admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-03 09:13:22 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ba03e54063a94de8155adf476dc07e5b39bca341
nuclei-templates/cloud/gcp/function/gcp-func-default-svc-acc.yaml
Prince Chaddha ea7a5969c8 Revert "chore: update TemplateMan 🤖" 
This reverts commit c31d574176.
2025-05-27 10:39:47 +08:00

74 lines
2.3 KiB
YAML
Raw Blame History

id: gcp-func-default-svc-acc
info:
name: Google Cloud Functions Using Default Service Account
author: princechaddha
severity: medium
description: |
Ensure that your Google Cloud functions are configured to use user-managed service accounts instead of the default service account managed by Google Cloud in order to follow the Principle of Least Privilege (POLP) and enhance the security posture of your functions.
impact: |
Using default service accounts can grant more permissions than required to your functions, violating the Principle of Least Privilege and increasing security risks.
remediation: |
Configure your Google Cloud functions to use user-managed service accounts that have only the permissions necessary for the function to operate.
reference:
- https://cloud.google.com/functions/docs/securing/managing-access-iam
tags: cloud,devops,gcp,gcloud,google-cloud-functions,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
for(let functionDetail of iterate(template.functions)){
set("functionName", functionDetail)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud functions list --project $projectId --format="json(name)"
extractors:
- type: json
name: functions
internal: true
json:
- '.[].name'
- engine:
- sh
- bash
source: |
gcloud functions describe $functionName --format="value(serviceConfig.serviceAccountEmail)"
matchers:
- type: word
words:
- '@appspot.gserviceaccount.com'
- '@developer.gserviceaccount.com'
condition: or
extractors:
- type: dsl
dsl:
- '"Default Service Account used in function: " + functionName + " in " + projectId + " project"'
# digest: 4a0a0047304502207fc6a953b87cb78ff44c19096ded2962ce2b34b8f899da6e3c028c21ed62e080022100abe481b531bf4d078a50657118954d54ced272d83f731725c10a25d24b946975:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink