Use IAM Policy Conditions

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Google Cloud Eventarc resources use IAM policy conditions to restrict access to specific operations or resources based on context (such as source IP, date, or time of day).

Security

Defining IAM policy conditions for your Google Cloud Eventarc resources enhances security and compliance by enabling fine-grained access control. This restricts permissions based on attributes like time, location, IP address, or resource labels, minimizing unauthorized access and ensuring context-aware task execution.


Audit

To determine if your Google Cloud Eventarc resources are using IAM policy conditions, perform the following operations:

Getting the IAM policy for Eventarc resources using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
    --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-ai-project-112233
cc-dev-project-112233

03 Run projects get-iam-policy command (Windows/macOS/Linux) with the ID of the GCP project that contains your Eventarc resources as the identifier parameter, to describe the Identity and Access Management (IAM) policy defined for the specified project:

gcloud projects get-iam-policy cc-web-project-123123 --format="json"

04 The command output should return the requested IAM policy document in JSON format:

{
	"bindings": [
		{
			"members": [
				"user:username1@domain.com"
			],
			"role": "roles/eventarc.developer"
		},
		{
			"members": [
				"user:username2@domain.com"
			],
			"role": "roles/eventarc.connectionPublisher"
		},
		{
			"members": [
				"user:username3@domain.com"
			],
			"role": "roles/eventarc.viewer"
		}
	],
	"etag": "ABCD1234ABCD1234",
	"version": 3
}

Check each role binding in the IAM policy document returned by the get-iam-policy command for a "condition" element. A "condition" element has the following format: "condition": {"title": "TITLE", "description": "DESCRIPTION", "expression": "EXPRESSION"}, and it applies to every member listed in that binding. If none of the bindings that grant Eventarc roles (roles/eventarc.*) contain a "condition" element, your Google Cloud Eventarc resources are not using IAM conditions for fine-grained access control.

05 Repeat steps no. 3 and 4 for each GCP project with Eventarc resources, created within your Google Cloud account.
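To run the check from step 04 over a whole policy without reading it by hand, the following added Python script (not part of this page or of gcloud) parses the JSON returned by get-iam-policy and lists every Eventarc role grant whose binding has no "condition" element. The sample policy is constructed and mirrors the shape shown above.

```python
import json

# Constructed sample in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format="json"`: one Eventarc
# binding carries a condition, two do not, and one non-Eventarc role is present.
SAMPLE_POLICY_JSON = """{
  "bindings": [
    {"members": ["user:username1@domain.com"],
     "role": "roles/eventarc.developer",
     "condition": {"title": "dev-time-based-access-control",
                   "description": "Allow access until July 1, 2025",
                   "expression": "request.time < timestamp('2025-07-01T00:00:00.000Z')"}},
    {"members": ["user:username2@domain.com"], "role": "roles/eventarc.connectionPublisher"},
    {"members": ["user:username3@domain.com"], "role": "roles/eventarc.viewer"},
    {"members": ["user:username4@domain.com"], "role": "roles/viewer"}
  ],
  "etag": "ABCD1234ABCD1234",
  "version": 3
}"""

EVENTARC_ROLE_PREFIX = "roles/eventarc."

def audit_policy(policy_json):
    """Report Eventarc role grants that have no "condition" element."""
    policy = json.loads(policy_json)
    unconditioned = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith(EVENTARC_ROLE_PREFIX):
            continue  # other roles are outside this rule's scope
        if binding.get("condition"):
            continue  # the condition is attached to the binding, i.e. to every member in it
        for member in binding.get("members", []):
            unconditioned.append((role, member))
    return {
        # Conditional bindings require policy version 3, so a policy reported
        # at a lower version cannot carry any.
        "version": policy.get("version", 1),
        "unconditioned": unconditioned,
        "compliant": not unconditioned,
    }

if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY_JSON)
    for role, member in result["unconditioned"]:
        print(f"NO CONDITION: {member} holds {role}")
    print("compliant:", result["compliant"])
```

Pipe the real output in with gcloud projects get-iam-policy PROJECT_ID --format="json" and pass it to audit_policy; a project with no Eventarc bindings at all reports compliant because there is nothing to condition.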

Remediation / Resolution

To ensure that your Google Cloud Eventarc resources are protected with IAM policy conditions, perform the following operations:

Updating the IAM policy for Eventarc resources using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 To add an IAM condition to a role binding, you must define the "condition" element, as shown in the policy example below. A "condition" element has the following format: "condition": {"title": "TITLE", "description": "DESCRIPTION", "expression": "EXPRESSION"}. For more details about the "condition" element structure, see the official documentation. Save the modified policy document to a JSON file named cc-iam-policy-conditions.json:

{
	"bindings": [
		{
			"members": [
				"user:username1@domain.com"
			],
			"role": "roles/eventarc.developer",
			"condition": {
				"title": "dev-time-based-access-control",
				"description": "Allow Access to read and write Eventarc resources until July 1, 2025",
				"expression": "request.time < timestamp('2025-07-01T00:00:00.000Z')"
			}
		},
		{
			"members": [
				"user:username2@domain.com"
			],
			"role": "roles/eventarc.connectionPublisher"
		},
		{
			"members": [
				"user:username3@domain.com"
			],
			"role": "roles/eventarc.viewer"
		}
	],
	"etag": "ABCD1234ABCD1234",
	"version": 3
}

02 Run projects set-iam-policy command (Windows/macOS/Linux) with the ID of the GCP project that contains your Eventarc resources as the identifier parameter, to set the IAM policy modified at the previous step (i.e., cc-iam-policy-conditions.json) to the selected project. This will implement IAM policy conditions for fine-grained access control:

gcloud projects set-iam-policy cc-web-project-123123 cc-iam-policy-conditions.json

03 The command output should return the modified IAM policy:

bindings:
- members:
  - user:username1@domain.com
  role: roles/eventarc.developer
  condition:
    title: dev-time-based-access-control
    description: Allow Access to read and write Eventarc resources until July 1, 2025
    expression: request.time < timestamp('2025-07-01T00:00:00.000Z')
- members:
  - user:username2@domain.com
  role: roles/eventarc.connectionPublisher
- members:
  - user:username3@domain.com
  role: roles/eventarc.viewer
etag: ABCD1234ABCD1234
version: 3

04 Repeat steps no. 1 – 3 for each GCP project with Eventarc resources, deployed in your Google Cloud account.
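Editing the JSON in step 01 by hand is easy when a binding has a single member; when several members share one binding, only the intended member should be moved under the condition, because a binding is identified by its role and condition together. The following added Python helper (not from this page or from gcloud) performs that read-modify-write and produces the document to save as cc-iam-policy-conditions.json. The sample policy is constructed; the condition is the page's own example.

```python
import json

# Constructed sample as returned by `gcloud projects get-iam-policy ... --format="json"`;
# two members share one unconditioned roles/eventarc.developer binding.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["user:username1@domain.com", "user:username2@domain.com"],
         "role": "roles/eventarc.developer"},
        {"members": ["user:username3@domain.com"], "role": "roles/eventarc.viewer"},
    ],
    "etag": "ABCD1234ABCD1234",
    "version": 1,
}

# The page's time-bound condition; the expiry date is the page's own example value.
EXPIRY_CONDITION = {
    "title": "dev-time-based-access-control",
    "description": "Allow Access to read and write Eventarc resources until July 1, 2025",
    "expression": "request.time < timestamp('2025-07-01T00:00:00.000Z')",
}

def add_condition(policy, role, member, condition):
    """Return a copy of policy in which member holds role only under condition.

    A binding is identified by (role, condition), so the member is moved out of the
    unconditioned binding into a conditional one; other members keep their grant.
    """
    new_policy = json.loads(json.dumps(policy))  # deep copy; leave the input untouched
    bindings = new_policy.get("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and member in binding.get("members", []):
            if not binding.get("condition"):
                binding["members"].remove(member)
    bindings = [b for b in bindings if b.get("members")]  # drop now-empty bindings
    # Reuse an existing binding with the same role and an identical condition, if any.
    for binding in bindings:
        if binding.get("role") == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"members": [member], "role": role, "condition": dict(condition)})
    new_policy["bindings"] = bindings
    new_policy["version"] = 3  # conditional bindings are only valid at policy version 3
    return new_policy  # "etag" is kept so set-iam-policy rejects a write over a changed policy

if __name__ == "__main__":
    updated = add_condition(SAMPLE_POLICY, "roles/eventarc.developer",
                            "user:username1@domain.com", EXPIRY_CONDITION)
    print(json.dumps(updated, indent=2))  # save as cc-iam-policy-conditions.json
```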

Publication date Apr 11, 2025