Expand google_project_iam_binding to expose conditional level access properties on the role
Detailed Description
In order to support project-level issue investigation, condition-bound access would be granted to roles.
The members of this role would be one or more users (internal/external).
We require the capability to be able to test the presence of any conditions and their properties.
Context
Having this capability will further enhance the security posture of the platform.
Possible Implementation
Are there other places you would like to use conditions? I can't currently implement it on every resource, as it is only supported on a subset of GCP resources: https://cloud.google.com/iam/docs/conditions-overview
I'll get this added for projects.
FYI, my current implementation is going to have an optional condition object passed to the *iam_binding resource that will match the fields in the condition returned by the API.
For example, you could make a control like:
```ruby
describe google_project_iam_binding(project: 'your-project', role: "roles/browser") do
  it { should exist }
end
```
which would only match bindings without any condition.
You can also do:
```ruby
describe google_project_iam_binding(project: 'your-project', role: "roles/browser", condition: { title: "my title" }) do
  it { should exist }
end
```
which will match any condition with the title "my title" for that role. You could additionally specify `expression` or `description` if desired.
Does that sound like it would work for your use case?
Hi @slevenick
Let's stick with Projects for now (other potential places could be Folder and Org level; essentially I want to report on the condition wherever it can be placed).
In my use case, I will be scanning multiple projects every 8 hours using the same InSpec profile and will not know if any conditions have been set beforehand.
So I want to check each iam_binding and report on the condition if it exists.
If I use this style:
```ruby
describe google_project_iam_binding(project: 'your-project', role: "roles/browser", condition: { title: "my title" }) do
  it { should exist }
end
```
Can I use a regex for the title e.g. '.*' ?
I want to match bindings with and without a condition (without specifying any of the condition attributes).
The downside to using a wildcard is that it could potentially return multiple bindings that match, and there isn't a good way using a _iam_binding resource to differentiate between them.
I think the best way to go here would be to use the _iam_policy resource, iterate over each binding within that and check if it has a condition. I'm adding support for conditions to the iam_policy resources so this is possible.
A potential control could look like:
```ruby
google_project_iam_policy(project: 'your-project').bindings.each do |binding|
  describe binding do
    # Make sure no binding has a condition
    its('condition.expression') { should be nil }
  end
end
```
Does that look like what you want?
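The following is an added Ruby example, not code from this issue or from the inspec-gcp resources, that mirrors the two matching styles discussed above (match a single binding by role and optional condition fields, or iterate every binding in the policy and report whether it carries a condition) on a constructed `getIamPolicy` response. The policy JSON, project, members, condition titles and the helper names (`parse_bindings`, `select_bindings`, `condition_report`) are all assumptions made for the example; in a real scan the bindings would come from the `google_project_iam_policy` resource rather than a string.

```ruby
require 'json'

# Constructed sample getIamPolicy response; not a real project's policy.
# Single-quoted heredoc so the escaped quotes inside the CEL expressions
# survive as JSON.
SAMPLE_POLICY_JSON = <<~'JSON'
  {
    "version": 3,
    "etag": "BwWexampleEtag=",
    "bindings": [
      { "role": "roles/browser",
        "members": ["user:alice@example.com", "group:sre@example.com"] },
      { "role": "roles/browser",
        "members": ["user:contractor@example.org"],
        "condition": {
          "title": "incident-4711",
          "description": "temporary read access for an issue investigation",
          "expression": "request.time < timestamp(\"2020-03-01T00:00:00Z\")"
        } },
      { "role": "roles/viewer",
        "members": ["user:bob@example.com"],
        "condition": {
          "title": "my title",
          "expression": "resource.name.startsWith(\"projects/_/buckets/logs\")"
        } }
    ]
  }
JSON

# Parse the policy and return its bindings as symbol-keyed hashes.
def parse_bindings(policy_json)
  JSON.parse(policy_json, symbolize_names: true).fetch(:bindings, [])
end

# A binding is conditional when the API returned a condition object on it.
def conditional?(binding)
  !binding[:condition].nil?
end

# Compare one condition field against the wanted value; a Regexp is
# allowed so a title can be matched with a pattern such as /.*/.
def field_matches?(actual, want)
  return false if actual.nil?
  want.is_a?(Regexp) ? want.match?(actual) : want == actual
end

# Bindings for one role, filtered the way the *_iam_binding resource does:
#   condition: nil              -> every binding for the role, with or without a condition
#   condition: {}               -> only bindings that carry no condition
#   condition: { title: "x" }   -> only bindings whose condition matches every given field
# Unlike a single-binding resource this returns all matches, which is the
# ambiguity the thread points out for wildcard titles.
def select_bindings(bindings, role:, condition: nil)
  bindings.select do |b|
    next false unless b[:role] == role
    next true if condition.nil?
    next !conditional?(b) if condition.empty?
    next false unless conditional?(b)
    condition.all? { |field, want| field_matches?(b[:condition][field], want) }
  end
end

# One line per binding, reporting the condition properties where present.
def condition_report(bindings)
  bindings.map do |b|
    line = "#{b[:role]} -> #{b[:members].join(', ')}"
    if conditional?(b)
      c = b[:condition]
      line += " [condition title=#{c[:title].inspect} expression=#{c[:expression].inspect}"
      line += " description=#{c[:description].inspect}" if c[:description]
      line += ']'
    else
      line += ' [no condition]'
    end
    line
  end
end

if $PROGRAM_NAME == __FILE__
  bindings = parse_bindings(SAMPLE_POLICY_JSON)
  puts condition_report(bindings)
  puts "conditional bindings: #{bindings.count { |b| conditional?(b) }}"
end
```

`select_bindings(..., condition: {})` reproduces the "no condition specified" case of the binding resource, and `condition: { title: /.*/ }` shows why a wildcard is awkward there: it can return more than one binding for the same role, while `condition_report` over all bindings gives the per-binding view the policy-level control in the thread is based on.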
Hi @slevenick , Yes that looks perfect.
Thanks.