package iam
import (
"github.com/mightymarty/tfsec/defsec/internal/rules"
providers2 "github.com/mightymarty/tfsec/defsec/pkg/providers"
scan2 "github.com/mightymarty/tfsec/defsec/pkg/scan"
severity2 "github.com/mightymarty/tfsec/defsec/pkg/severity"
state2 "github.com/mightymarty/tfsec/defsec/pkg/state"
)
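// CheckNoProjectLevelDefaultServiceAccountAssignment flags project-level IAM
// bindings and member assignments that grant a role to a default service
// account. The rule's stated impact is a violation of least privilege; the
// resolution it recommends is a purpose-specific service account instead.
var CheckNoProjectLevelDefaultServiceAccountAssignment = rules.Register(
	scan2.Rule{
		AVDID:     "AVD-GCP-0006",
		Provider:  providers2.GoogleProvider,
		Service:   "iam",
		ShortCode: "no-project-level-default-service-account-assignment",
		Summary:   "Roles should not be assigned to default service accounts",
		// "principle", not "principal": in IAM a principal is an identity, so the
		// original wording read as a different (and wrong) statement.
		Impact:      "Violation of principle of least privilege",
		Resolution:  "Use specialised service accounts for specific purposes.",
		Explanation: `Default service accounts should not be used - consider creating specialised service accounts for individual purposes.`,
		// TODO: add a reference link; an empty entry renders as a blank link in
		// generated documentation.
		Links: []string{
			"",
		},
		Terraform: &scan2.EngineMetadata{
			GoodExamples:        terraformNoProjectLevelDefaultServiceAccountAssignmentGoodExamples,
			BadExamples:         terraformNoProjectLevelDefaultServiceAccountAssignmentBadExamples,
			Links:               terraformNoProjectLevelDefaultServiceAccountAssignmentLinks,
			RemediationMarkdown: terraformNoProjectLevelDefaultServiceAccountAssignmentRemediationMarkdown,
		},
		Severity: severity2.Medium,
	},
	// The check walks every Google IAM project in the scanned state and reports
	// each binding or member that targets a default service account. Unmanaged
	// (not declared in the scanned configuration) bindings and members are skipped.
	func(s *state2.State) (results scan2.Results) {
		// One message serves every failing path so findings are uniform.
		const msg = "Role is assigned to a default service account at project level."

		for _, project := range s.Google.IAM.AllProjects() {
			for _, binding := range project.Bindings {
				if binding.IsUnmanaged() {
					continue
				}
				if binding.IncludesDefaultServiceAccount.IsTrue() {
					// The binding as a whole is flagged; its individual members
					// are not evaluated (and produce no passed results) here.
					results.Add(msg, binding.IncludesDefaultServiceAccount)
					continue
				}
				for _, member := range binding.Members {
					if isMemberDefaultServiceAccount(member.Value()) {
						results.Add(msg, member)
					} else {
						results.AddPassed(member)
					}
				}
			}

			// Index into the slice instead of taking the address of the range
			// copy: the original passed &member, which (before Go 1.22) is the
			// same address on every iteration, so a retained pointer would alias
			// across members. Pointing at the slice element is stable either way.
			for i := range project.Members {
				member := &project.Members[i]
				if member.IsUnmanaged() {
					continue
				}
				switch {
				case member.DefaultServiceAccount.IsTrue():
					results.Add(msg, member.DefaultServiceAccount)
				case isMemberDefaultServiceAccount(member.Member.Value()):
					results.Add(msg, member.Member)
				default:
					results.AddPassed(member)
				}
			}
		}
		return results
	},
)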