Check for Publicly Accessible Cloud Run Services

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure there are no publicly accessible Cloud Run services within your Google Cloud Platform (GCP) project. Each Cloud Run service has an Identity and Access Management (IAM) policy that determines who can access it. To refuse access from anonymous and/or public users, remove every binding for the "allUsers" member from the IAM policy associated with the cloud resource. "allUsers" is a special member identifier that represents any user on the Internet, authenticated or unauthenticated.

Security | Reliability | Cost optimisation | Performance efficiency | Operational excellence

Granting a role such as Cloud Run Invoker to the "allUsers" member lets anyone on the Internet invoke your Cloud Run service without authenticating. Google Cloud best practice is to assess who actually needs to call each service, require authentication (for example, grant roles/run.invoker only to the specific service accounts or users that call the service), restrict ingress where the service is only consumed internally, and apply the principle of least privilege so that each service is reachable exclusively by its intended callers. A newly deployed Cloud Run service requires authentication by default; unauthenticated access exists only because someone explicitly granted it, so any "allUsers" binding should be a deliberate, reviewed decision for a service that is meant to be public.

Audit

To determine if there are any publicly accessible Cloud Run services available within your Google Cloud project, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Run console at https://console.cloud.google.com/run.

04 Select the Cloud Run service that you want to examine and choose the PERMISSIONS tab from the right information panel. If the information panel is not visible, choose SHOW INFO PANEL and select PERMISSIONS.

05 Use the Filter box to search for allUsers members. If the search result contains one or more roles, such as Cloud Run Invoker, associated with allUsers members, the selected Google Cloud Run service is publicly accessible. The following warning message should also be displayed on the information panel: "This resource is public and can be accessed by anyone on the internet. To remove public access, remove "allUsers" and "allAuthenticatedUsers" from the resource's principals.". Check for allAuthenticatedUsers in the same way: that principal represents any Google account holder, so a service it can invoke is effectively public as well.

06 Repeat steps no. 4 and 5 for each Cloud Run managed service created within the selected project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with a custom output format to list the ID of each Google Cloud Platform (GCP) project available in your cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-app-stack-project-112233

03 Run services list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and a custom output format to list the name and region of each Cloud Run service created for the selected project:

gcloud run services list \
  --project cc-web-stack-project-123123 \
  --format="table(name,region)"

04 The command output should return the requested resource identification information:

NAME                      REGION
cc-project5-web-service   us-central1
cc-analytics-app-service  us-central1

05 Run services get-iam-policy command (Windows/macOS/Linux) using the name and the region of the Cloud Run service that you want to examine as identifier parameters, to describe the IAM policy defined for the selected service:

gcloud run services get-iam-policy cc-project5-web-service \
  --region us-central1

06 The command output should return the IAM policy configured for the selected service:

bindings:
- members:
  - user:user@domain.com
  role: roles/owner
- members:
  - allUsers
  role: roles/run.invoker
etag: ABCD1234ABCD
version: 1

Check the IAM policy returned by the services get-iam-policy command output for roles associated with allUsers members. If one or more roles are bound to the allUsers member, as shown in the output example above, the selected Google Cloud Run service is publicly accessible. Treat allAuthenticatedUsers bindings the same way, since that member represents any Google account holder.

07 Repeat steps no. 5 and 6 for each Cloud Run service available within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To remove all "allUsers" member bindings from the IAM policy associated with the service in order to restrict anonymous and/or public access to your Cloud Run service, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Run console at https://console.cloud.google.com/run.

04 Select the Cloud Run service that you want to configure and choose the PERMISSIONS tab from the right information panel. If the information panel is not visible, choose SHOW INFO PANEL and select PERMISSIONS.

05 Use the Filter box to search for allUsers members to return all roles/principals with "allUsers" member bindings.

06 Click on the toggle node button available next to the role/principal associated with the allUsers member to expand the role configuration panel, and click on the delete (icon) button to remove the allUsers member.

07 On the Remove role from principal? confirmation box, choose Remove allUsers from all roles on this resource. They may still have access via inherited roles., and select REMOVE to confirm the removal.

08 Repeat steps no. 4 - 7 for each Cloud Run service that you want to configure, created for the selected project.

09 Repeat steps no. 2 – 8 for each GCP project available within your Google Cloud account.

Using GCP CLI

The remove-iam-policy-binding command removes one binding (a member plus a role) from the IAM policy of a service.

01 Run services remove-iam-policy-binding command (Windows/macOS/Linux) using the name and the region of the Cloud Run service that you want to configure as the identifier parameters, to remove "allUsers" member bindings from the IAM policy associated with the selected service. The following command request example removes the "allUsers" member binding from the Cloud Run Invoker role in order to stop allowing unauthenticated invocations of the selected Cloud Run service. The command removes a single binding per call, so if "allUsers" holds more than one role, run it once per role, then re-run services get-iam-policy to confirm that no allUsers binding remains:

gcloud run services remove-iam-policy-binding cc-project5-web-service \
  --region=us-central1 \
  --member='allUsers' \
  --role='roles/run.invoker'

02 The command output should return the updated IAM policy configured for the selected service:

bindings:
- members:
  - user:user@domain.com
  role: roles/owner
etag: ABCD1234ABCD
version: 1

03 Repeat steps no. 1 and 2 for each Cloud Run service that you want to configure, deployed in the selected project.

04 Repeat steps no. 1 – 3 for each GCP project created within your Google Cloud account.
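The CLI audit and remediation steps above are repeated by hand for every project, service and binding. The following script automates both: it walks every project and Cloud Run service visible to the caller, flags any binding for allUsers or allAuthenticatedUsers, and builds the corresponding remove-iam-policy-binding commands (one per role and member, since gcloud removes a single binding per call). This is an added example, not Conformity's or Google's own code. It assumes an installed, authenticated gcloud CLI when run for real; the policy-parsing and command-building functions operate on the JSON that `gcloud ... --format=json` emits and need no network access, so they can be exercised offline on a constructed policy. The location label read from the service listing (`cloud.googleapis.com/location`) is an assumption about the v1 service JSON, as is the placeholder project name.

```python
"""Find and remove public principals on Cloud Run service IAM policies.

Added example (not the Conformity or Google code). Assumes an installed,
authenticated gcloud CLI for the live audit; parsing needs no network.
"""
import json
import subprocess

# Principals that open a service to the whole Internet. allAuthenticatedUsers
# admits any Google account holder, so it is treated as public here too.
PUBLIC_MEMBERS = frozenset({"allUsers", "allAuthenticatedUsers"})


def public_bindings(policy):
    """Return (role, member) pairs that grant a role to a public principal.

    `policy` is the dict produced by
    `gcloud run services get-iam-policy SERVICE --region REGION --format=json`.
    """
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def is_public(policy):
    """True when the policy grants any role to allUsers/allAuthenticatedUsers."""
    return bool(public_bindings(policy))


def remediation_commands(service, region, project, policy):
    """Build one remove-iam-policy-binding argv per public (role, member).

    gcloud removes a single binding per invocation, so a service whose
    allUsers principal holds two roles needs two commands.
    """
    cmds = []
    for role, member in public_bindings(policy):
        cmds.append([
            "gcloud", "run", "services", "remove-iam-policy-binding", service,
            "--region", region, "--project", project,
            "--member", member, "--role", role, "--quiet",
        ])
    return cmds


def gcloud_json(*args):
    """Run a gcloud command with --format=json and parse its output."""
    result = subprocess.run(
        ["gcloud", *args, "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def audit(apply=False):
    """Walk every project and Cloud Run service; report public bindings.

    With apply=True the offending bindings are removed as they are found.
    Returns a list of (project, service, region, role, member) findings.
    """
    findings = []
    for proj in gcloud_json("projects", "list"):
        project = proj["projectId"]
        for svc in gcloud_json("run", "services", "list", "--project", project):
            name = svc["metadata"]["name"]
            # Assumed: the v1 service object carries its region in this label.
            region = svc["metadata"]["labels"]["cloud.googleapis.com/location"]
            policy = gcloud_json("run", "services", "get-iam-policy", name,
                                 "--region", region, "--project", project)
            for role, member in public_bindings(policy):
                findings.append((project, name, region, role, member))
                print(f"PUBLIC {project}/{name} ({region}): {member} -> {role}")
            if apply:
                for cmd in remediation_commands(name, region, project, policy):
                    subprocess.run(cmd, check=True)
    return findings


if __name__ == "__main__":
    import sys
    audit(apply="--apply" in sys.argv)
```

Run it without arguments to get the audit report only; add `--apply` to remove the bindings it reports. After an `--apply` run, a second plain run should return no findings, which is the same confirmation as re-running get-iam-policy by hand.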

Publication date Oct 23, 2023
