Publicly Accessible Functions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (act today)

Identify any publicly accessible Google Cloud functions within your cloud account and update their IAM policy to protect against unauthorized users sending requests that invoke these functions. To deny access from anonymous and public users, remove the bindings for the "allUsers" and "allAuthenticatedUsers" members from your function's IAM policy. "allUsers" is a special member identifier that represents any user on the Internet, authenticated or not, while "allAuthenticatedUsers" represents any user or service account that can sign in to Google Cloud Platform (GCP) with a Google account.

Security

Misconfigured access permissions are a common security weakness involving Google Cloud resources. Granting permissions to the "allUsers" or "allAuthenticatedUsers" members allows anyone to invoke your functions. To prevent sensitive data leaks, data loss, and unexpected charges on your GCP bill (a function that anyone can invoke can be driven by anyone), ensure that anonymous and/or public access to your Google Cloud functions is not allowed.


Audit

To determine if there are any publicly accessible functions available within your Google Cloud account, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to examine, listed in the Name column.

05 Select the PERMISSIONS tab to access the permissions defined for the selected function.

06 Select the VIEW BY PRINCIPALS tab and check the Principal column for any allUsers and allAuthenticatedUsers IAM principals. If the list contains one or more allUsers/allAuthenticatedUsers principals, the selected Google Cloud function is considered publicly accessible.

07 Repeat steps no. 4 - 6 for each Google Cloud function created for the selected GCP project.

08 Repeat steps no. 2 - 7 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s):

PROJECT_ID
cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run functions list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the region of each Google Cloud function deployed within the selected project:

gcloud functions list \
  --project cc-bigdata-project-123123 \
  --format="(NAME,REGION)"

04 The command output should return the requested function names and their regions:

NAME                  REGION
cc-web-app-function   us-central1
cc-stream-function    us-central1

05 Run run services get-iam-policy command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to examine as the identifier parameter to list the IAM members (principals) defined in the invoker policy associated with the selected function (2nd gen Cloud Functions are deployed as Cloud Run services, which is why the run services command family is used here):

gcloud run services get-iam-policy cc-web-app-function \
  --project cc-bigdata-project-123123 \
  --region us-central1 \
  --format=json | jq '.bindings[].members[]'

06 The command output should return the name of the associated IAM members:

"allAuthenticatedUsers"
"allUsers"

If the list of IAM member names returned by the run services get-iam-policy command output includes "allUsers" and/or "allAuthenticatedUsers", as shown in the example above, the selected Google Cloud function is considered publicly accessible.

07 Repeat steps no. 5 and 6 for each Google Cloud function created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To remove the "allUsers" and/or "allAuthenticatedUsers" IAM member bindings from the associated invoker policy in order to restrict anonymous and/or public access to your Google Cloud functions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to configure, listed in the Name column.

05 Select the PERMISSIONS tab to access the permissions defined for the selected function.

06 Select the VIEW BY PRINCIPALS tab to display all IAM members (principals) that have access to the selected resource.

07 Select all the allUsers and allAuthenticatedUsers principals available and choose REMOVE ACCESS to initiate the removal action for the selected bindings.

08 In the removal confirmation box, choose CONFIRM to remove the allUsers and/or allAuthenticatedUsers principals.

09 Repeat steps no. 4 – 8 for each Google Cloud function available within the selected project.

10 Repeat steps no. 2 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run run services remove-iam-policy-binding command (OSX/Linux/UNIX) using the name of the publicly accessible Google Cloud function that you want to configure as the identifier parameter, to remove the allUsers binding from the invoker policy associated with the selected function (add --project if the function's project is not the active gcloud configuration):

gcloud run services remove-iam-policy-binding cc-web-app-function \
  --region='us-central1' \
  --member='allUsers' \
  --role='roles/run.invoker'

02 The command output should return the information available for the updated policy:

Updated IAM policy for service [cc-web-app-function].
etag: ABCDABCDABCD
version: 1

03 Run run services remove-iam-policy-binding command (OSX/Linux/UNIX) using the name of the publicly accessible function that you want to configure as the identifier parameter, to remove the allAuthenticatedUsers binding from the invoker policy associated with the selected function:

gcloud run services remove-iam-policy-binding cc-web-app-function \
  --region='us-central1' \
  --member='allAuthenticatedUsers' \
  --role='roles/run.invoker'

04 The command output should return the information available for the updated policy:

Updated IAM policy for service [cc-web-app-function].
etag: 1234ABCD1234
version: 1

05 Repeat steps no. 1 - 4 for each Google Cloud function created for the selected GCP project.

06 Repeat steps no. 1 – 5 for each GCP project deployed in your Google Cloud account.
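The following script is an added example, not part of the Conformity article or the gcloud tooling, that serves both the CLI audit and the CLI remediation steps above: it parses the JSON policy returned by run services get-iam-policy (a constructed sample policy is embedded so it runs offline), flags every public principal while keeping the role it is bound to (the jq filter .bindings[].members[] drops the role), and builds the matching remove-iam-policy-binding command for each. It goes beyond the article by flagging public members under any role, not only roles/run.invoker; the function, project and region names are the article's sample values.

```python
import json
import shlex

# Members that make a function callable by anyone on the Internet
# (allUsers) or by anyone with a Google account (allAuthenticatedUsers).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy):
    """Return (role, member) pairs that grant access to a public principal.

    `policy` is the dict produced by
    `gcloud run services get-iam-policy ... --format=json`.
    Every role is checked, not only roles/run.invoker.
    """
    found = []
    # "bindings" is absent from the JSON when the policy is empty.
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def remediation_commands(function_name, project_id, region, policy):
    """Build one remove-iam-policy-binding command per public (role, member)."""
    cmds = []
    for role, member in find_public_bindings(policy):
        cmds.append(
            "gcloud run services remove-iam-policy-binding "
            f"{shlex.quote(function_name)} --project {shlex.quote(project_id)} "
            f"--region {shlex.quote(region)} --member {shlex.quote(member)} "
            f"--role {shlex.quote(role)}"
        )
    return cmds


# Constructed sample policy shaped like the article's gcloud JSON output.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/run.invoker", "members": ["allUsers", "allAuthenticatedUsers"]},
    {"role": "roles/run.admin", "members": ["user:admin@example.com"]}
  ],
  "etag": "ABCDABCDABCD",
  "version": 1
}""")

if __name__ == "__main__":
    for role, member in find_public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {member} is bound to {role}")
    for cmd in remediation_commands("cc-web-app-function", "cc-bigdata-project-123123",
                                    "us-central1", SAMPLE_POLICY):
        print(cmd)
```

To audit a real function, pipe the get-iam-policy JSON into json.load instead of using SAMPLE_POLICY; the printed commands can then be reviewed before being run.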

Publication date May 3, 2024
