GCP Cloud Function Should Not Have Admin Access

More Info:

Ensure that the Cloud Function users do not have administrative priveleges

Risk Level

Critical

Address

Security

Compliance Standards

PCIDSS, HIPAA

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of a GCP Cloud Function having admin access, you can follow the below steps using GCP CLI:

Open the Cloud Console and navigate to the Cloud Functions section.
Identify the Cloud Function that has admin access.
Determine the IAM policy bindings for the Cloud Function:

gcloud functions describe FUNCTION_NAME --format="value(iamPolicy)"

Replace FUNCTION_NAME with the name of your Cloud Function.

Review the IAM policy bindings to identify any roles with admin access.
Remove the admin role from the IAM policy bindings:

gcloud functions remove-iam-policy-binding FUNCTION_NAME \
    --member=MEMBER \
    --role=ROLE

Replace FUNCTION_NAME with the name of your Cloud Function, MEMBER with the email address of the user or service account that has admin access, and ROLE with the admin role (e.g., roles/cloudfunctions.admin).

Verify that the admin role has been removed from the IAM policy bindings:

gcloud functions describe FUNCTION_NAME --format="value(iamPolicy)"

Once the changes are saved, verify that the user or service account no longer has admin access by testing the function.

By following these steps, you can remediate the misconfiguration of a GCP Cloud Function having admin access using the GCP CLI, ensuring that the function has the appropriate access level to perform its intended function.

Using Python

To remediate the issue of a GCP Cloud Function having admin access, follow these steps:

Open the Cloud Functions page in the GCP console.
Select the Cloud Function that has admin access.
Click on the “Edit” button to modify the function.
In the “Permissions” section, click on “Add Member”.
Enter the email address of the user or service account that you want to grant access to the function.
In the “Role” dropdown menu, select a role that does not have admin access, such as “Cloud Functions Developer” or “Cloud Functions Viewer”.
Click “Save” to apply the changes.

Here is an example Python script that can be used to remove admin access from a GCP Cloud Function:

import google.auth
from google.cloud import functions_v1
from google.auth.transport.requests import Request
from google.oauth2.credentials import Credentials

# Authenticate using the default credentials
creds, project_id = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
creds.refresh(Request())

# Initialize the Cloud Functions client
client = functions_v1.CloudFunctionsServiceClient(credentials=creds)

# Set the name of the Cloud Function that needs to be updated
function_name = "my-function"

# Get the current IAM policy for the function
resource = f"projects/{project_id}/locations/us-central1/functions/{function_name}"
policy = client.get_iam_policy(request={"resource": resource})

# Remove the "roles/cloudfunctions.admin" role from all members
for binding in policy.bindings:
    if binding.role == "roles/cloudfunctions.admin":
        binding.members.remove("allUsers")
        binding.members.remove("allAuthenticatedUsers")
        binding.members = [m for m in binding.members if not m.startswith("user:") and not m.startswith("serviceAccount:")]
        
# Update the IAM policy for the function
client.set_iam_policy(request={"resource": resource, "policy": policy})

This script uses the google-cloud-functions library to authenticate using the default credentials and update the IAM policy for the specified Cloud Function. It removes the “roles/cloudfunctions.admin” role from all members and updates the policy accordingly.

Additional Reading:

https://cloud.google.com/functions/docs/reference/iam/permissions

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

GCP Cloud Function Should Not Have Admin Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: