gcloud-access-approval-not-enabled: Access Approval Not Enabled in GCP Projects

id: gcloud-access-approval-not-enabled

info:
  name: Access Approval Not Enabled in GCP Projects
  author: princechaddha
  severity: high
  description: |
    Ensure that Access Approval is enabled within your Google Cloud Platform (GCP) account to allow your explicit approval whenever Google personnel need to access your GCP projects. Once enabled, you can delegate users within your organization to approve access requests through IAM. Requests will show the requester's name/ID via email or Pub/Sub message for approval.
  impact: |
    If Access Approval is not enabled, unauthorized access by Google personnel may occur without your knowledge, leading to potential security risks and data breaches.
  remediation: |
    Enable Access Approval in your GCP projects to create a new control and logging layer that reveals who in your organization approved or denied access requests.
  reference:
    - https://cloud.google.com/access-approval/docs/quickstart
  tags: cloud,devops,gcp,gcloud,google-cloud-platform,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud access-approval settings get --project $projectId --format="json(enrolledServices)"

    matchers:
      - type: word
        words:
          - 'null'

    extractors:
      - type: dsl
        dsl:
          - '"Access Approval not enabled in Project: " + projectId'
# digest: 4b0a0048304602210090096c58b936c5d0b3cdc8ddfe448f87c8813c9a16ea0f2307ab29e0b1627b11022100ebaf5d8d37861aa286f40720b9681596e0cf50ac847b020012a559e676e8b384:922c64590222798bb761d5b6d8e72950