Identify any publicly accessible Google Cloud functions within your cloud account and update their IAM policy to protect against unauthorized users who send requests to invoke these functions. To deny access from anonymous and public users, remove the bindings for the "allUsers" and "allAuthenticatedUsers" members from your function's IAM policy. "allUsers" is a special member identifier that represents any user on the Internet, including authenticated and unauthenticated users, while "allAuthenticatedUsers" is an identifier that represents any user or service account that can sign in to Google Cloud Platform (GCP) with a Google account.
Misconfigured access permissions are a common security vulnerability involving Google Cloud resources. Granting permissions to the "allUsers" and "allAuthenticatedUsers" members can allow anyone to invoke your functions. To prevent sensitive data leaks, data loss, and unexpected charges on your GCP bill, ensure that anonymous and/or public access to your Google Cloud functions is not allowed.
Audit
To determine if there are any publicly accessible functions available within your Google Cloud account, perform the following operations:
Remediation / Resolution
To remove the "allUsers" and/or "allAuthenticatedUsers" IAM member bindings from the associated invoker policy in order to restrict anonymous and/or public access to your Google Cloud functions, perform the following operations:
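The audit and remediation steps above both come down to the same check: list the functions in each project, fetch the invoker IAM policy of each, and look for bindings whose members include "allUsers" or "allAuthenticatedUsers". The script below is an added example and not part of the original page or a Conformity tool; it wraps the gcloud commands named in the References section (gcloud functions list, gcloud run services get-iam-policy, gcloud run services remove-iam-policy-binding). It assumes 2nd gen functions, whose invoker policy lives on the underlying Cloud Run service, and it only prints the remove-iam-policy-binding commands rather than executing them, so an operator can review what would change. The project name, function names, service accounts and policies in the sample data are constructed for the example.

```python
"""Audit Google Cloud functions for public invoker bindings and build remediation commands."""
import json
import subprocess
from typing import Callable, Dict, List, Tuple

# Special principals that make a function reachable by anyone (or any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

Finding = Tuple[str, str]  # (role, member)


def find_public_bindings(policy: dict) -> List[Finding]:
    """Return every (role, member) pair in an IAM policy that grants access to a public principal."""
    found: List[Finding] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((role, member))
    return found


def gcloud_json(args: List[str], runner: Callable = subprocess.run) -> object:
    """Run a gcloud command with JSON output and parse it. `runner` is injectable for offline use."""
    result = runner(["gcloud", *args, "--format=json"], capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def audit_project(project: str, runner: Callable = subprocess.run) -> Dict[str, List[Finding]]:
    """Map 'region/function' -> public bindings for every function in the project that has any."""
    findings: Dict[str, List[Finding]] = {}
    for fn in gcloud_json(["functions", "list", "--project", project], runner):
        # Resource names look like projects/<p>/locations/<region>/functions/<name>.
        name = fn["name"].rsplit("/", 1)[-1]
        region = fn["name"].split("/locations/")[1].split("/")[0]
        policy = gcloud_json(
            ["run", "services", "get-iam-policy", name, "--region", region, "--project", project], runner
        )
        public = find_public_bindings(policy)
        if public:
            findings[f"{region}/{name}"] = public
    return findings


def remediation_commands(project: str, findings: Dict[str, List[Finding]]) -> List[str]:
    """Build one remove-iam-policy-binding command per public binding (returned, not executed)."""
    cmds = []
    for key, pairs in findings.items():
        region, name = key.split("/", 1)
        for role, member in pairs:
            cmds.append(
                f"gcloud run services remove-iam-policy-binding {name} "
                f"--region={region} --project={project} --member={member} --role={role}"
            )
    return cmds


# ---- Constructed sample data so the script runs without a GCP project or gcloud installed ----
SAMPLE_PROJECT = "example-project"  # constructed
SAMPLE_FUNCTIONS = [  # constructed: what `gcloud functions list --format=json` might return
    {"name": "projects/example-project/locations/us-central1/functions/public-hook"},
    {"name": "projects/example-project/locations/europe-west1/functions/internal-job"},
]
SAMPLE_POLICIES = {  # constructed: per-service `get-iam-policy` output
    "public-hook": {"bindings": [{"role": "roles/run.invoker",
                                  "members": ["allUsers",
                                              "serviceAccount:ci@example-project.iam.gserviceaccount.com"]}]},
    "internal-job": {"bindings": [{"role": "roles/run.invoker",
                                   "members": ["serviceAccount:scheduler@example-project.iam.gserviceaccount.com"]}]},
}


def sample_runner(cmd: List[str], **_kwargs) -> subprocess.CompletedProcess:
    """Stand-in for subprocess.run that answers the two gcloud commands from the sample data."""
    if cmd[1:3] == ["functions", "list"]:
        return subprocess.CompletedProcess(cmd, 0, stdout=json.dumps(SAMPLE_FUNCTIONS))
    if cmd[1:4] == ["run", "services", "get-iam-policy"]:
        return subprocess.CompletedProcess(cmd, 0, stdout=json.dumps(SAMPLE_POLICIES[cmd[4]]))
    raise ValueError(f"unexpected command: {cmd}")


if __name__ == "__main__":
    # Replace `runner=sample_runner` with the default to audit a real project.
    public = audit_project(SAMPLE_PROJECT, runner=sample_runner)
    for key, pairs in public.items():
        print(f"PUBLIC: {key} -> {pairs}")
    for cmd in remediation_commands(SAMPLE_PROJECT, public):
        print(cmd)
```

Dropping the `runner=sample_runner` argument makes the script call the real gcloud CLI with the active credentials; run it per project (for example over `gcloud projects list`) and review the printed commands before executing them, since removing a binding that a legitimate public endpoint depends on will break that endpoint.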
References
- Google Cloud Platform (GCP) Documentation
  - IAM overview
  - IAM basic and predefined roles reference
  - Principal identifiers
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud functions list
  - gcloud run services get-iam-policy
  - gcloud run services remove-iam-policy-binding
Publicly Accessible Functions
Risk Level: High