Minimize the Use of Primitive Roles

ID: gcloud-iam-primitive-roles

Severity: medium

Author: princechaddha

Tags: cloud,devops,gcp,gcloud,google-cloud-iam,gcp-cloud-config

Description

For production and security-critical cloud environments, limit the use of primitive roles such as “Owner”, “Editor”, and “Viewer” for Cloud IAM members. Instead, grant predefined roles to these IAM members to allow the least-permissive access required to perform their tasks (i.e., Principle of Least Privilege – POLP).

YAML Source

id: gcloud-iam-primitive-roles

info:
  name: Minimize the Use of Primitive Roles
  author: princechaddha
  severity: medium
  description: |
    For production and security-critical cloud environments, limit the use of primitive roles such as "Owner", "Editor", and "Viewer" for Cloud IAM members. Instead, grant predefined roles to these IAM members to allow the least-permissive access required to perform their tasks (i.e., Principle of Least Privilege – POLP).
  impact: |
    Using primitive roles can lead to overly broad access and potential security vulnerabilities, as these roles can grant extensive permissions across a wide range of resources.
  remediation: |
    Replace primitive roles with predefined or custom roles tailored to the specific needs of the users and the minimum permissions they require to perform their tasks.
  reference:
    - https://cloud.google.com/iam/docs/understanding-roles
  tags: cloud,devops,gcp,gcloud,google-cloud-iam,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let binding of iterate(template.bindings)){
      set("binding", binding)
      javascript(1)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud projects get-iam-policy $projectId --format=json

    extractors:
      - type: json
        name: bindings
        internal: true
        json:
          - '.bindings[]'

javascript:
  - code: |
      let binding = JSON.parse(template.binding);
      let role = binding.role;
      let members = binding.members.join(", ");
      let projectId = template.projectId;
      let primitiveRoles = ["roles/owner", "roles/editor", "roles/viewer"];
      if (primitiveRoles.includes(role)) {
        Export("Primitive role " + role + " used by members " + members + " in Project " + projectId);
      }

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a0047304502205cf38271366363518d970f52193b701bfdc523d4c6f168904610c6a2f989a1a8022100ba66f34ff86fbb9934c0bf144f8ea021d9ada3ba99c0cb29f5847ef4e3f3996d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "cloud/gcp/iam/gcloud-iam-primitive-roles.yaml"

View on Github