GCP resources should not be publicly accessible to all users or all authenticated users.

Why is this an issue?

Granting public access to GCP resources using allUsers or allAuthenticatedUsers allows anyone on the internet to access them. This removes the ability to enforce authentication, fine-grained permissions, or audit who is accessing the resource. This rule detects IAM bindings, ACL configurations, and container cluster network settings that grant access to all users or all authenticated users.

What is the potential impact?

Security incidents involving publicly accessible resources can result in data theft, disruption of critical functions, and unexpected costs due to resource overload. When access is granted to allUsers or allAuthenticatedUsers, the ability to trace and attribute access in the event of an incident is severely limited.

How to fix it in GCP Identity and Access Management

Code examples

Noncompliant code example

resource "google_cloudfunctions_function_iam_binding" "example" {
  cloud_function = google_cloudfunctions_function.example.name
  role           = "roles/cloudfunctions.invoker"
  members = [
    "allUsers",              # Noncompliant
    "allAuthenticatedUsers", # Noncompliant
  ]
}

resource "google_cloudfunctions_function_iam_member" "example" {
  cloud_function = google_cloudfunctions_function.example.name
  role           = "roles/cloudfunctions.invoker"
  member         = "allAuthenticatedUsers" # Noncompliant
}

Compliant solution

resource "google_cloudfunctions_function_iam_binding" "example" {
  cloud_function = google_cloudfunctions_function.example.name
  role           = "roles/cloudfunctions.invoker"
  members = [
    "serviceAccount:${google_service_account.example.email}",
    "group:${var.example_group}"
  ]
}

resource "google_cloudfunctions_function_iam_member" "example" {
  cloud_function = google_cloudfunctions_function.example.name
  role           = "roles/cloudfunctions.invoker"
  member         = "user:${var.example_user}"
}

How to fix it in GCP Cloud Storage

Code examples

Noncompliant code example

resource "google_storage_bucket_access_control" "example" {
  bucket = google_storage_bucket.example.name
  role   = "READER"
  entity = "allUsers" # Noncompliant
}

resource "google_storage_bucket_acl" "example" {
  bucket = google_storage_bucket.example.name
  role_entity = [
    "READER:allUsers",              # Noncompliant
    "READER:allAuthenticatedUsers", # Noncompliant
  ]
}

Compliant solution

resource "google_storage_bucket_access_control" "example" {
  bucket = google_storage_bucket.example.name
  role   = "READER"
  entity = "user-${var.example_user}"
}

resource "google_storage_bucket_acl" "example" {
  bucket = google_storage_bucket.example.name
  role_entity = [
    "READER:user-name@example.com",
    "READER:group-admins@example.com"
  ]
}

How to fix it in GCP Kubernetes Engine

Code examples

Noncompliant code example

resource "google_container_cluster" "example" {
  name               = "example"
  location           = "us-central1"
  initial_node_count = 1

  private_cluster_config {
    enable_private_nodes    = false # Noncompliant
    enable_private_endpoint = false # Noncompliant
  }
}

Compliant solution

resource "google_container_cluster" "example" {
  name               = "example"
  location           = "us-central1"
  initial_node_count = 1

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "172.16.0.0/28" # /28 reserved for the private control plane
  }
}
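As an added defender-side check that is not part of this rule page, the following Python script applies the same three tests (public IAM principals, public bucket ACL entities, disabled GKE private-cluster flags) to the JSON documents the GCP APIs return for deployed resources, so the rule's Terraform checks can also be run against live state. The sample policy, ACL and cluster documents are constructed here; the field names assume the standard `bindings`/`members`, `entity`/`role` and `privateClusterConfig` layouts.

```python
import json

# Principals that make a resource public: allUsers is anyone on the
# internet, allAuthenticatedUsers is anyone holding any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_iam_bindings(policy):
    """Return (role, member) pairs in an IAM policy that grant a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def public_acl_entries(acl):
    """Return (role, entity) pairs in a Cloud Storage ACL that name a public entity."""
    return [(e["role"], e["entity"]) for e in acl if e.get("entity") in PUBLIC_PRINCIPALS]


def gke_public_exposure(cluster):
    """Return the private-cluster flags that are off (absent counts as off),
    i.e. the ways the cluster is still reachable from public networks."""
    cfg = cluster.get("privateClusterConfig", {})
    return [flag for flag in ("enablePrivateNodes", "enablePrivateEndpoint")
            if not cfg.get(flag, False)]


# Constructed samples in the shape of get-iam-policy, bucket ACL and
# cluster describe output (not captured from a real project).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers", "group:admins@example.com"]},
    {"role": "roles/cloudfunctions.invoker", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
]}
SAMPLE_ACL = [{"entity": "allUsers", "role": "READER"},
              {"entity": "user-alice@example.com", "role": "OWNER"}]
SAMPLE_CLUSTER = {"name": "example",
                  "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": False}}


def audit(policy=SAMPLE_POLICY, acl=SAMPLE_ACL, cluster=SAMPLE_CLUSTER):
    """Run all three checks; every non-empty list is a finding to remediate."""
    return {"iam": public_iam_bindings(policy),
            "acl": public_acl_entries(acl),
            "gke": gke_public_exposure(cluster)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Feed it the JSON from `gcloud ... get-iam-policy --format=json`, the bucket ACL listing and `gcloud container clusters describe --format=json` in place of the samples.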

Resources

Standards