
Comments (1)

rajlearner17 commented on June 3, 2024

@ResonanceSecurity Thanks for using Steampipe and helping with this finding.

The fix is applied in this PR

Attaching the query here to give it a try at your end and share feedback with us.

  -- Per project, collect every 'user:' principal and the set of roles bound to it.
  with users_with_roles as (
    select
      distinct split_part(member_entity, ':', 2) as user_name,
      project,
      _ctx,
      array_agg(distinct p ->> 'role') as assigned_roles
    from
      gcp_iam_policy,
      jsonb_array_elements(bindings) as p,
      jsonb_array_elements_text(p -> 'members') as member_entity
    where
      split_part(member_entity, ':', 1) = 'user'
    group by
      user_name,
      project,
      _ctx
  ),
  -- Users holding the KMS admin role together with at least one encrypter/decrypter role.
  kms_roles_users as (
    select
      user_name,
      project,
      assigned_roles
    from
      users_with_roles
    where
      'roles/cloudkms.admin' = any(assigned_roles)
      and assigned_roles && array['roles/cloudkms.cryptoKeyEncrypterDecrypter', 'roles/cloudkms.cryptoKeyEncrypter', 'roles/cloudkms.cryptoKeyDecrypter']
  )
  -- One row per user; only users present in kms_roles_users raise an alarm.
  select
    distinct r.user_name as resource,
    case
      when 'roles/cloudkms.admin' = any(r.assigned_roles) and k.user_name is null then 'ok'
      when k.user_name is not null then 'alarm'
      else 'ok'
    end as status,
    case
      when 'roles/cloudkms.admin' = any(r.assigned_roles) and k.user_name is null then r.user_name || ' assigned only with KMS admin role.'
      when k.user_name is not null then r.user_name || ' assigned with roles/cloudkms.admin, ' ||
        concat_ws(', ',
          case when 'roles/cloudkms.cryptoKeyEncrypterDecrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyEncrypterDecrypter' end,
          case when 'roles/cloudkms.cryptoKeyEncrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyEncrypter' end,
          case when 'roles/cloudkms.cryptoKeyDecrypter' = any(r.assigned_roles) then 'roles/cloudkms.cryptoKeyDecrypter' end
          ) || ' KMS role(s).'
      else r.user_name || ' not assigned with KMS admin and additional encrypter/decrypter roles.'
    end as reason
    --${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "r.")}
  from
    users_with_roles as r
    left join kms_roles_users as k on k.user_name = r.user_name and k.project = r.project

CC @khushboo9024

from steampipe-mod-gcp-compliance.
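To show what the control above computes without a Steampipe connection, here is an added Python re-implementation of the same separation-of-duties check run over a constructed project IAM policy; it is not code from the mod or from the commenter, and the project name and principals are made up.

```python
from collections import defaultdict

KMS_ADMIN = "roles/cloudkms.admin"
# Same order the query's concat_ws uses when listing the extra roles.
KMS_CRYPTO_ROLES = (
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
)

def users_with_roles(project, bindings):
    """Mirror of the users_with_roles CTE: (user, project) -> set of roles.
    Only 'user:' members count; serviceAccount:/group:/domain: members are skipped."""
    roles = defaultdict(set)
    for binding in bindings:
        for member in binding.get("members", []):
            kind, _, name = member.partition(":")
            if kind == "user":
                roles[(name, project)].add(binding["role"])
    return roles

def evaluate(project, bindings):
    """One (resource, status, reason) row per user, as the control reports it."""
    rows = []
    for (user, _), assigned in sorted(users_with_roles(project, bindings).items()):
        extra = [r for r in KMS_CRYPTO_ROLES if r in assigned]
        if KMS_ADMIN in assigned and extra:
            status, reason = "alarm", f"{user} assigned with {KMS_ADMIN}, {', '.join(extra)} KMS role(s)."
        elif KMS_ADMIN in assigned:
            status, reason = "ok", f"{user} assigned only with KMS admin role."
        else:
            status, reason = "ok", f"{user} not assigned with KMS admin and additional encrypter/decrypter roles."
        rows.append((user, status, reason))
    return rows

# Constructed sample policy (made-up principals), in the bindings shape gcp_iam_policy exposes.
SAMPLE_BINDINGS = [
    {"role": "roles/cloudkms.admin",
     "members": ["user:alice@example.com", "user:bob@example.com",
                 "serviceAccount:kms-sa@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:alice@example.com", "group:devs@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyDecrypter", "members": ["user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["user:carol@example.com"]},
]

if __name__ == "__main__":
    for user, status, reason in evaluate("example-proj", SAMPLE_BINDINGS):
        print(f"{status:5} {reason}")
```

Only alice, who holds the admin role plus two crypto roles, is reported as alarm; the service account and group members are ignored just as the query's `split_part(member_entity, ':', 1) = 'user'` filter ignores them.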
