
Check for Publicly Accessible Cloud Tasks Queues

Risk Level: High (act today)

Identify any publicly accessible Cloud Tasks queues within your Google Cloud Platform (GCP) account and update their IAM policy in order to protect against unauthorized access. To deny access from anonymous and public users, remove every binding for the allUsers and allAuthenticatedUsers members from the IAM policy associated with your queue. allUsers is a special member identifier that represents anyone on the Internet, authenticated or not, while allAuthenticatedUsers represents any user or service account that can sign in with a Google account, which includes personal Gmail accounts and service accounts from projects outside your organization, not only your own users.

Security

Misconfigured access permissions are a common security vulnerability involving Google Cloud resources. Making a Cloud Tasks queue publicly accessible grants the role bound to allUsers or allAuthenticatedUsers to anyone on the Internet. What that enables depends on the role: a role that allows creating tasks lets anyone enqueue work for the queue's HTTP or App Engine handlers, which can lead to abuse (such as submitting unauthorized tasks), unexpected costs, and security risks, while a role that allows pausing, purging, or deleting the queue lets anyone disrupt it. To avoid this, ensure that anonymous and/or public access to your Cloud Tasks queues is not allowed.


Audit

To determine if there are any publicly accessible Cloud Tasks queues available in your GCP account, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Tasks Queues console available at https://console.cloud.google.com/cloudtasks to access the list of Cloud Tasks queues available for the selected GCP project.

04 Select the queue that you want to examine and choose SHOW INFO PANEL from the top-right menu to access the permissions defined for the selected resource. The panel with the queue permissions opens.

05 Check for any allUsers and allAuthenticatedUsers principals. Click inside the Filter box, select Role / Principal, type allUsers, and press Enter. Click again in the Filter box, choose OR, select Role / Principal, type allAuthenticatedUsers, and press Enter. If the Google Cloud console returns one or more results (i.e., principals), the selected Cloud Tasks queue is considered publicly accessible.

06 Repeat steps no. 4 and 5 for each Cloud Tasks queue available within the selected GCP project.

07 Repeat steps no. 2 - 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-iot-project-112233

03 Run tasks queues list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID (i.e., fully qualified identifier) of each Cloud Tasks queue created for the selected project, in the specified region:

gcloud tasks queues list \
	--project="cc-web-project-123123" \
	--location="us-central1" \
	--format="default(name)"

04 The command output should return the requested queue IDs:

---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue
---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-invoice-generation-queue

05 Run tasks queues get-iam-policy command (Windows/macOS/Linux) with the ID of the Cloud Tasks queue that you want to examine as the identifier parameter, to list the IAM members (principals) defined within the IAM policy associated with the selected queue. The fully qualified queue name already carries the location, so no --location flag is needed. A queue with no bindings at all returns a policy without a bindings key, so the jq filter uses the optional (?) iterators to print nothing instead of failing:

gcloud tasks queues get-iam-policy projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue \
	--format=json | jq '.bindings[]?.members[]?'

06 The command output should return the names of the associated principals:

"allUsers"
"allAuthenticatedUsers"

If the list of IAM members (principals) returned by the tasks queues get-iam-policy command output includes "allUsers" and/or "allAuthenticatedUsers", as shown in the example above, the selected Cloud Tasks queue is considered publicly accessible. An empty result (no bindings, or no public principals) means the queue is not public. To see which role each public principal holds, which you will need for remediation, inspect the full policy with --format=json instead of extracting only the member names.

07 Repeat steps no. 5 and 6 for each Cloud Tasks queue available in the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
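The CLI procedure above is easier to run at scale as a script. The following Python example is added here and is not code from the original article or from Trend Micro; it parses the JSON that tasks queues get-iam-policy prints and reports each public principal together with the role it holds (the role is what the remediation step needs). The queue names, the service account, and the policy documents are constructed sample input so the check runs offline; the get_queue_policy helper shows how a live policy would be fetched through gcloud, and it is only called when you wire it in yourself.

```python
"""Flag Cloud Tasks queues whose IAM policy grants access to the public.

Added example, not part of the original article. The sample policies below
are constructed to look like `gcloud tasks queues get-iam-policy QUEUE
--format=json` output so the audit runs without a GCP account.
"""
import json
import subprocess
from typing import Dict, List

# The two special principals that make a resource public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy: Dict) -> List[Dict[str, str]]:
    """Return one {"role", "member"} entry per public principal in the policy.

    A queue with no bindings is returned by gcloud as a policy without a
    "bindings" key (which is why `jq '.bindings[].members[]'` errors on a
    clean queue); a missing or null key is treated as "no bindings".
    """
    hits = []
    for binding in policy.get("bindings") or []:
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                hits.append({"role": binding["role"], "member": member})
    return hits


def is_public(policy: Dict) -> bool:
    """True if any binding contains allUsers or allAuthenticatedUsers."""
    return bool(find_public_bindings(policy))


def get_queue_policy(queue: str) -> Dict:
    """Fetch a live queue policy (needs an authenticated gcloud; not run here)."""
    result = subprocess.run(
        ["gcloud", "tasks", "queues", "get-iam-policy", queue, "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def audit(policies: Dict[str, Dict]) -> Dict[str, List[Dict[str, str]]]:
    """Map each publicly accessible queue to its offending (role, member) pairs."""
    return {q: find_public_bindings(p) for q, p in policies.items() if is_public(p)}


# Constructed sample input (hypothetical project, queues and service account).
NOTIFICATION_QUEUE = ("projects/cc-web-project-123123/locations/us-central1/"
                      "queues/cc-user-notification-queue")
INVOICE_QUEUE = ("projects/cc-web-project-123123/locations/us-central1/"
                 "queues/cc-invoice-generation-queue")

SAMPLE_POLICIES = {
    NOTIFICATION_QUEUE: {
        "bindings": [
            {"role": "roles/cloudtasks.enqueuer",
             "members": ["allUsers",
                         "serviceAccount:web-frontend@cc-web-project-123123.iam.gserviceaccount.com"]},
            {"role": "roles/cloudtasks.taskRunner",
             "members": ["allAuthenticatedUsers"]},
        ],
        "etag": "ABCD1234ABCD",
        "version": 1,
    },
    # A queue that has never had a binding: gcloud returns only etag/version.
    INVOICE_QUEUE: {"etag": "1234ABCD1234", "version": 1},
}


if __name__ == "__main__":
    # To audit real queues, replace SAMPLE_POLICIES with
    # {name: get_queue_policy(name) for name in <output of `tasks queues list`>}.
    for queue, hits in audit(SAMPLE_POLICIES).items():
        print(f"PUBLIC: {queue}")
        for hit in hits:
            print(f"  {hit['member']} -> {hit['role']}")
```

Running the script prints only the notification queue, with allUsers bound to the enqueuer role and allAuthenticatedUsers bound to the task runner role; the invoice queue, whose policy has no bindings, is silently treated as compliant instead of raising the jq error.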

Remediation / Resolution

To remove the allUsers and/or allAuthenticatedUsers IAM member bindings from the IAM policy associated with your Cloud Tasks queue in order to protect against unauthorized access, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Tasks Queues console available at https://console.cloud.google.com/cloudtasks to access the list of Cloud Tasks queues available for the selected GCP project.

04 Select the queue that you want to configure and choose SHOW INFO PANEL from the top-right menu to access the permissions defined for the selected resource. The panel with the queue permissions opens.

05 In the Role / Principal section, identify and remove all allUsers and allAuthenticatedUsers principals from the role bindings configured for the selected queue by using the Delete button (i.e., bin icon) available next to each principal. A public principal bound to more than one role is listed once per role; remove every occurrence.

06 Inside the Remove role from principal? confirmation box, choose REMOVE to remove the allUsers and/or allAuthenticatedUsers role bindings.

07 Access to Cloud Tasks queues can be granted to specific, trusted users, groups, or service accounts that require it, following the Principle of Least Privilege (POLP). To assign a new role, perform the following actions:

  1. On the permissions panel, choose ADD PRINCIPAL.
  2. For Add principals, enter the name of the trusted member/principal in the New principals box.
  3. For Assign roles, use the Select a role dropdown box to search and select the role that you want to assign.
  4. Choose SAVE to apply the changes.

08 Repeat steps no. 4 - 7 for each Cloud Tasks queue that you want to configure, available within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run tasks queues remove-iam-policy-binding command (Windows/macOS/Linux) with the ID of the publicly accessible Cloud Tasks queue that you want to configure as the identifier parameter, to remove the allUsers binding from the IAM policy associated with the selected queue. The command removes one (member, role) pair, so the --role value must be the role that the public principal actually holds in the policy returned during the audit (roles/editor in this example); if the principal is bound to several roles, run the command once per role:

gcloud tasks queues remove-iam-policy-binding projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue \
	--location="us-central1" \
	--member="allUsers" \
	--role="roles/editor"

02 The command output should return the information available for the updated IAM policy:

Updated IAM policy for queue [cc-user-notification-queue].
bindings:
- members:
	- allAuthenticatedUsers
	role: roles/cloudtasks.taskRunner
etag: ABCD1234ABCD
version: 1

03 Run tasks queues remove-iam-policy-binding command (Windows/macOS/Linux) with the ID of the publicly accessible Cloud Tasks queue that you want to configure as the identifier parameter, to remove the allAuthenticatedUsers binding from the IAM policy of the selected queue, again naming the role that the principal holds:

gcloud tasks queues remove-iam-policy-binding projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue \
	--location="us-central1" \
	--member="allAuthenticatedUsers" \
	--role="roles/cloudtasks.taskRunner"

04 The command output should return the information available for the updated policy:

Updated IAM policy for queue [cc-user-notification-queue].
etag: 1234ABCD1234
version: 1

05 Access to Cloud Tasks queues can be granted to specific, trusted users, groups, or service accounts that require it, following the Principle of Least Privilege (POLP). To assign a new role to your Cloud Tasks queue, run the tasks queues add-iam-policy-binding command (Windows/macOS/Linux). This command adds a new role policy binding that allows the specified, trusted member/principal to access your queue. Trusted principals can be users, groups, domains, or service accounts. As an example, the following command assigns the Cloud Tasks Task Runner role (i.e., roles/cloudtasks.taskRunner), granting the specified principal the access required to run tasks:

gcloud tasks queues add-iam-policy-binding projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue \
	--location="us-central1" \
	--member="user:user@domain.com" \
	--role="roles/cloudtasks.taskRunner"

06 The command output should return the information available for the new IAM policy binding:

bindings:
- members:
	- user:user@domain.com
	role: roles/cloudtasks.taskRunner
etag: 1234ABCD1234
version: 1

07 Repeat steps no. 1 - 6 for each Cloud Tasks queue that you want to configure, available in the selected GCP project.

08 Repeat steps no. 1 – 7 for each GCP project deployed in your Google Cloud account.
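Because remove-iam-policy-binding removes one (member, role) pair at a time, a queue whose public principals appear under several roles needs several commands, and each command is a separate read-modify-write of the policy. The Python example below is added here and is not code from the original article or from Trend Micro; it takes the policy JSON from the audit and produces both the full list of remove-iam-policy-binding commands and a sanitized policy document that can be applied in one step with gcloud tasks queues set-iam-policy, keeping the etag so the write is rejected if someone changed the policy in between. The queue name, service account, group and policy are constructed sample input.

```python
"""Derive the remediation for a public Cloud Tasks queue from its IAM policy.

Added example, not part of the original article. SAMPLE_POLICY is a
constructed policy shaped like `gcloud tasks queues get-iam-policy` output.
"""
import copy
import json
from typing import Dict, List

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def strip_public_members(policy: Dict) -> Dict:
    """Return a copy of the policy with public principals removed from every binding.

    Bindings left without members are dropped (a binding with an empty
    member list is rejected by IAM). etag and version are preserved so that
    `set-iam-policy` is conditional on the policy version the audit read.
    The input policy is not modified.
    """
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings") or []:
        binding["members"] = [m for m in binding.get("members", [])
                              if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    if kept:
        cleaned["bindings"] = kept
    else:
        cleaned.pop("bindings", None)
    return cleaned


def remove_binding_commands(queue: str, policy: Dict) -> List[str]:
    """One `remove-iam-policy-binding` command per (role, public member) pair.

    The command needs the exact role, so a principal bound under two roles
    yields two commands; generating them from the policy avoids missing one.
    The fully qualified queue name carries the location, so --location is omitted.
    """
    commands = []
    for binding in policy.get("bindings") or []:
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                commands.append(
                    "gcloud tasks queues remove-iam-policy-binding "
                    f'{queue} --member="{member}" --role="{binding["role"]}"'
                )
    return commands


def policy_file_contents(policy: Dict) -> str:
    """JSON for `gcloud tasks queues set-iam-policy QUEUE policy.json`."""
    return json.dumps(strip_public_members(policy), indent=2)


# Constructed sample input (hypothetical project, queue, service account, group).
QUEUE = ("projects/cc-web-project-123123/locations/us-central1/"
         "queues/cc-user-notification-queue")

SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudtasks.enqueuer",
         "members": ["allUsers",
                     "serviceAccount:web-frontend@cc-web-project-123123.iam.gserviceaccount.com"]},
        {"role": "roles/cloudtasks.taskRunner",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/cloudtasks.viewer",
         "members": ["allUsers", "group:sre@domain.com"]},
    ],
    "etag": "ABCD1234ABCD",
    "version": 1,
}


if __name__ == "__main__":
    print("# Option A: one command per public binding")
    for command in remove_binding_commands(QUEUE, SAMPLE_POLICY):
        print(command)
    print("# Option B: write this to policy.json, then run")
    print(f"#   gcloud tasks queues set-iam-policy {QUEUE} policy.json")
    print(policy_file_contents(SAMPLE_POLICY))
```

For the sample policy this yields three remove commands (allUsers is bound twice, under the enqueuer and viewer roles, and allAuthenticatedUsers once under the task runner role), and a sanitized policy that keeps the service account on the enqueuer role and the group on the viewer role, drops the now-empty task runner binding, and carries the original etag. After applying either option, re-run the audit step against the queue to confirm that no public principal remains.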

Publication date Mar 27, 2025