Publicly Accessible Functions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)

Identify any publicly accessible Google Cloud functions within your GCP account and update their IAM policies so that unauthorized users cannot send requests to invoke them. To deny access from anonymous and public users, remove the bindings for the allUsers and allAuthenticatedUsers members from your function's IAM policy. allUsers is a special member identifier that represents any user on the Internet, authenticated or not, while allAuthenticatedUsers represents any user or service account that can sign in to Google Cloud Platform (GCP) with a Google account.

Security

Misconfigured access permissions are a common security weakness affecting Google Cloud resources. Granting permissions to the allUsers or allAuthenticatedUsers members allows anyone to invoke your functions. To prevent sensitive data leaks, data loss, and unexpected charges on your GCP bill, ensure that anonymous and public access to your Google Cloud functions is not allowed.


Audit

To determine if there are any publicly accessible functions available within your Google Cloud account, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Functions console available at https://console.cloud.google.com/functions/ to list the Google Cloud functions deployed for the selected GCP project.

04 Select the Google Cloud function that you want to examine and choose PERMISSIONS to access the permissions defined for the selected function. The panel with the function permissions opens.

05 Toggle the Expand button (right arrow icon) available next to each role name listed in the Role / Principal section to show the principal(s) defined for each role. Check for any allUsers and allAuthenticatedUsers principals. If the Role / Principal list contains roles with allUsers and/or allAuthenticatedUsers principals, the selected Google Cloud function is considered publicly accessible.

06 Repeat steps no. 4 and 5 for each Google Cloud function created for the selected GCP project.

07 Repeat steps no. 2 - 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project ID(s):

cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run functions list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each Google Cloud function deployed within the selected project:

gcloud functions list \
	--project cc-bigdata-project-123123 \
	--format="(NAME,REGION)"

04 The command output should return the requested function names and the associated regions:

NAME: cc-project5-function
REGION: us-central1

NAME: cc-stream-function
REGION: us-central1

NAME: cc-vertex-function
REGION: us-central1

05 Run functions get-iam-policy command (Windows/macOS/Linux) with the name of the Google Cloud function that you want to examine as the identifier parameter, to describe names of the IAM members (principals) defined in the invoker policy associated with the selected function:

gcloud functions get-iam-policy cc-project5-function \
	--project cc-bigdata-project-123123 \
	--region us-central1 \
	--format=json | jq '.bindings[].members[]'

06 The command output should return the name of the associated IAM members:

"allAuthenticatedUsers"
"allUsers"

If the list of IAM members returned by the functions get-iam-policy command output includes "allUsers" and/or "allAuthenticatedUsers", as shown in the example above, the selected Google Cloud function is considered publicly accessible.

07 Repeat steps no. 5 and 6 for each Google Cloud function created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
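As an added example (not part of the Conformity page or its tooling), the following Python script applies the check from steps 05 and 06 to the JSON that gcloud functions get-iam-policy --format=json returns, so the whole project can be audited from saved policy documents instead of reading jq output by eye. The three policy documents, the service-account name and the etags are constructed for this example and do not come from the page.

```python
import json

# Principals that make a function invokable by anyone on the Internet (allUsers)
# or by any Google-authenticated identity (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample input: the JSON that
#   gcloud functions get-iam-policy <NAME> --project <ID> --region <REGION> --format=json
# returns for each of the three functions listed in step 04. All values are made up.
SAMPLE_POLICIES = {
    "cc-project5-function": json.dumps({
        "bindings": [{"role": "roles/cloudfunctions.invoker",
                      "members": ["allAuthenticatedUsers", "allUsers"]}],
        "etag": "ABCD1234ABCD", "version": 1}),
    "cc-stream-function": json.dumps({
        "bindings": [{"role": "roles/cloudfunctions.invoker",
                      "members": ["serviceAccount:stream-sa@cc-bigdata-project-123123.iam.gserviceaccount.com"]}],
        "etag": "EFGH5678EFGH", "version": 1}),
    # A function nobody has been granted access to comes back with no "bindings" key at all.
    "cc-vertex-function": json.dumps({"etag": "IJKL9012IJKL", "version": 1}),
}


def public_bindings(policy_json):
    """Return every (role, member) pair in the policy whose member is a public principal.

    A policy without a "bindings" key (an unshared function) is handled as having none;
    the page's jq filter errors on that case because it iterates over null.
    """
    policy = json.loads(policy_json)
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                hits.append((binding["role"], member))
    return hits


def audit(policies):
    """Map each function name to its list of public bindings; an empty list means compliant."""
    return {name: public_bindings(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_POLICIES).items():
        verdict = "PUBLIC" if hits else "ok"
        detail = ", ".join(f"{role} -> {member}" for role, member in hits)
        print(f"{verdict:6} {name} {detail}")
```

To use it against real output, save each function's policy with the get-iam-policy command from step 05 (keeping --format=json, without the jq pipe) and load the files into the dictionary in place of the constructed samples. The check flags a public principal in any role, not only roles/cloudfunctions.invoker, since allUsers or allAuthenticatedUsers should not appear in a function's policy at all.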

Remediation / Resolution

To remove the allUsers and/or allAuthenticatedUsers IAM member bindings from the associated invoker policy in order to restrict anonymous and/or public access to your Google Cloud functions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Functions console available at https://console.cloud.google.com/functions/ to list the Google Cloud functions deployed for the selected GCP project.

04 Select the Google Cloud function that you want to configure and choose PERMISSIONS to access the permissions defined for the selected function. The panel with the function permissions opens.

05 Toggle the Expand button (right arrow icon) available next to each role name listed in the Role / Principal section to show the principal(s) defined for each role.

06 Identify and remove all allUsers and allAuthenticatedUsers principals from the role bindings configured for the selected function by using the Delete button (bin icon) available next to each principal.

07 Inside the Remove role from principal? confirmation box, choose REMOVE to remove the allUsers and/or allAuthenticatedUsers role bindings.

08 Access to invoke Google Cloud functions can be granted to specific, trusted users, groups, or service accounts that require it, following the Principle of Least Privilege (POLP). To assign the Cloud Functions Invoker role (roles/cloudfunctions.invoker) to a Google Cloud function, perform the following actions:

  1. Select the Google Cloud function that you want to configure and choose PERMISSIONS. Once the panel with the function permissions opens, choose ADD PRINCIPAL.
  2. For Add principals, enter the name of the trusted member/principal in the New principals box.
  3. For Assign roles, use the Select a role dropdown box to search and select the Cloud Functions Invoker role.
  4. Choose SAVE to apply the changes.

09 Repeat steps no. 4 - 8 for each Google Cloud function that you want to configure, available within the selected project.

10 Repeat steps no. 2 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run functions remove-iam-policy-binding command (OSX/Linux/UNIX) with the name of the publicly accessible Google Cloud function that you want to configure as the identifier parameter, to remove the allUsers binding from the invoker policy associated with the selected function:

gcloud functions remove-iam-policy-binding cc-project5-function \
	--region='us-central1' \
	--member='allUsers' \
	--role='roles/cloudfunctions.invoker'

02 Type Y and press Enter to confirm the binding removal:

Would you like to run this command and additionally deny [allUsers] permission to invoke function [cc-project5-function] (Y/n)?  Y

03 The command output should return the information available for the updated policy:

bindings:
- members:
	- allAuthenticatedUsers
	role: roles/cloudfunctions.invoker
etag: ABCD1234ABCD
version: 1

04 Run functions remove-iam-policy-binding command (OSX/Linux/UNIX) with the name of the publicly accessible function that you want to configure as the identifier parameter, to remove the allAuthenticatedUsers binding from the invoker policy associated with the selected function:

gcloud functions remove-iam-policy-binding cc-project5-function \
	--region='us-central1' \
	--member='allAuthenticatedUsers' \
	--role='roles/cloudfunctions.invoker'

05 Type Y and press Enter to confirm the binding removal:

Would you like to run this command and additionally deny [allAuthenticatedUsers] permission to invoke function [cc-project5-function] (Y/n)?  Y

06 The command output should return the information available for the updated policy:

etag: ABCDABCDABCD
version: 1

07 Access to invoke Google Cloud functions can be granted to specific, trusted users, groups, or service accounts that require it, following the Principle of Least Privilege (POLP). To assign the Cloud Functions Invoker role (roles/cloudfunctions.invoker) to your Google Cloud function, run the functions add-iam-policy-binding command (OSX/Linux/UNIX). This command adds an invoker role policy binding that allows the specified, trusted member/principal to invoke your function. Trusted principals can be users, groups, domains, or service accounts:

gcloud functions add-iam-policy-binding cc-project5-function \
	--region="us-central1" \
	--member='user:user@domain.com' \
	--role='roles/cloudfunctions.invoker'

08 Type Y and press Enter to confirm the new binding:

Would you like to run this command and additionally grant [user:user@domain.com] permission to invoke function [cc-project5-function] (Y/n)?  Y

09 The command output should return the information available for the new role policy binding:

bindings:
- members:
	- user:user@domain.com
	role: roles/cloudfunctions.invoker
etag: 1234ABCD1234
version: 1

10 Repeat steps no. 1 - 9 for each Google Cloud function created for the selected GCP project.

11 Repeat steps no. 1 – 10 for each GCP project deployed in your Google Cloud account.
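As an added example (not part of the Conformity page or its tooling), the following Python script automates the CLI remediation above: it strips every allUsers and allAuthenticatedUsers member from a policy document, keeps the etag so the result can be written back safely, and builds the equivalent gcloud remove-iam-policy-binding and add-iam-policy-binding invocations from steps 01, 04 and 07. The sample policy is constructed for this example, and the invoker service account in the usage section is a hypothetical least-privilege principal, not one from the page.

```python
import json
import shlex

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: the policy of a public function as returned by
#   gcloud functions get-iam-policy cc-project5-function --region us-central1 --format=json
# All values are made up for this example.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudfunctions.invoker",
         "members": ["allAuthenticatedUsers", "allUsers", "user:user@domain.com"]},
        {"role": "roles/cloudfunctions.viewer", "members": ["allUsers"]},
    ],
    "etag": "ABCD1234ABCD",
    "version": 1,
})


def strip_public_members(policy_json):
    """Return (hardened_policy, removed): the policy with every public principal dropped, and
    the list of (role, member) pairs that were taken out.

    A binding left with no members is deleted, and the "bindings" key disappears when nothing
    survives, which matches the output gcloud prints after the last binding is removed (step 06).
    The etag is kept so the document can be written back with set-iam-policy without clobbering
    a concurrent change.
    """
    policy = json.loads(policy_json)
    removed, kept = [], []
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        removed.extend((binding["role"], m) for m in members if m in PUBLIC_PRINCIPALS)
        survivors = [m for m in members if m not in PUBLIC_PRINCIPALS]
        if survivors:
            kept.append({**binding, "members": survivors})
    hardened = {k: v for k, v in policy.items() if k != "bindings"}
    if kept:
        hardened["bindings"] = kept
    return hardened, removed


def remediation_commands(function, project, region, removed, invokers=()):
    """Build the gcloud invocations (as argv lists) that make the same change binding by binding.

    --quiet skips the interactive Y/n confirmation shown in steps 02, 05 and 08, which is what
    a script needs. `invokers` are the trusted principals that should hold the
    Cloud Functions Invoker role afterwards, following least privilege.
    """
    cmds = []
    for role, member in removed:
        cmds.append(["gcloud", "functions", "remove-iam-policy-binding", function,
                     "--project", project, "--region", region,
                     "--member", member, "--role", role, "--quiet"])
    for member in invokers:
        cmds.append(["gcloud", "functions", "add-iam-policy-binding", function,
                     "--project", project, "--region", region,
                     "--member", member, "--role", "roles/cloudfunctions.invoker", "--quiet"])
    return cmds


if __name__ == "__main__":
    hardened, removed = strip_public_members(SAMPLE_POLICY)
    print(json.dumps(hardened, indent=2))  # policy to feed to set-iam-policy, if preferred
    # Hypothetical service account chosen as the only invoker (constructed for this example).
    invoker = "serviceAccount:invoker-sa@cc-bigdata-project-123123.iam.gserviceaccount.com"
    for cmd in remediation_commands("cc-project5-function", "cc-bigdata-project-123123",
                                    "us-central1", removed, invokers=[invoker]):
        print(shlex.join(cmd))
```

Review the printed commands before running them, or write the hardened document to a file and apply it in one step with gcloud functions set-iam-policy, which rejects the update if the etag no longer matches the policy on the service. Either way, re-run the audit from the previous section afterwards to confirm no public principal remains.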

Publication date May 3, 2024