Comments (1)
@ResonanceSecurity Thanks for using Steampipe and helping with this finding.
The fix is applied in this PR
Attaching the query here to give it a try at your end and share feedback with us.
-- Step 1: flatten every IAM binding into (user, project) rows and collect
-- the set of roles each user holds in that project.
with users_with_roles as (
  select
    distinct split_part(member_entity, ':', 2) as user_name,
    project,
    _ctx,
    array_agg(distinct p ->> 'role') as assigned_roles
  from
    gcp_iam_policy,
    jsonb_array_elements(bindings) as p,
    jsonb_array_elements_text(p -> 'members') as member_entity
  where
    -- only 'user:' members are evaluated; serviceAccount/group members are skipped
    split_part(member_entity, ':', 1) = 'user'
  group by
    user_name,
    project,
    _ctx
),
-- Step 2: users who hold roles/cloudkms.admin AND at least one of the
-- encrypter/decrypter roles in the same project (the separation-of-duties violation).
kms_roles_users as (
  select
    user_name,
    project,
    assigned_roles
  from
    users_with_roles
  where
    'roles/cloudkms.admin' = any(assigned_roles)
    and assigned_roles && array['roles/cloudkms.cryptoKeyEncrypterDecrypter', 'roles/cloudkms.cryptoKeyEncrypter', 'roles/cloudkms.cryptoKeyDecrypter']
)
-- Step 3: report every user; alarm only when the user appears in kms_roles_users.
select
  distinct r.user_name as resource,
  case
    when 'roles/cloudkms.admin' = any(r.assigned_roles) and k.user_name is null then 'ok'
    when k.user_name is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when 'roles/cloudkms.admin' = any(r.assigned_roles) and k.user_name is null then r.user_name || ' assigned only with KMS admin role.'
    when k.user_name is not null then r.user_name || ' assigned with roles/cloudkms.admin, ' ||
      concat_ws(', ',
        case when 'roles/cloudkms.cryptoKeyEncrypterDecrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyEncrypterDecrypter' end,
        case when 'roles/cloudkms.cryptoKeyEncrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyEncrypter' end,
        case when 'roles/cloudkms.cryptoKeyDecrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyDecrypter' end
      ) || ' KMS role(s).'
    else r.user_name || ' not assigned with KMS admin and additional encrypter/decrypter roles.'
  end as reason
  -- common dimensions are injected by the mod template; commented out so the query runs stand-alone
  --${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "r.")}
from
  users_with_roles as r
  left join kms_roles_users as k on k.user_name = r.user_name and k.project = r.project
from steampipe-mod-gcp-compliance.
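To exercise the check without a GCP connection, the following is an added example (not code from the PR above or from steampipe-mod-gcp-compliance). It builds a constructed stand-in for the `gcp_iam_policy` table in plain PostgreSQL and runs the same separation-of-duties logic over it; the `demo-project` name, the example.com identities and the fixture bindings are all made up, and the `_ctx` column and the commented mod-dimension line are dropped since they only matter inside Steampipe. The fixture goes slightly beyond the query above by including a service account that holds admin plus decrypter rights, to show what the `user` member filter does with non-user principals.

```sql
-- Constructed fixture standing in for Steampipe's gcp_iam_policy table
-- (assumption: only the project and bindings columns are needed by the check).
create temp table gcp_iam_policy (
  project  text,
  bindings jsonb
);

insert into gcp_iam_policy (project, bindings) values
  ('demo-project',
   '[
     {"role": "roles/cloudkms.admin",
      "members": ["user:alice@example.com",
                  "user:bob@example.com",
                  "serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
     {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
      "members": ["user:bob@example.com", "user:carol@example.com"]},
     {"role": "roles/cloudkms.cryptoKeyDecrypter",
      "members": ["serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
     {"role": "roles/viewer",
      "members": ["user:dave@example.com"]}
   ]'::jsonb);

-- Step 1: one row per (user, project) with the aggregated role set.
with users_with_roles as (
  select
    split_part(member_entity, ':', 2) as user_name,
    project,
    array_agg(distinct p ->> 'role') as assigned_roles
  from
    gcp_iam_policy,
    jsonb_array_elements(bindings) as p,
    jsonb_array_elements_text(p -> 'members') as member_entity
  where
    -- same predicate as the mod query: only 'user:' principals are evaluated
    split_part(member_entity, ':', 1) = 'user'
  group by
    user_name, project
),
-- Step 2: users holding KMS admin together with any encrypt/decrypt role.
kms_roles_users as (
  select user_name, project
  from users_with_roles
  where
    'roles/cloudkms.admin' = any(assigned_roles)
    and assigned_roles && array[
      'roles/cloudkms.cryptoKeyEncrypterDecrypter',
      'roles/cloudkms.cryptoKeyEncrypter',
      'roles/cloudkms.cryptoKeyDecrypter'
    ]
)
-- Step 3: status per user; alarm only for the separation-of-duties violation.
select
  r.user_name as resource,
  r.project,
  case when k.user_name is not null then 'alarm' else 'ok' end as status,
  case
    when k.user_name is not null then
      r.user_name || ' assigned with roles/cloudkms.admin, ' ||
      concat_ws(', ',
        case when 'roles/cloudkms.cryptoKeyEncrypterDecrypter' = any(r.assigned_roles)
             then 'roles/cloudkms.cryptoKeyEncrypterDecrypter' end,
        case when 'roles/cloudkms.cryptoKeyEncrypter' = any(r.assigned_roles)
             then 'roles/cloudkms.cryptoKeyEncrypter' end,
        case when 'roles/cloudkms.cryptoKeyDecrypter' = any(r.assigned_roles)
             then 'roles/cloudkms.cryptoKeyDecrypter' end
      ) || ' KMS role(s).'
    when 'roles/cloudkms.admin' = any(r.assigned_roles) then
      r.user_name || ' assigned only with KMS admin role.'
    else
      r.user_name || ' not assigned with KMS admin and additional encrypter/decrypter roles.'
  end as reason
from users_with_roles as r
left join kms_roles_users as k
  on k.user_name = r.user_name and k.project = r.project
order by r.user_name;
```

Run in `psql` against any PostgreSQL database. With this fixture, `bob@example.com` is the only `alarm` row (admin plus cryptoKeyEncrypterDecrypter); `alice@example.com` is `ok` with admin only, and `carol@example.com` and `dave@example.com` are `ok` because they hold no admin role. The CI service account, which also combines admin with a decrypter role, never appears in the output: `split_part(member_entity, ':', 1) = 'user'` keeps only `user:` members, so service accounts and groups are outside the scope of this control as written and would need that predicate widened if they are in scope for your environment.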