Artifact registries are open to public Affecting Artifact Registry service in Google

  • 0.0
  • medium
  • Severity Framework Snyk CCSS
  • Rule category Data / Access Control

  • Snyk ID SNYK-CC-00804
  • credit Snyk Research Team

Description

Enabling public access to Artifact Registries increases the risk of unauthorized data exposure and potential data leakage. Restricting access to registries to authorized identities only ensures that sensitive data and artifacts are not accessible by anonymous or unauthenticated users, thereby mitigating the risk of data breaches and maintaining the confidentiality and integrity of the artifacts stored within the registry.

How to fix?

Set the members attribute (or the member attribute of google_artifact_registry_repository_iam_member, and the bindings referenced by google_artifact_registry_repository_iam_policy) in the google_artifact_registry_repository_iam resources to specific identities such as users, groups or service accounts, and never to allUsers.

Example Configuration

# Repository whose access is granted through individual IAM binding/member resources.
resource "google_artifact_registry_repository" "allow" {
  location      = "us-central1"
  repository_id = "artifact-804"
  description   = "example docker repository"
  format        = "DOCKER"
}

# Compliant: the reader role is bound to a named user, not to allUsers.
resource "google_artifact_registry_repository_iam_binding" "public_binding" {
  location   = google_artifact_registry_repository.allow.location
  repository = google_artifact_registry_repository.allow.name
  role       = "roles/artifactregistry.reader"

  members = [
    "user:sanjeevsaini@zelarsoft.com",
  ]
}

# Compliant: a single admin grant to a service account.
resource "google_artifact_registry_repository_iam_member" "member" {
  location   = google_artifact_registry_repository.allow.location
  repository = google_artifact_registry_repository.allow.name
  role       = "roles/artifactregistry.admin"
  member     = "serviceAccount:snyk-venkat@zelarsoft-snyk.iam.gserviceaccount.com"
}

# Repository whose full IAM policy is managed authoritatively.
resource "google_artifact_registry_repository" "allow2" {
  location      = "us-central1"
  repository_id = "artifact2-804"
  description   = "example docker repository"
  format        = "DOCKER"
}

# The policy replaces any existing bindings, so every member in the policy data is checked.
resource "google_artifact_registry_repository_iam_policy" "policy" {
  location    = google_artifact_registry_repository.allow2.location
  repository  = google_artifact_registry_repository.allow2.name
  policy_data = data.google_iam_policy.admin.policy_data
}

# Compliant: the only binding grants admin to a service account; no allUsers member.
data "google_iam_policy" "admin" {
  binding {
    role = "roles/artifactregistry.admin"

    members = [
      "serviceAccount:snyk-venkat@zelarsoft-snyk.iam.gserviceaccount.com"
    ]
  }
}
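The following Python script is an added example, not part of the Snyk rule page or of Snyk's own checker. It applies the same rule to the JSON that `terraform show -json plan.out` emits: it walks every google_artifact_registry_repository_iam_binding, _iam_member and _iam_policy resource (including policies whose policy_data is a JSON document from data.google_iam_policy) and reports each role granted to allUsers. The embedded plan is constructed for the demonstration; it is not output of the configuration above and deliberately contains two public grants.

```python
"""Detect Google Artifact Registry repositories exposed to allUsers in a Terraform plan.

Added example: reads the JSON that `terraform show -json plan.out` emits and
reports every repository-level IAM binding, member or policy that grants a
role to the public principal. SAMPLE_PLAN below is constructed for the
demonstration and is not output from the configuration on this page.
"""
import json
import sys

# Resource types the rule covers; each binds identities to one repository.
IAM_TYPES = {
    "google_artifact_registry_repository_iam_binding",
    "google_artifact_registry_repository_iam_member",
    "google_artifact_registry_repository_iam_policy",
}
PUBLIC_PRINCIPALS = {"allUsers"}


def iter_resources(module):
    """Yield every resource in a planned_values module tree, child modules included."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def grants_of(resource):
    """Return (role, principal) pairs for one IAM resource, whatever its shape.

    Values Terraform cannot know at plan time are absent from `values`, so an
    unknown member list or policy_data is skipped rather than mis-reported.
    """
    values = resource.get("values") or {}
    rtype = resource.get("type", "")
    if rtype.endswith("_iam_binding"):
        return [(values.get("role"), m) for m in values.get("members") or []]
    if rtype.endswith("_iam_member"):
        return [(values.get("role"), values["member"])] if values.get("member") else []
    if rtype.endswith("_iam_policy"):
        # policy_data is the JSON document produced by data.google_iam_policy.
        try:
            policy = json.loads(values.get("policy_data") or "{}")
        except json.JSONDecodeError:
            return []
        return [(b.get("role"), m)
                for b in policy.get("bindings", [])
                for m in b.get("members", [])]
    return []


def find_public_grants(plan):
    """Return (address, role, principal) for each grant to a public principal."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") not in IAM_TYPES:
            continue
        for role, principal in grants_of(res):
            if principal in PUBLIC_PRINCIPALS:
                findings.append((res["address"], role, principal))
    return findings


# Constructed sample plan: one public binding, one compliant member, one policy
# whose second binding is public.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "google_artifact_registry_repository_iam_binding.public_binding",
         "mode": "managed", "type": "google_artifact_registry_repository_iam_binding",
         "name": "public_binding",
         "values": {"repository": "artifact-804", "role": "roles/artifactregistry.reader",
                    "members": ["allUsers", "user:sanjeevsaini@zelarsoft.com"]}},
        {"address": "google_artifact_registry_repository_iam_member.member",
         "mode": "managed", "type": "google_artifact_registry_repository_iam_member",
         "name": "member",
         "values": {"repository": "artifact-804", "role": "roles/artifactregistry.admin",
                    "member": "serviceAccount:snyk-venkat@zelarsoft-snyk.iam.gserviceaccount.com"}},
        {"address": "google_artifact_registry_repository_iam_policy.policy",
         "mode": "managed", "type": "google_artifact_registry_repository_iam_policy",
         "name": "policy",
         "values": {"repository": "artifact2-804",
                    "policy_data": json.dumps({"bindings": [
                        {"role": "roles/artifactregistry.admin",
                         "members": ["serviceAccount:snyk-venkat@zelarsoft-snyk.iam.gserviceaccount.com"]},
                        {"role": "roles/artifactregistry.reader", "members": ["allUsers"]},
                    ]})}},
    ]}},
}


if __name__ == "__main__":
    # Usage: python check_artifact_registry.py plan.json  (falls back to SAMPLE_PLAN)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = find_public_grants(plan)
    for address, role, principal in hits:
        print(f"SNYK-CC-00804: {address} grants {role} to {principal}")
    sys.exit(1 if hits else 0)
```

Produce the input with `terraform plan -out plan.out && terraform show -json plan.out > plan.json`; a non-zero exit makes the check usable as a CI gate. Policy data is checked as a JSON document because the authoritative google_artifact_registry_repository_iam_policy resource replaces all existing bindings, so a public member there is just as exposing as one in an iam_binding.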