gcloud-iam-primitive-roles: Minimize the Use of Primitive Roles

日期: 2025-08-01 | 影响软件: gcloud | POC: 已公开

漏洞描述

For production and security-critical cloud environments, limit the use of primitive roles such as "Owner", "Editor", and "Viewer" for Cloud IAM members. Instead, grant predefined roles to these IAM members to allow the least-permissive access required to perform their tasks (i.e., Principle of Least Privilege – POLP).

PoC代码[已公开]

id: gcloud-iam-primitive-roles

info:
  name: Minimize the Use of Primitive Roles
  author: princechaddha
  severity: medium
  description: |
    For production and security-critical cloud environments, limit the use of primitive roles such as "Owner", "Editor", and "Viewer" for Cloud IAM members. Instead, grant predefined roles to these IAM members to allow the least-permissive access required to perform their tasks (i.e., Principle of Least Privilege – POLP).
  impact: |
    Using primitive roles can lead to overly broad access and potential security vulnerabilities, as these roles can grant extensive permissions across a wide range of resources.
  remediation: |
    Replace primitive roles with predefined or custom roles tailored to the specific needs of the users and the minimum permissions they require to perform their tasks.
  reference:
    - https://cloud.google.com/iam/docs/understanding-roles
  tags: cloud,devops,gcp,gcloud,google-cloud-iam,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let binding of iterate(template.bindings)){
      set("binding", binding)
      javascript(1)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud projects get-iam-policy $projectId --format=json

    extractors:
      - type: json
        name: bindings
        internal: true
        json:
          - '.bindings[]'

javascript:
  - code: |
      let binding = JSON.parse(template.binding);
      let role = binding.role;
      let members = binding.members.join(", ");
      let projectId = template.projectId;
      let primitiveRoles = ["roles/owner", "roles/editor", "roles/viewer"];
      if (primitiveRoles.includes(role)) {
        Export("Primitive role " + role + " used by members " + members + " in Project " + projectId);
      }

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a0047304502205cf38271366363518d970f52193b701bfdc523d4c6f168904610c6a2f989a1a8022100ba66f34ff86fbb9934c0bf144f8ea021d9ada3ba99c0cb29f5847ef4e3f3996d:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/gcp/iam/gcloud-iam-primitive-roles.yaml

相关漏洞推荐