Check for Publicly Shared Disk Images

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that your virtual machine disk images are not publicly shared with all other Google Cloud Platform (GCP) accounts in order to avoid exposing sensitive or confidential data. If required, you can share your disk images with specific GCP accounts only, without making them public.

Security

You can share your virtual machine (VM) disk images with all authenticated Google Cloud users by granting an IAM role to the "allAuthenticatedUsers" member, regardless of whether those users belong to your GCP organization or project. "allAuthenticatedUsers" is a special member identifier that represents any user or service account that can sign in to Google Cloud with a Google account (the related "allUsers" member is broader still and grants access without any authentication, so treat it the same way when you review image policies). When you grant a role such as roles/compute.imageUser to this member, anyone with a Google account can use the image to create VM instances and therefore read its contents. VM disk images usually contain a full copy of your applications, their configuration and their data, often including credentials or keys baked into the image, so exposing them in this manner is not advised.


Audit

To identify any publicly shared disk images within your Google Cloud account, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine console at https://console.cloud.google.com/compute.

04 In the navigation panel, select Images to access the list with all the virtual machine (VM) disk images available for the selected project.

05 Select the VM disk image that you want to examine, then click on the SHOW INFO PANEL button to show the image permissions.

06 Select the PERMISSIONS tab, type allAuthenticatedUsers in the Search members search box and press Enter. If the Google Compute Engine console returns one or more results, the selected virtual machine disk image is publicly shared with all other Google Cloud accounts.

07 Repeat step no. 5 and 6 for each virtual machine (VM) disk image created for the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-project5-123123
cc-web-repo-112233

03 Run compute images list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to list all the virtual machine (VM) disk images available for the selected project. Include the --no-standard-images parameter in the command request to disable listing any images from the public image projects:

gcloud compute images list \
	--project cc-project5-123123 \
	--no-standard-images \
	--format="table(name)"

04 The command output should return the name(s) of the disk image(s) created for the selected GCP project:

NAME
cc-project5-prod-image
cc-project5-data-image
cc-project5-kb10-image

05 Run compute images get-iam-policy command (Windows/macOS/Linux) using the name of the virtual machine disk image that you want to examine as identifier parameter, the ID of its project, and a jq filter that flattens every binding down to its member names, to list the IAM member(s) associated with the selected image:

gcloud compute images get-iam-policy cc-project5-prod-image \
	--project cc-project5-123123 \
	--format=json | jq '.bindings[].members[]'

06 The command output should return the name of the associated member(s):

"allAuthenticatedUsers"
"user:admin@cloudconformity.com"
"serviceAccount:123412341234-compute@developer.gserviceaccount.com"

If the IAM member names returned by the compute images get-iam-policy command output include "allAuthenticatedUsers", as shown in the example above, the selected virtual machine (VM) disk image is publicly shared with all other Google Cloud accounts.

07 Repeat step no. 5 and 6 for each virtual machine disk image created within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

Misconfigured access permissions are a common security weakness affecting Google Cloud VM resources. Granting IAM roles to the "allAuthenticatedUsers" member allows anyone with a Google account to use your disk images. The member may be bound under more than one role on the same image, in which case every binding must be removed. To revoke access to your publicly shared virtual machine disk images by removing the "allAuthenticatedUsers" member binding(s) from the associated policy, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine console at https://console.cloud.google.com/compute.

04 In the navigation panel, select Images to access the list with all the virtual machine (VM) disk images available for the selected project.

05 Select the VM disk image that you want to reconfigure (see Audit section part I to identify the right image), then click on the SHOW INFO PANEL button to access the image permissions.

06 On the information panel, perform the following operations:

  1. Select the PERMISSIONS tab to access the disk image permissions.
  2. Expand the IAM role for which you want to remove the allAuthenticatedUsers member, then click on the delete icon next to the member name to remove it.
  3. On the confirmation box, select the member that you want to delete, then click REMOVE to confirm the member removal.

07 Repeat step no. 5 and 6 to revoke access for other publicly shared VM disk images available in the selected project.

08 Repeat steps no. 2 – 7 for each GCP project created within your Google Cloud account.

Using GCP CLI

01 Run compute images remove-iam-policy-binding command (Windows/macOS/Linux) using the name of the VM disk image that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to remove the "allAuthenticatedUsers" IAM member binding from the IAM policy associated with the selected disk image. The --role parameter value represents the IAM role for which you want to remove the allAuthenticatedUsers member; the command removes exactly one (member, role) pair, so run it once for every role returned by get-iam-policy that lists this member. In the following example, the allAuthenticatedUsers member role is 'roles/editor':

gcloud compute images remove-iam-policy-binding cc-project5-prod-image \
	--project cc-project5-123123 \
	--member='allAuthenticatedUsers' \
	--role='roles/editor'

02 The command request should return the metadata for the reconfigured IAM policy:

Updated IAM policy for image [cc-project5-prod-image].
bindings:
- members:
  - user:admin@cloudconformity.com
  role: roles/compute.imageUser
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  role: roles/owner
etag: abcdabcd
version: 1

03 Repeat step no. 1 and 2 to revoke access for other publicly shared virtual machine disk images created for the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed within your Google Cloud account.
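The Audit (part II) and Remediation (CLI) procedures above are repetitive across many projects and images, and they miss an image if the public member is bound under a second role. The following script is an added example, not part of the original article or of the Conformity tool: it consumes the JSON that compute images get-iam-policy --format=json prints, flags every binding that grants a role to allAuthenticatedUsers (and the broader allUsers), and builds the matching remove-iam-policy-binding command for each such binding. The sample policy embedded in it is constructed for the demonstration; fetch_policy() is the only part that calls gcloud, and the offline demo does not use it.

```python
"""Audit Compute Engine image IAM policies for public sharing (added example).

Input shape is the JSON printed by:
  gcloud compute images get-iam-policy IMAGE --project PROJECT --format=json
"""
import json
import shlex
import subprocess
from typing import Dict, List, Tuple

# Special members that make a resource public. allAuthenticatedUsers covers any
# Google account; allUsers is broader still and needs no authentication at all.
PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")


def public_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs in an image IAM policy that expose it publicly.

    A public member can appear under several roles, so every binding is walked
    rather than stopping at the first hit.
    """
    found = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((role, member))
    return found


def remediation_commands(project: str, image: str, policy: Dict) -> List[str]:
    """Build one remove-iam-policy-binding command per offending (role, member) pair."""
    cmds = []
    for role, member in public_bindings(policy):
        cmds.append(
            "gcloud compute images remove-iam-policy-binding "
            f"{shlex.quote(image)} --project {shlex.quote(project)} "
            f"--member={shlex.quote(member)} --role={shlex.quote(role)}"
        )
    return cmds


def fetch_policy(project: str, image: str) -> Dict:
    """Live lookup through the gcloud CLI (not exercised by the offline demo)."""
    out = subprocess.run(
        ["gcloud", "compute", "images", "get-iam-policy", image,
         "--project", project, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def audit_image(project: str, image: str, policy: Dict) -> Dict:
    """Summarise one image: whether it is public, which bindings, and how to fix it."""
    exposures = public_bindings(policy)
    return {
        "project": project,
        "image": image,
        "public": bool(exposures),
        "exposures": exposures,
        "fix": remediation_commands(project, image, policy),
    }


# Constructed sample policy (not real data) mirroring get-iam-policy --format=json output.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["allAuthenticatedUsers", "user:admin@cloudconformity.com"],
     "role": "roles/compute.imageUser"},
    {"members": ["allAuthenticatedUsers"], "role": "roles/editor"},
    {"members": ["serviceAccount:123412341234-compute@developer.gserviceaccount.com"],
     "role": "roles/owner"}
  ],
  "etag": "abcdabcd",
  "version": 1
}
""")


if __name__ == "__main__":
    # Offline demo on the constructed policy; swap in fetch_policy(...) for a live audit.
    report = audit_image("cc-project5-123123", "cc-project5-prod-image", SAMPLE_POLICY)
    print(json.dumps(report, indent=2))
```

Run as-is to see the report for the constructed policy: two exposures (roles/compute.imageUser and roles/editor) and two remove-iam-policy-binding commands, one per role. For a live sweep, iterate the project IDs from gcloud projects list and the image names from gcloud compute images list --no-standard-images, call fetch_policy() for each, and review the generated commands before executing them.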

Publication date May 4, 2021
