
Check for Publicly Accessible Artifact Registry Repositories

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)

Identify any publicly accessible Artifact Registry repositories within your Google Cloud account and update their IAM policy in order to protect against unauthorized access. To deny access from anonymous and public users, remove the bindings for the "allUsers" and "allAuthenticatedUsers" members from the IAM policy associated with your repository. "allUsers" is a special member identifier that represents any user on the Internet, authenticated or not, while "allAuthenticatedUsers" is an identifier that represents any user or service account that can sign in to Google Cloud Platform (GCP) with a Google account.

Security

Google Cloud Artifact Registry lets you store code and dependencies for your cloud applications. However, it's vital to secure access if your repositories contain sensitive information like passwords, personal details (such as PII), or confidential data. To prevent sensitive data leaks and data loss, ensure that anonymous and/or public access to your Artifact Registry repositories is not allowed.


Audit

To determine if there are any publicly accessible Artifact Registry repositories available in your Google Cloud account, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Artifact Registry console available at https://console.cloud.google.com/artifacts/.

04 Select Repositories from the navigation panel to list the Artifact Registry repositories available for the selected project.

05 Select the repository that you want to examine, choose SHOW INFO PANEL from the top-right menu, and select the PERMISSIONS tab to show the repository permissions.

06 Click inside the Filter box, select Role / Member, type allUsers, and press Enter. Click again in the Filter box, choose OR, select Role / Member, type allAuthenticatedUsers, and press Enter. If the Google Cloud console returns one or more results (i.e. principals), the selected Artifact Registry repository is publicly accessible.

07 Repeat steps no. 5 and 6 for each repository available within the selected GCP project.

08 Repeat steps no. 2 - 7 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s):

PROJECT_ID
cc-web-project-123123
cc-iot-app-project-112233

03 Run artifacts repositories list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the location of each Artifact Registry repository available within the selected project (the repository resource name has the form projects/PROJECT/locations/LOCATION/repositories/NAME, so the location is its fourth path segment):

gcloud artifacts repositories list \
  --project cc-web-project-123123 \
  --format="table(name.basename():label=NAME,name.segment(3):label=LOCATION)"

04 The command output should return the repository names and their location:

NAME           LOCATION
web-app-data   us-central1
web-artifacts  us-central1

05 Run artifacts repositories get-iam-policy command (Windows/macOS/Linux) using the name of the Artifact Registry repository that you want to examine as the identifier parameter, to describe the names of the IAM members (principals) defined in the IAM policy associated with the selected repository:

gcloud artifacts repositories get-iam-policy web-app-data \
  --project cc-web-project-123123 \
  --location us-central1 \
  --format=json | jq '.bindings[].members[]'

06 The command output should return the name of the associated IAM members:

"allUsers"
"allAuthenticatedUsers"

If the list of IAM member names returned by the artifacts repositories get-iam-policy command output includes "allUsers" and/or "allAuthenticatedUsers", as shown in the example above, the selected Artifact Registry repository is publicly accessible.

07 Repeat steps no. 5 and 6 for each repository available in the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To remove the "allUsers" and/or "allAuthenticatedUsers" IAM member bindings from the associated IAM policy in order to restrict anonymous and/or public access to your Artifact Registry repositories, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Artifact Registry console available at https://console.cloud.google.com/artifacts/.

04 Select Repositories from the navigation panel to list the Artifact Registry repositories available for the selected project.

05 Select the repository that you want to configure, choose SHOW INFO PANEL from the top-right menu, and select the PERMISSIONS tab to show the repository permissions.

06 Identify the IAM role with the "allUsers" and/or "allAuthenticatedUsers" principal and click on the delete button (bin icon) available next to the principal name to delete the binding. In the Remove role from principal? confirmation box, choose REMOVE to remove the selected binding. Repeat this step for each "allUsers"/"allAuthenticatedUsers" binding.

07 Repeat steps no. 5 and 6 for each repository that you want to configure, available within the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run artifacts repositories remove-iam-policy-binding command (OSX/Linux/UNIX) using the name of the publicly accessible Artifact Registry repository that you want to configure as the identifier parameter, to remove the allUsers binding from the IAM policy associated with the selected repository:

gcloud artifacts repositories remove-iam-policy-binding web-app-data \
  --project='cc-web-project-123123' \
  --location='us-central1' \
  --member='allUsers' \
  --role='roles/editor'

02 The command output should return the information available for the updated policy:

Updated IAM policy for repository [web-app-data].
bindings:
- members:
  - allAuthenticatedUsers
  role: roles/owner
etag: ABCD1234ABCD
version: 1

03 Run artifacts repositories remove-iam-policy-binding command (OSX/Linux/UNIX) using the name of the publicly accessible Artifact Registry repository that you want to configure as the identifier parameter, to remove the allAuthenticatedUsers binding from the IAM policy of the selected repository:

gcloud artifacts repositories remove-iam-policy-binding web-app-data \
  --project='cc-web-project-123123' \
  --location='us-central1' \
  --member='allAuthenticatedUsers' \
  --role='roles/owner'

04 The command output should return the information available for the updated policy:

Updated IAM policy for repository [web-app-data].
etag: 1234ABCD1234
version: 1

05 Repeat steps no. 1 - 4 for each repository that you want to configure, available in the selected GCP project.

06 Repeat steps no. 1 – 5 for each GCP project deployed in your Google Cloud account.
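The audit steps (list projects, list repositories, inspect each IAM policy) and the remediation steps (remove one binding per public principal and role) above can be scripted so that every repository in a project is checked in one pass, including the case where "allUsers" or "allAuthenticatedUsers" appears under more than one role and therefore needs more than one remove-iam-policy-binding call. The following Python script is an added example, not code from the Conformity page or from the gcloud CLI; it assumes the gcloud CLI is installed and authenticated, and the function names (find_public_bindings, remediation_commands, audit_project) and the sample policy are this example's own.

```python
"""Audit Artifact Registry repositories for public IAM bindings (added example)."""
import json
import shlex
import subprocess
from typing import Dict, List, Tuple

# Principals that expose a resource to everyone on the Internet (allUsers)
# or to any Google-authenticated identity (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})


def find_public_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs that grant a role to a public principal.

    `policy` is the document printed by
    `gcloud artifacts repositories get-iam-policy REPO --format=json`.
    A policy with no bindings key (nothing granted) yields an empty list.
    """
    public = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                public.append((binding["role"], member))
    return public


def remediation_commands(project: str, location: str, repo: str,
                         bindings: List[Tuple[str, str]]) -> List[str]:
    """Build one remove-iam-policy-binding command per public binding.

    Both role and member are required by gcloud: each (role, member) pair
    is a distinct binding, so a principal granted two roles needs two calls.
    """
    return [
        "gcloud artifacts repositories remove-iam-policy-binding "
        f"{shlex.quote(repo)} --project={shlex.quote(project)} "
        f"--location={shlex.quote(location)} --member={shlex.quote(member)} "
        f"--role={shlex.quote(role)}"
        for role, member in bindings
    ]


def _gcloud_json(args: List[str]) -> object:
    """Run a gcloud command with --format=json and parse its output."""
    result = subprocess.run(["gcloud", *args, "--format=json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def audit_project(project: str, fix: bool = False) -> Dict[str, List[Tuple[str, str]]]:
    """Check every repository in `project`; optionally remove public bindings.

    Returns {"LOCATION/REPO": [(role, member), ...]} for public repositories only.
    """
    findings = {}
    repos = _gcloud_json(["artifacts", "repositories", "list", f"--project={project}"])
    for repo_obj in repos:
        # Resource name: projects/PROJECT/locations/LOCATION/repositories/NAME
        parts = repo_obj["name"].split("/")
        location, repo = parts[3], parts[5]
        policy = _gcloud_json(["artifacts", "repositories", "get-iam-policy", repo,
                               f"--project={project}", f"--location={location}"])
        public = find_public_bindings(policy)
        if not public:
            continue
        findings[f"{location}/{repo}"] = public
        if fix:
            for cmd in remediation_commands(project, location, repo, public):
                subprocess.run(shlex.split(cmd), check=True)
    return findings


# Constructed sample policy in the shape gcloud prints; not captured from a real project.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["allUsers", "user:dev@example.com"]},
        {"role": "roles/owner", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/artifactregistry.reader",
         "members": ["serviceAccount:ci@cc-web-project-123123.iam.gserviceaccount.com"]},
    ],
    "etag": "ABCD1234ABCD",
    "version": 1,
}

if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser(description="Find (and optionally fix) public repositories")
    ap.add_argument("projects", nargs="+", help="GCP project IDs to audit")
    ap.add_argument("--fix", action="store_true", help="remove the public bindings found")
    ns = ap.parse_args()
    for proj in ns.projects:
        for key, found in audit_project(proj, fix=ns.fix).items():
            for role, member in found:
                print(f"{proj} {key}: {member} holds {role}")
```

Run it as `python audit_ar.py cc-web-project-123123 cc-iot-app-project-112233` to report, and add `--fix` to remove every public binding it finds. The report-only mode is the same check Conformity performs; keeping the fix behind a flag lets a change ticket be raised before any binding is removed.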

Publication date May 1, 2024