Access Approval Not Enabled in GCP Projects
ID: gcloud-access-approval-not-enabled
Severity: high
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,google-cloud-platform,gcp-cloud-config
Description
Section titled “Description”Ensure that Access Approval is enabled within your Google Cloud Platform (GCP) account to allow your explicit approval whenever Google personnel need to access your GCP projects. Once enabled, you can delegate users within your organization to approve access requests through IAM. Requests will show the requester’s name/ID via email or Pub/Sub message for approval.
YAML Source
Section titled “YAML Source”id: gcloud-access-approval-not-enabled
info: name: Access Approval Not Enabled in GCP Projects author: princechaddha severity: high description: | Ensure that Access Approval is enabled within your Google Cloud Platform (GCP) account to allow your explicit approval whenever Google personnel need to access your GCP projects. Once enabled, you can delegate users within your organization to approve access requests through IAM. Requests will show the requester's name/ID via email or Pub/Sub message for approval. impact: | If Access Approval is not enabled, unauthorized access by Google personnel may occur without your knowledge, leading to potential security risks and data breaches. remediation: | Enable Access Approval in your GCP projects to create a new control and logging layer that reveals who in your organization approved or denied access requests. reference: - https://cloud.google.com/access-approval/docs/quickstart tags: cloud,devops,gcp,gcloud,google-cloud-platform,gcp-cloud-config
flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) }
self-contained: true
code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)"
extractors: - type: json name: projectIds internal: true json: - '.[].projectId'
- engine: - sh - bash source: | gcloud access-approval settings get --project $projectId --format="json(enrolledServices)"
matchers: - type: word words: - 'null'
extractors: - type: dsl dsl: - '"Access Approval not enabled in Project: " + projectId'# digest: 4b0a0048304602210090096c58b936c5d0b3cdc8ddfe448f87c8813c9a16ea0f2307ab29e0b1627b11022100ebaf5d8d37861aa286f40720b9681596e0cf50ac847b020012a559e676e8b384:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/iam/gcloud-access-approval-not-enabled.yaml"