5.1.2 Minimize user access to Container Image repositories

Information

Note: GCR is now deprecated, see the references for more details.

Restrict user access to GCR or AR, limiting interaction with build images to only authorized personnel and service accounts.

Rationale:

Weak access control to GCR or AR may allow malicious users to replace built images with vulnerable or back-doored containers.

Impact:

Care should be taken not to remove access to GCR or AR for accounts that require this for their operation. Any account granted the Storage Object Viewer role at the project level can view all objects stored in GCS for the project.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

For Images Hosted in AR:

Using Google Cloud Console:

Go to Artifacts Browser by visiting https://console.cloud.google.com/artifacts

From the list of artifacts select each repository with format Docker

Under the Permissions tab, modify the roles for each member and ensure only authorized users have the Artifact Registry Administrator, Artifact Registry Reader, Artifact Registry Repository Administrator and Artifact Registry Writer roles.

Using Command Line:

gcloud artifacts repositories set-iam-policy <repository-name> <path-to-policy-file> --location <repository-location>

To learn how to configure policy files see: https://cloud.google.com/artifact-registry/docs/access-control#grant

For Images Hosted in GCR:

Using Google Cloud Console:

To modify roles granted at the GCR bucket level:

Go to Storage Browser by visiting: https://console.cloud.google.com/storage/browser.

From the list of storage buckets, select artifacts.<project_id>.appspot.com for the GCR bucket

Under the Permissions tab, modify permissions of the identified member via the drop-down role menu and change the Role to Storage Object Viewer for read-only access.

For a User or Service account with Project level permissions inherited by the GCR bucket, or the Service Account User Role:

Go to IAM by visiting: https://console.cloud.google.com/iam-admin/iam

Find the User or Service account to be modified and click on the corresponding pencil icon.

Remove the create/modify role (Storage Admin / Storage Object Admin / Storage Object Creator / Service Account User) on the user or service account.

If required, add the Storage Object Viewer role; note with caution that this permits the account to view all objects stored in GCS for the project.

Using Command Line:
To change roles at the GCR bucket level:
Firstly, run the following if read permissions are required:

gsutil iam ch <type>:<email_address>:objectViewer gs://artifacts.<project_id>.appspot.com

Then remove the excessively privileged role (Storage Admin / Storage Object Admin / Storage Object Creator) using:

gsutil iam ch -d <type>:<email_address>:<role> gs://artifacts.<project_id>.appspot.com

where:

<type> can be one of the following:

user, if the <email_address> is a Google account.

serviceAccount, if <email_address> specifies a Service account.

<email_address> can be one of the following:

a Google account (for example, [email protected]).

a Cloud IAM service account.

To modify roles defined at the project level and subsequently inherited within the GCR bucket, or the Service Account User role, extract the IAM policy file, modify it accordingly and apply it using:

gcloud projects set-iam-policy <project_id> <policy_file>
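As an added illustration, not part of the CIS benchmark or the Tenable audit, the following Python check applies the role lists from both procedures above to an exported IAM policy: feed it the JSON from gcloud artifacts repositories get-iam-policy <repository-name> --location <repository-location> --format=json for an AR repository, or from gsutil iam get gs://artifacts.<project_id>.appspot.com for the GCR bucket. The allow-list of authorized principals, the sample policy and its project id are constructed assumptions; the cleaned policy it returns is what you would save to the policy file passed to set-iam-policy.

```python
# Roles this control treats as image-creating/modifying, for AR repositories
# and the GCR bucket alike (standard GCP predefined role ids).
WRITE_ROLES = {
    "roles/artifactregistry.admin", "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.writer", "roles/storage.admin",
    "roles/storage.objectAdmin", "roles/storage.objectCreator",
    "roles/iam.serviceAccountUser",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def find_unauthorized(policy, authorized):
    """Sorted (member, role) pairs that violate the control: a write role held by
    a member outside `authorized`, or any role granted to a public principal.
    `policy` is parsed JSON from `gcloud ... get-iam-policy --format=json` or
    `gsutil iam get`; both use the same {"bindings": [...]} shape."""
    findings = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS or (
                    binding["role"] in WRITE_ROLES and member not in authorized):
                findings.add((member, binding["role"]))
    return sorted(findings)

def strip_unauthorized(policy, authorized):
    """Copy of `policy` with each violating grant removed and the etag kept so
    set-iam-policy can detect a concurrent edit. Bindings carrying an IAM
    condition are left untouched for manual review rather than rewritten."""
    bad = set(find_unauthorized(policy, authorized))
    fixed = {k: v for k, v in policy.items() if k != "bindings"}
    fixed["bindings"] = []
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            fixed["bindings"].append(binding)
            continue
        keep = [m for m in binding.get("members", []) if (m, binding["role"]) not in bad]
        if keep:
            fixed["bindings"].append({"role": binding["role"], "members": keep})
    return fixed

# Constructed sample policy; the project id and principals are not real.
SAMPLE_POLICY = {"etag": "BwXconstructed=", "bindings": [
    {"role": "roles/artifactregistry.reader",
     "members": ["serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/artifactregistry.writer",
     "members": ["serviceAccount:ci-builder@example-project.iam.gserviceaccount.com",
                 "user:intern@example.com"]},
    {"role": "roles/artifactregistry.admin", "members": ["group:platform-admins@example.com"]},
]}
AUTHORIZED = {"serviceAccount:ci-builder@example-project.iam.gserviceaccount.com",
              "group:platform-admins@example.com"}
```

Running find_unauthorized(SAMPLE_POLICY, AUTHORIZED) flags the intern's writer grant, and json.dumps(strip_unauthorized(SAMPLE_POLICY, AUTHORIZED)) yields the policy file with that grant removed and the read-only and authorized bindings intact.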

Default Value:

By default, GCR is disabled and access controls are set during initialisation.

See Also

https://workbench.cisecurity.org/benchmarks/13178

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: GCP

Control ID: 01958e20ed2862a53e44e1ed0083856a825507490defdc099d7a0ad1ce215a9f