GCP CIS v2.0.0 - Section 1 - Identity and Access Management
Policy Setting: GCP > IAM > API Key > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

  • GCP > IAM > API Key > Approved > Custom

Source

resource "turbot_policy_setting" "gcp_iam_api_key_approved_custom" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/gcp-iam#/policy/types/apiKeyApprovedCustom"
  note     = "GCP CIS v2.0.0 - Control: 1.12, 1.13 and 1.14"

  # Fields of the API key resource that the template below evaluates.
  template_input = <<-EOT
    {
      item: apiKey {
        name: get(path: "name")
        apiTargets: get(path: "restrictions.apiTargets")
        createTime: get(path: "createTime")
        browserKeyRestrictions: get(path: "restrictions.browserKeyRestrictions")
        serverKeyRestrictions: get(path: "restrictions.serverKeyRestrictions")
        androidKeyRestrictions: get(path: "restrictions.androidKeyRestrictions")
        iosKeyRestrictions: get(path: "restrictions.iosKeyRestrictions")
      }
    }
  EOT

  # Three checks, one per CIS control: 1.13 (API targets), 1.12 (key exists),
  # 1.14 (application restrictions). Each appends a result object to `results`.
  template = <<-EOT
    {%- set results = [] -%}
    {%- set apiTargets = $.item.apiTargets | default([]) -%}
    {%- set name = $.item.name -%}
    {%- set containsCloudApi = false -%}
    {%- for item in apiTargets -%}
      {%- if not containsCloudApi and item.service == "cloudapis.googleapis.com" -%}
        {%- set containsCloudApi = true -%}
      {%- endif -%}
    {%- endfor -%}
    {%- if containsCloudApi -%}
      {%- set data = {
        "title": "Access to Specific APIs",
        "result": "Not approved",
        "message": "API Key is not restricted to only APIs that application needs access"
      } -%}
    {%- elif not containsCloudApi -%}
      {%- set data = {
        "title": "Access to Specific APIs",
        "result": "Approved",
        "message": "API Key is restricted to only APIs that application needs access"
      } -%}
    {%- else -%}
      {%- set data = {
        "title": "Access to Specific APIs",
        "result": "Skip",
        "message": "No data for API Key restriction yet"
      } -%}
    {%- endif -%}
    {%- set results = results.concat(data) -%}
    {%- if name | length > 0 -%}
      {%- set data = {
        "title": "API Key Exists",
        "result": "Not approved",
        "message": "API Key should not exist for any active services"
      } -%}
    {%- else -%}
      {%- set data = {
        "title": "API Key Exists",
        "result": "Skip",
        "message": "No data for API Key yet"
      } -%}
    {%- endif -%}
    {%- set results = results.concat(data) -%}
    {%- set browserKeyRestrictions = $.item.browserKeyRestrictions -%}
    {%- set serverKeyRestrictions = $.item.serverKeyRestrictions -%}
    {%- set androidKeyRestrictions = $.item.androidKeyRestrictions -%}
    {%- set iosKeyRestrictions = $.item.iosKeyRestrictions -%}
    {%- set applicationRestrictions = true -%}
    {%- if browserKeyRestrictions == null and serverKeyRestrictions == null and androidKeyRestrictions == null and iosKeyRestrictions == null -%}
      {%- set applicationRestrictions = false -%}
    {%- elif browserKeyRestrictions != null -%}
      {%- for referrer in browserKeyRestrictions.allowedReferrers -%}
        {%- if "*" in referrer -%}
          {%- set applicationRestrictions = false -%}
        {%- endif -%}
      {%- endfor -%}
    {%- elif serverKeyRestrictions != null -%}
      {%- set invalidIps = ['0.0.0.0', '0.0.0.0/0', '::0'] -%}
      {%- for ip in serverKeyRestrictions.allowedIps -%}
        {%- if ip in invalidIps -%}
          {%- set applicationRestrictions = false -%}
        {%- endif -%}
      {%- endfor -%}
    {%- endif -%}
    {%- if applicationRestrictions -%}
      {%- set data = {
        "title": "Access to Specific Hosts & Apps",
        "result": "Approved",
        "message": "API keys are restricted to use by only specified hosts and apps"
      } -%}
    {%- elif not applicationRestrictions -%}
      {%- set data = {
        "title": "Access to Specific Hosts & Apps",
        "result": "Not approved",
        "message": "API keys are not restricted to use by only specified hosts and apps"
      } -%}
    {%- else -%}
      {%- set data = {
        "title": "Access to Specific Hosts & Apps",
        "result": "Skip",
        "message": "No data for key restrictions yet"
      } -%}
    {%- endif -%}
    {%- set results = results.concat(data) -%}
    {{ results | json }}
  EOT
}
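To make the three checks in the template testable offline, here is an added Python mirror of their logic (this is an example written for this page, not Turbot's code); the project and key names in the sample records are constructed, and only the result strings are reproduced, not the message text.

```python
# Added example (not Turbot's code): a Python mirror of the three checks in the
# Nunjucks template above, run against constructed API key records shaped like
# the fields that template_input selects (name, apiTargets, *KeyRestrictions).
ALL_APIS = "cloudapis.googleapis.com"             # the "all APIs" target
INVALID_IPS = {"0.0.0.0", "0.0.0.0/0", "::0"}     # same list as the template
APP_RESTRICTION_KINDS = ("browserKeyRestrictions", "serverKeyRestrictions",
                         "androidKeyRestrictions", "iosKeyRestrictions")

def check_api_targets(item):
    """CIS 1.13: a key whose apiTargets include the all-APIs service is unrestricted."""
    targets = item.get("apiTargets") or []
    unrestricted = any(t.get("service") == ALL_APIS for t in targets)
    return "Not approved" if unrestricted else "Approved"

def check_key_exists(item):
    """CIS 1.12: the template flags every key that has a name."""
    return "Not approved" if item.get("name") else "Skip"

def check_app_restrictions(item):
    """CIS 1.14: an application restriction must exist and must not be a
    wildcard referrer or an any-address IP range (mirrors the elif chain)."""
    restricted = any(item.get(k) is not None for k in APP_RESTRICTION_KINDS)
    browser, server = item.get("browserKeyRestrictions"), item.get("serverKeyRestrictions")
    if browser is not None:
        restricted = not any("*" in r for r in browser.get("allowedReferrers", []))
    elif server is not None:
        restricted = not any(ip in INVALID_IPS for ip in server.get("allowedIps", []))
    return "Approved" if restricted else "Not approved"

def evaluate(item):
    """Results in the same order as the template's results list."""
    return [check_api_targets(item), check_key_exists(item), check_app_restrictions(item)]

# Constructed sample records (hypothetical project and key names).
UNRESTRICTED_KEY = {"name": "projects/example-proj/locations/global/keys/key-1",
                    "apiTargets": [{"service": ALL_APIS}]}
SERVER_KEY = {"name": "projects/example-proj/locations/global/keys/key-2",
              "apiTargets": [{"service": "maps-backend.googleapis.com"}],
              "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]}}
WILDCARD_KEY = {"name": "projects/example-proj/locations/global/keys/key-3",
                "apiTargets": [{"service": "maps-backend.googleapis.com"}],
                "browserKeyRestrictions": {"allowedReferrers": ["*.example.com/*"]}}
```

Note that `WILDCARD_KEY` fails the hosts-and-apps check because the template treats any `*` in a referrer as a wildcard, so referrer restrictions written as `*.example.com/*` are reported as Not approved even though they are narrower than no restriction.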