle-iam-binding"
- category: "iam"
-scope:
- provider: gcp
+ name: "Ensure GCP network defines a firewall and does not use the default firewall"
+ category: "NETWORKING"
 definition:
- or:
- - cond_type: "attribute"
+ and:
+ - cond_type: filter
+ value:
+ - google_compute_network
+ operator: within
+ attribute: resource_type
+ - cond_type: connection
+ operator: exists
 resource_types:
- - google_access_context_manager_access_policy_iam_policy
- - google_apigee_environment_iam_policy
- - google_artifact_registry_repository_iam_policy
- - google_bigquery_analytics_hub_data_exchange_iam_policy
- - google_bigquery_analytics_hub_listing_iam_policy
- - google_bigquery_connection_iam_policy
- - google_bigquery_datapolicy_data_policy_iam_policy
- - google_bigquery_dataset_iam_policy
- - google_bigquery_table_iam_policy
- - google_bigtable_instance_iam_policy
- - google_bigtable_table_iam_policy
- - google_billing_account_iam_policy
- - google_binary_authorization_attestor_iam_policy
- - google_cloud_run_service_iam_policy
- - google_cloud_run_v2_job_iam_policy
- - google_cloud_run_v2_service_iam_policy
- - google_cloud_tasks_queue_iam_policy
- - google_cloudbuildv2_connection_iam_policy
- - google_cloudfunctions_function_iam_policy
- - google_cloudfunctions2_function_iam_policy
- - google_compute_disk_iam_policy
- - google_compute_image_iam_policy
- - google_compute_instance_iam_policy
- - google_compute_region_disk_iam_policy
- - google_compute_snapshot_iam_policy
- - google_compute_subnetwork_iam_policy
- - google_container_analysis_note_iam_policy
- - google_data_catalog_entry_group_iam_policy
- - google_data_catalog_policy_tag_iam_policy
- - google_data_catalog_tag_template_iam_policy
- - google_data_catalog_taxonomy_iam_policy
- - google_data_fusion_instance_iam_policy
- - google_dataplex_asset_iam_policy
- - google_dataplex_datascan_iam_policy
- - google_dataplex_lake_iam_policy
- - google_dataplex_task_iam_policy
- - google_dataplex_zone_iam_policy
- - google_dataproc_autoscaling_policy_iam_policy
- - google_dataproc_cluster_iam_policy
- - google_dataproc_job_iam_policy
- - google_dataproc_metastore_service_iam_policy
- - google_dns_managed_zone_iam_policy
- - google_endpoints_service_consumers_iam_policy
- - google_endpoints_service_iam_policy
- - google_folder_iam_policy
- - google_gke_backup_backup_plan_iam_policy
- - google_gke_backup_restore_plan_iam_policy
- - google_gke_hub_feature_iam_policy
- - google_gke_hub_membership_iam_policy
- - google_gke_hub_scope_iam_policy
- - google_healthcare_consent_store_iam_policy
- - google_healthcare_dataset_iam_policy
- - google_healthcare_dicom_store_iam_policy
- - google_healthcare_fhir_store_iam_policy
- - google_healthcare_hl7_v2_store_iam_policy
- - google_iap_app_engine_service_iam_policy
- - google_iap_app_engine_version_iam_policy
- - google_iap_tunnel_iam_policy
- - google_iap_tunnel_instance_iam_policy
- - google_iap_web_backend_service_iam_policy
- - google_iap_web_iam_policy
- - google_iap_web_region_backend_service_iam_policy
- - google_iap_web_type_app_engine_iam_policy
- - google_iap_web_type_compute_iam_policy
- - google_kms_crypto_key_iam_policy
- - google_kms_key_ring_iam_policy
- - google_notebooks_instance_iam_policy
- - google_notebooks_runtime_iam_policy
- - google_organization_iam_policy
- - google_privateca_ca_pool_iam_policy
- - google_privateca_certificate_template_iam_policy
- - google_project_iam_policy
- - google_pubsub_subscription_iam_policy
- - google_pubsub_topic_iam_policy
- - google_scc_source_iam_policy
- - google_secret_manager_secret_iam_policy
- - google_service_account_iam_policy
- - google_sourcerepo_repository_iam_policy
- - google_spanner_database_iam_policy
- - google_spanner_instance_iam_policy
- - google_storage_bucket_iam_policy
- - google_tags_tag_key_iam_policy
- - google_tags_tag_value_iam_policy
- attribute: "policy_data"
- operator: "not_regex_match"
- value: ".*user:.*"
- - cond_type: "attribute"
- resource_types:
- - google_access_context_manager_access_policy_iam_member
- - google_apigee_environment_iam_member
- - google_artifact_registry_repository_iam_member
- - google_bigquery_analytics_hub_data_exchange_iam_member
- - google_bigquery_analytics_hub_listing_iam_member
- - google_bigquery_connection_iam_member
- - google_bigquery_datapolicy_data_policy_iam_member
- - google_bigquery_dataset_iam_member
- - google_bigquery_table_iam_member
- - google_bigtable_instance_iam_member
- - google_bigtable_table_iam_member
- - google_billing_account_iam_member
- - google_binary_authorization_attestor_iam_member
- - google_cloud_run_service_iam_member
- - google_cloud_run_v2_job_iam_member
- - google_cloud_run_v2_service_iam_member
- - google_cloud_tasks_queue_iam_member
- - google_cloudbuildv2_connection_iam_member
- - google_cloudfunctions_function_iam_member
- - google_cloudfunctions2_function_iam_member
- - google_compute_disk_iam_member
- - google_compute_image_iam_member
- - google_compute_instance_iam_member
- - google_compute_region_disk_iam_member
- - google_compute_snapshot_iam_member
- - google_compute_subnetwork_iam_member
- - google_container_analysis_note_iam_member
- - google_data_catalog_entry_group_iam_member
- - google_data_catalog_policy_tag_iam_member
- - google_data_catalog_tag_template_iam_member
- - google_data_catalog_taxonomy_iam_member
- - google_data_fusion_instance_iam_member
- - google_dataplex_asset_iam_member
- - google_dataplex_datascan_iam_member
- - google_dataplex_lake_iam_member
- - google_dataplex_task_iam_member
- - google_dataplex_zone_iam_member
- - google_dataproc_autoscaling_policy_iam_member
- - google_dataproc_cluster_iam_member
- - google_dataproc_job_iam_member
- - google_dataproc_metastore_service_iam_member
- - google_dns_managed_zone_iam_member
- - google_endpoints_service_consumers_iam_member
- - google_endpoints_service_iam_member
- - google_folder_iam_member
- - google_gke_backup_backup_plan_iam_member
- - google_gke_backup_restore_plan_iam_member
- - google_gke_hub_feature_iam_member
- - google_gke_hub_membership_iam_member
- - google_gke_hub_scope_iam_member
- - google_healthcare_consent_store_iam_member
- - google_healthcare_dataset_iam_member
- - google_healthcare_dicom_store_iam_member
- - google_healthcare_fhir_store_iam_member
- - google_healthcare_hl7_v2_store_iam_member
- - google_iap_app_engine_service_iam_member
- - google_iap_app_engine_version_iam_member
- - google_iap_tunnel_iam_member
- - google_iap_tunnel_instance_iam_member
- - google_iap_web_backend_service_iam_member
- - google_iap_web_iam_member
- - google_iap_web_region_backend_service_iam_member
- - google_iap_web_type_app_engine_iam_member
- - google_iap_web_type_compute_iam_member
- - google_kms_crypto_key_iam_member
- - google_kms_key_ring_iam_member
- - google_notebooks_instance_iam_member
- - google_notebooks_runtime_iam_member
- - google_organization_iam_member
- - google_privateca_ca_pool_iam_member
- - google_privateca_certificate_template_iam_member
- - google_project_iam_member
- - google_pubsub_subscription_iam_member
- - google_pubsub_topic_iam_member
- - google_scc_source_iam_member
- - google_secret_manager_secret_iam_member
- - google_service_account_iam_member
- - google_sourcerepo_repository_iam_member
- - google_spanner_database_iam_member
- - google_spanner_instance_iam_member
- - google_storage_bucket_iam_member
- - google_tags_tag_key_iam_member
- - google_tags_tag_value_iam_member
- attribute: "member"
- operator: "not_starting_with"
- value: "user:"
- - cond_type: "attribute"
- resource_types:
- - google_access_context_manager_access_policy_iam_binding
- - google_apigee_environment_iam_binding
- - google_artifact_registry_repository_iam_binding
- - google_bigquery_analytics_hub_data_exchange_iam_binding
- - google_bigquery_analytics_hub_listing_iam_binding
- - google_bigquery_connection_iam_binding
- - google_bigquery_datapolicy_data_policy_iam_binding
- - google_bigquery_dataset_iam_binding
- - google_bigquery_table_iam_binding
- - google_bigtable_instance_iam_binding
- - google_bigtable_table_iam_binding
- - google_billing_account_iam_binding
- - google_binary_authorization_attestor_iam_binding
- - google_cloud_run_service_iam_binding
- - google_cloud_run_v2_job_iam_binding
- - google_cloud_run_v2_service_iam_binding
- - google_cloud_tasks_queue_iam_binding
- - google_cloudbuildv2_connection_iam_binding
- - google_cloudfunctions_function_iam_binding
- - google_cloudfunctions2_function_iam_binding
- - google_compute_disk_iam_binding
- - google_compute_image_iam_binding
- - google_compute_instance_iam_binding
- - google_compute_region_disk_iam_binding
- - google_compute_snapshot_iam_binding
- - google_compute_subnetwork_iam_binding
- - google_container_analysis_note_iam_binding
- - google_data_catalog_entry_group_iam_binding
- - google_data_catalog_policy_tag_iam_binding
- - google_data_catalog_tag_template_iam_binding
- - google_data_catalog_taxonomy_iam_binding
- - google_data_fusion_instance_iam_binding
- - google_dataplex_asset_iam_binding
- - google_dataplex_datascan_iam_binding
- - google_dataplex_lake_iam_binding
- - google_dataplex_task_iam_binding
- - google_dataplex_zone_iam_binding
- - google_dataproc_autoscaling_policy_iam_binding
- - google_dataproc_cluster_iam_binding
- - google_dataproc_job_iam_binding
- - google_dataproc_metastore_service_iam_binding
- - google_dns_managed_zone_iam_binding
- - google_endpoints_service_consumers_iam_binding
- - google_endpoints_service_iam_binding
- - google_folder_iam_binding
- - google_gke_backup_backup_plan_iam_binding
- - google_gke_backup_restore_plan_iam_binding
- - google_gke_hub_feature_iam_binding
- - google_gke_hub_membership_iam_binding
- - google_gke_hub_scope_iam_binding
- - google_healthcare_consent_store_iam_binding
- - google_healthcare_dataset_iam_binding
- - google_healthcare_dicom_store_iam_binding
- - google_healthcare_fhir_store_iam_binding
- - google_healthcare_hl7_v2_store_iam_binding
- - google_iap_app_engine_service_iam_binding
- - google_iap_app_engine_version_iam_binding
- - google_iap_tunnel_iam_binding
- - google_iap_tunnel_instance_iam_binding
- - google_iap_web_backend_service_iam_binding
- - google_iap_web_iam_binding
- - google_iap_web_region_backend_service_iam_binding
- - google_iap_web_type_app_engine_iam_binding
- - google_iap_web_type_compute_iam_binding
- - google_kms_crypto_key_iam_binding
- - google_kms_key_ring_iam_binding
- - google_notebooks_instance_iam_binding
- - google_notebooks_runtime_iam_binding
- - google_organization_iam_binding
- - google_privateca_ca_pool_iam_binding
- - google_privateca_certificate_template_iam_binding
- - google_project_iam_binding
- - google_pubsub_subscription_iam_binding
- - google_pubsub_topic_iam_binding
- - google_scc_source_iam_binding
- - google_secret_manager_secret_iam_binding
- - google_service_account_iam_binding
- - google_sourcerepo_repository_iam_binding
- - google_spanner_database_iam_binding
- - google_spanner_instance_iam_binding
- - google_storage_bucket_iam_binding
- - google_tags_tag_key_iam_binding
- - google_tags_tag_value_iam_binding
- attribute: "members[?(@ =~ '(?i)^user:')]"
- operator: "jsonpath_not_exists"
\ No newline at end of file
+ - google_compute_network
+ connected_resource_types:
+ - google_compute_firewall
\ No newline at end of file
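Review bot: The `cond_type: connection` / `operator: exists` condition at the end of the hunk only requires that some google_compute_firewall reference the network; it never looks at what that firewall permits, so the "does not use the default firewall" half of the name is satisfied by a single arbitrarily permissive rule, and readers should understand the check as "network has at least one explicit firewall attached". I would make that scope explicit with a comment above `definition:`, e.g. `# Passes when at least one google_compute_firewall targets the network; what the rules allow is not evaluated here`. The removed version also carried `scope: provider: gcp`, which the new metadata drops; if the loader uses that key to restrict the check to the GCP provider it should be kept, so worth confirming against the sibling checks in this directory. The new side still ends without a trailing newline (`\ No newline at end of file` after `- google_compute_firewall`), which the old version already lacked; since the file is being rewritten wholesale this is the moment to add one, and to settle on one quoting convention rather than mixing quoted metadata values with plain `cond_type: filter`.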