CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, Network, etc.
Enabling public access to Artifact Registry repositories increases the risk of unauthorized data exposure and data leakage. Restricting repository access to authorized identities only ensures that sensitive data and artifacts are not accessible to anonymous or unauthenticated users, mitigating the risk of data breaches and preserving the confidentiality and integrity of the artifacts stored in the registry.
Set the `members` attribute in the `google_artifact_registry_repository_iam` resource to a value other than `allUsers`.
Example configuration:
resource "google_artifact_registry_repository" "allow" {
location = "us-central1"
repository_id = "artifact-804"
description = "example docker repository"
format = "DOCKER"
}
resource "google_artifact_registry_repository_iam_binding" "public_binding" {
location = google_artifact_registry_repository.allow.location
repository = google_artifact_registry_repository.allow.name
role = "roles/artifactregistry.reader"
members = [
"user:sanjeevsaini@zelarsoft.com",
]
}
resource "google_artifact_registry_repository_iam_member" "member" {
location = google_artifact_registry_repository.allow.location
repository = google_artifact_registry_repository.allow.name
role = "roles/artifactregistry.admin"
member = "serviceAccount:snyk-venkat@zelarsoft-snyk.iam.gserviceaccount.com"
}
resource "google_artifact_registry_repository" "allow2" {
location = "us-central1"
repository_id = "artifact2-804"
description = "example docker repository"
format = "DOCKER"
}
resource "google_artifact_registry_repository_iam_policy" "policy" {
location = google_artifact_registry_repository.allow2.location
repository = google_artifact_registry_repository.allow2.name
policy_data = data.google_iam_policy.admin.policy_data
}
data "google_iam_policy" "admin" {
binding {
role = "roles/artifactregistry.admin"
members = [
"serviceAccount:snyk-venkat@zelarsoft-snyk.iam.gserviceaccount.com"
]
}
}