Ensure there are no publicly accessible Cloud Run services available within your Google Cloud Platform (GCP) project. Cloud Run services have Identity and Access Management (IAM) policies configured to determine who can have access to these resources. To refuse access from anonymous and/or public users, remove the bindings for the "allUsers" members from the IAM policy associated with your cloud resource. "allUsers" is a special member identifier that represents any user on the Internet, including authenticated and unauthenticated users.
Granting permissions to "allUsers" members can allow anyone on the Internet to access your Cloud Run services. Google Cloud best practices involve a thorough assessment of access control methods, the establishment of authentication and authorization protocols, and the limitation of entry to approved users or designated IP ranges. By following secure procedures and the principle of least privilege, you can ensure that your Cloud Run service remains accessible exclusively to its intended users. Your Cloud Run services must be explicitly configured to allow external requests, ensuring controlled and secure access.
Audit
To determine if there are any publicly accessible Cloud Run services available within your Google Cloud project, perform the following actions:
Remediation / Resolution
To restrict anonymous and/or public access to your Cloud Run service by removing all "allUsers" member bindings from the IAM policy associated with the service, perform the following actions:
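An added example (not from the original page or from Conformity) that serves both the audit and the remediation passages above: it scans IAM policies, in the JSON form printed by `gcloud run services get-iam-policy`, for public members and builds the matching `gcloud run services remove-iam-policy-binding` commands. The service names, region and policies are constructed, and treating `allAuthenticatedUsers` as public is an assumption that goes beyond the page's `allUsers` check.

```python
import json
import shlex

# "allUsers" is the identifier the page targets. "allAuthenticatedUsers" (any
# signed-in Google account) is added here as an assumption about audit scope.
PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")

# Constructed sample: per-service policies in the JSON shape printed by
# `gcloud run services get-iam-policy SERVICE --region REGION --format=json`.
SAMPLE_POLICIES = json.loads("""
{
  "checkout-api": {"bindings": [
    {"role": "roles/run.invoker", "members": ["allUsers"]},
    {"role": "roles/run.admin", "members": ["user:ops@example.com"]}]},
  "internal-worker": {"bindings": [
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:scheduler@example-project.iam.gserviceaccount.com"]}]},
  "no-policy-yet": {"etag": "constructed"}
}
""")

def public_bindings(policy, members=PUBLIC_MEMBERS):
    """Return (role, member) pairs that grant a role to a public identifier."""
    return [(b.get("role"), m)
            for b in policy.get("bindings", [])   # a policy may have no bindings key
            for m in b.get("members", [])
            if m in members]

def audit(policies, members=PUBLIC_MEMBERS):
    """Map each publicly accessible service name to its offending bindings."""
    report = {}
    for name, policy in policies.items():
        found = public_bindings(policy, members)
        if found:
            report[name] = found
    return report

def remediation_commands(report, region):
    """Build one remove-iam-policy-binding command per offending binding."""
    return [
        "gcloud run services remove-iam-policy-binding "
        f"{shlex.quote(name)} --region={shlex.quote(region)} "
        f"--member={shlex.quote(member)} --role={shlex.quote(role)}"
        for name, found in report.items()
        for role, member in found
    ]

if __name__ == "__main__":
    for cmd in remediation_commands(audit(SAMPLE_POLICIES), "us-central1"):
        print(cmd)
```

The commands are only printed, so they can be reviewed before anything is changed; re-running the audit afterwards should return an empty report.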
You are auditing:
Check for Publicly Accessible Cloud Run Services
Risk Level: High