Artifact registries are open to public Affecting Artifact Registry service in Google
Severity Framework: Snyk CCSS
Rule category: Data / Access Control
- Snyk ID SNYK-CC-00804
- credit Snyk Research Team
Description
Enabling public access to Artifact Registries increases the risk of unauthorized data exposure and potential data leakage. Restricting access to registries to authorized identities only ensures that sensitive data and artifacts are not accessible by anonymous or unauthenticated users, thereby mitigating the risk of data breaches and maintaining the confidentiality and integrity of the artifacts stored within the registry.
How to fix?
Set the members attribute in the google_artifact_registry_repository_iam resource to a value other than allUsers.
Example Configuration

# Repository 1: access granted through an explicit binding and an explicit member.
resource "google_artifact_registry_repository" "allow" {
  location      = "us-central1"
  repository_id = "artifact-804"
  description   = "example docker repository"
  format        = "DOCKER"
}

# Read access for a named user only; the members list does not contain allUsers.
resource "google_artifact_registry_repository_iam_binding" "public_binding" {
  location   = google_artifact_registry_repository.allow.location
  repository = google_artifact_registry_repository.allow.name
  role       = "roles/artifactregistry.reader"
  members = [
    "user:sanjeevsaini@zelarsoft.com",
  ]
}

# Admin access for a single service account.
resource "google_artifact_registry_repository_iam_member" "member" {
  location   = google_artifact_registry_repository.allow.location
  repository = google_artifact_registry_repository.allow.name
  role       = "roles/artifactregistry.admin"
  member     = "serviceAccount:snyk-venkat@zelarsoft-snyk.iam.gserviceaccount.com"
}

# Repository 2: access governed by a full IAM policy document.
resource "google_artifact_registry_repository" "allow2" {
  location      = "us-central1"
  repository_id = "artifact2-804"
  description   = "example docker repository"
  format        = "DOCKER"
}

resource "google_artifact_registry_repository_iam_policy" "policy" {
  location    = google_artifact_registry_repository.allow2.location
  repository  = google_artifact_registry_repository.allow2.name
  policy_data = data.google_iam_policy.admin.policy_data
}

# The policy binds a named service account only; no allUsers principal.
data "google_iam_policy" "admin" {
  binding {
    role = "roles/artifactregistry.admin"
    members = [
      "serviceAccount:snyk-venkat@zelarsoft-snyk.iam.gserviceaccount.com",
    ]
  }
}
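The Terraform above shows the compliant state. To audit repositories that already exist, the same condition (a binding whose members include allUsers) can be checked against the IAM policy that `gcloud artifacts repositories get-iam-policy <REPO> --format=json` returns. The script below is an added example and is not part of the Snyk rule page; the sample policy it embeds is constructed, and the role, etag and principal values in it are placeholders, not real data.

```python
"""Detect and remediate public (allUsers) bindings in an Artifact Registry IAM policy.

Added example, not from the Snyk rule page. The input shape follows what
`gcloud artifacts repositories get-iam-policy <REPO> --format=json` prints:
{"bindings": [{"role": ..., "members": [...]}], "etag": ..., "version": ...}.
"""
import copy
import json

# The principal that triggers this rule: it grants access to anonymous callers.
# (GCP also has "allAuthenticatedUsers"; the rule on this page keys on allUsers.)
PUBLIC_PRINCIPAL = "allUsers"

# Constructed sample policy (not real data): one public reader binding and
# one private admin binding.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/artifactregistry.reader",
      "members": ["allUsers", "user:alice@example.com"]
    },
    {
      "role": "roles/artifactregistry.admin",
      "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]
    }
  ],
  "etag": "EXAMPLE_ETAG",
  "version": 1
}
"""


def public_bindings(policy: dict) -> list:
    """Return [(role, members)] for every binding whose members include allUsers."""
    return [
        (b.get("role"), list(b.get("members", [])))
        for b in policy.get("bindings", [])
        if PUBLIC_PRINCIPAL in b.get("members", [])
    ]


def remediate(policy: dict) -> dict:
    """Return a copy of the policy with allUsers removed from every binding.

    A binding left with no members grants nothing, so it is dropped. The etag
    is preserved so the result can be submitted with set-iam-policy without
    silently overwriting a concurrent change.
    """
    fixed = copy.deepcopy(policy)
    kept = []
    for b in fixed.get("bindings", []):
        b["members"] = [m for m in b.get("members", []) if m != PUBLIC_PRINCIPAL]
        if b["members"]:
            kept.append(b)
    fixed["bindings"] = kept
    return fixed


def check_policy_json(text: str) -> dict:
    """Parse a policy JSON document and return findings plus a remediated copy."""
    policy = json.loads(text)
    findings = public_bindings(policy)
    return {
        "public": bool(findings),
        "findings": findings,
        "remediated": remediate(policy),
    }


if __name__ == "__main__":
    report = check_policy_json(SAMPLE_POLICY_JSON)
    for role, members in report["findings"]:
        print(f"PUBLIC binding: {role} -> {members}")
    # The remediated document is what you would pass back to set-iam-policy.
    print(json.dumps(report["remediated"], indent=2))
```

Run it against real output by piping the gcloud JSON into `check_policy_json`; a non-empty `findings` list is the condition this rule reports, and `remediated` is the policy with only named principals left in each binding.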