Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CIS 4.01: Ensure that instances are not configured to use the default… #244

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

CIS 4.01: Ensure that instances are not configured to use the default… #244

wants to merge 2 commits into from

Conversation

charliewolf
Copy link
Contributor

… service account with full access to all Cloud APIs

@charliewolf
CIS 4.01: Ensure that instances are not configured to use the default…
c6a0c8e 
… service account with full access to all Cloud APIs
katze120
katze120 reviewed Jan 6, 2020
View reviewed changes
validator/compute_default_service_account.rego

scope == "https://www.googleapis.com/auth/cloud-platform"

message := sprintf("Instance %v has default service account with full access to all Cloud APIs.", [asset.name])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this block only checks scope but not service account

Suggest to add re_match("[email protected]$", service_account.email) to check for default compute engine service account

If we use custom service account, scope will always be full scope, which is actually recommended: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the recommendation! @charliewolf what do you think about this strategy?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joecheuk So in my test CAI data i was not seeing service accounts with names like that. @katze120 Do you have an example asset JSON you could share?

@dekuhn dekuhn requested review from gkowalski-google and removed request for joecheuk February 19, 2020 19:24
@dekuhn
Copy link
Contributor

dekuhn commented Feb 24, 2020

@katze120 or @gkowalski-google can you help with data needed by Charlie base on the code review feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joecheuk joecheuk joecheuk left review comments

@katze120 katze120 katze120 left review comments

@AdrienWalkowiak AdrienWalkowiak Awaiting requested review from AdrienWalkowiak

@briantkennedy briantkennedy Awaiting requested review from briantkennedy

@morgante morgante Awaiting requested review from morgante

@t12g t12g Awaiting requested review from t12g

@gkowalski-google gkowalski-google Awaiting requested review from gkowalski-google

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@charliewolf @dekuhn @katze120 @joecheuk @googlebot