Ensure that 'always allow' evaluation mode is restricted for Google Binary Authorization Policy

MEDIUM

Description

Container platforms within Google Cloud can use a Binary Authorization Policy, which enforces software supply chain controls on the container images that are deployed. This helps protect environments by reducing the risk of running unauthorized, vulnerable or malicious software. As with many policies, there is a default rule that can be configured with several different evaluation modes. It is best practice to ensure that the default rule is not set to 'always allow', since that mode admits every image and the policy then enforces nothing. To learn more, see the GCP documentation.
References:
https://cloud.google.com/binary-authorization/docs/overview

Remediation

In GCP Console -

  1. Open the GCP Console and go to Binary Authorization.
  2. Click on Edit policy.
  3. In the Default rule, select Require attestations.
  4. Click Save Policy.

In Terraform -

  1. In the resource google_binary_authorization_policy, ensure that default_admission_rule.evaluation_mode is set to REQUIRE_ATTESTATION.
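
The following Terraform fragment is an added example for this page, not code taken from the policy or from Google's documentation. It shows the flagged configuration (default rule set to ALWAYS_ALLOW) alongside a corrected one whose default rule requires an attestation. The note and attestor names are assumptions chosen for the example; REQUIRE_ATTESTATION is only meaningful when require_attestations_by names at least one attestor, so the attestor and its Container Analysis note are included.

```hcl
# Added example (not from the policy page): flagged setting beside the hardened one.
# The two policy resources are shown side by side for comparison only; a project
# has a single Binary Authorization policy, so only one of them would exist.

# --- Flagged: the default rule admits any image, so the policy enforces nothing ---
resource "google_binary_authorization_policy" "weak" {
  default_admission_rule {
    evaluation_mode  = "ALWAYS_ALLOW"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }
}

# --- Hardened: the default rule requires a signed attestation from a named attestor ---

# Container Analysis note that the attestor is bound to (name is an assumption).
resource "google_container_analysis_note" "build_note" {
  name = "example-build-attestation-note"
  attestation_authority {
    hint {
      human_readable_name = "Example CI build attestor"
    }
  }
}

# Attestor whose signatures the default rule will require (name is an assumption).
resource "google_binary_authorization_attestor" "build_attestor" {
  name = "example-build-attestor"
  attestation_authority_note {
    note_reference = google_container_analysis_note.build_note.name
  }
}

resource "google_binary_authorization_policy" "hardened" {
  # Optional: admit Google-managed system images without attestation.
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }

  default_admission_rule {
    # Images must carry an attestation from the listed attestor(s) to be admitted.
    evaluation_mode         = "REQUIRE_ATTESTATION"
    # Block non-compliant deployments and log them; DRYRUN_AUDIT_LOG_ONLY would only log.
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = [google_binary_authorization_attestor.build_attestor.name]
  }
}
```

When reviewing an existing configuration, check the enforcement_mode as well as the evaluation_mode: a default rule set to REQUIRE_ATTESTATION with enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY" satisfies the check above but still admits unattested images, only writing an audit log entry for each one.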

References:
https://cloud.google.com/binary-authorization/docs/setting-up
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/binary_authorization_policy#evaluation_mode

Policy Details

Rule Reference ID: AC_GCP_0269
CSP: GCP
Remediation Available: Yes
Resource Category: Compute

Frameworks