projectdiscovery · princechaddha · Jan 15, 2025
diff --git a/cloud/gcp/api/gcloud-api-key-restrictions-missing.yaml b/cloud/gcp/api/gcloud-api-key-restrictions-missing.yaml
@@ -0,0 +1,72 @@
+id: gcloud-api-key-restrictions-missing
+
+info:
+  name: Missing API Key API Restrictions
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure that the usage of your Google Cloud API keys is restricted to specific APIs such as Cloud Key Management Service (KMS) API, Cloud Storage API, Cloud Monitoring API, and Cloud Logging API. All Google Cloud API keys that are being used for production applications should use API restrictions.
+  impact: |
+    API keys without specific API restrictions can be used to access any GCP API, potentially leading to unauthorized access and misuse of resources. Implementing API restrictions helps in limiting the scope of API keys to intended services only.
+  remediation: |
+    Apply API restrictions to each Google Cloud API key to limit their usage to specific APIs. This can be managed through the Google Cloud Console or using the gcloud command-line tool.
+  reference:
+    - https://cloud.google.com/api-keys/docs/restricting-api-keys
+  tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config
+
+flow: |
+  code(1)
+  for(let projectId of iterate(template.projectIds)){
+    set("projectId", projectId)
+    code(2)
+    for(let apiKey of iterate(template.apiKeys)){
+      set("apiKeyUid", apiKey)
+      code(3)
+    }
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud projects list --format="json(projectId)"
+
+    extractors:
+      - type: json
+        name: projectIds
+        internal: true
+        json:
+          - '.[].projectId'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud alpha services api-keys list --project=$projectId --format="json(uid)"
+
+    extractors:
+      - type: json
+        name: apiKeys
+        internal: true
+        json:
+          - '.[].uid'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud alpha services api-keys describe $apiKeyUid --format="json(restrictions)"
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'null'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Unrestricted API Key: " + apiKeyUid + " in Project: " + projectId'
diff --git a/cloud/gcp/api/gcloud-api-key-unrestricted.yaml b/cloud/gcp/api/gcloud-api-key-unrestricted.yaml
@@ -0,0 +1,71 @@
+id: gcloud-api-key-unrestricted
+
+info:
+  name: Unrestricted API Key Usage
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure that the use of Google Cloud API keys is limited to trusted and reliable hosts, HTTP referrers, or applications. An API key application restriction manages the authorization of websites, IP addresses, or Android/iOS mobile applications that can employ your API key. It is crucial that all API keys used in production employ host and application restrictions. By enforcing these restrictions, you can reduce the impact that a compromised API key can have on your applications.
+  impact: |
+    API keys without restrictions can be used unrestrictedly, which might lead to unauthorized access and misuse, potentially exposing sensitive data or services.
+  remediation: |
+    Apply restrictions to all production API keys to specify the allowed websites, IP addresses, or mobile applications that can use each key, to mitigate potential abuse.
+  reference:
+    - https://cloud.google.com/docs/authentication/api-keys#restricting_api_keys
+  tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config
+
+flow: |
+  code(1)
+  for(let projectId of iterate(template.projectIds)){
+    set("projectId", projectId)
+    code(2)
+    for(let uid of iterate(template.uids)){
+      set("uid", uid)
+      code(3)
+    }
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud projects list --format="json(projectId)"
+
+    extractors:
+      - type: json
+        name: projectIds
+        internal: true
+        json:
+          - '.[].projectId'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud alpha services api-keys list --project $projectId --format="json(uid)"
+
+    extractors:
+      - type: json
+        name: uids
+        internal: true
+        json:
+          - '.[].uid'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud alpha services api-keys describe $uid --format="json(restrictions)"
+
+    matchers:
+      - type: word
+        words:
+          - 'null'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Unrestricted API Key: " + uid + " in Project: " + projectId'
diff --git a/cloud/gcp/api/gcloud-api-keys-inactive-services.yaml b/cloud/gcp/api/gcloud-api-keys-inactive-services.yaml
@@ -0,0 +1,60 @@
+id: gcloud-api-keys-inactive-services
+
+info:
+  name: API Keys Should Only Exist for Active Services
+  author: princechaddha
+  severity: low
+  description: |
+    Ensure that your Google Cloud projects are using the standard authentication flow as the preferred method for authentication, rather than relying on API keys. API keys are simple encrypted strings that can be used when calling certain APIs which don't need to access private user data. API keys should be exclusively employed for active services when alternative authentication methods are not accessible, otherwise deleted.
+  impact: |
+    Using API keys for inactive services can expose your applications to unnecessary security risks. It is advisable to employ standard authentication methods and ensure that API keys are used judiciously and only for active services.
+  remediation: |
+    Review and ensure that API keys are only configured for active services. Delete or disable API keys associated with inactive or unnecessary services to minimize security risks.
+  reference:
+    - https://cloud.google.com/docs/authentication/api-keys
+  tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config
+
+flow: |
+  code(1)
+  for(let projectId of iterate(template.projectIds)){
+    set("projectId", projectId)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud projects list --format="json(projectId)"
+
+    extractors:
+      - type: json
+        name: projectIds
+        internal: true
+        json:
+          - '.[].projectId'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud alpha services api-keys list --project=$projectId --format="json(uid)"
+
+    matchers:
+      - type: word
+        words:
+          - 'uid'
+
+    extractors:
+      - type: json
+        name: uid
+        internal: true
+        json:
+          - '.[].uid'
+
+      - type: dsl
+        dsl:
+          - '"Inactive API Key found: UID: " + uid + " in Project: " + projectId'
diff --git a/cloud/gcp/api/gcloud-critical-service-apis-disabled.yaml b/cloud/gcp/api/gcloud-critical-service-apis-disabled.yaml
@@ -0,0 +1,53 @@
+id: gcloud-critical-service-apis-disabled
+
+info:
+  name: Critical Service APIs Not Enabled
+  author: princechaddha
+  severity: critical
+  description: |
+    Ensure that critical service APIs are enabled for your GCP projects to gain access to essential functionalities and services provided by Google Cloud Platform (GCP), manage your project resources efficiently, enhance the security of your cloud environment, and track your usage and billing. The critical service APIs include, but are not limited to, Identity and Access Management (IAM) API, Compute Engine API, Cloud Storage, Google Cloud Pub/Sub API, Cloud Key Management Service (KMS) API, and Cloud Logging API.
+  impact: |
+    Disabling critical service APIs can prevent the proper management and security of GCP resources, potentially leading to service disruptions or compromised security.
+  remediation: |
+    Enable the necessary service APIs via the GCP Console or the gcloud command-line tool for each project where they are found to be disabled.
+  reference:
+    - https://cloud.google.com/service-usage/docs/enable-disable
+  tags: cloud,devops,gcp,gcloud,api-management,gcp-cloud-config
+
+flow: |
+  code(1)
+  for(let projectId of iterate(template.projectIds)){
+    set("projectId", projectId)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud projects list --format="json(projectId)"
+    extractors:
+      - type: json
+        name: projectIds
+        internal: true
+        json:
+          - '.[].projectId'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud services list --project $projectId --enabled --filter=name:iam.googleapis.com --format="json" | jq '.'
+
+    matchers:
+      - type: word
+        words:
+          - '[]'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Critical API not enabled: IAM API in Project: " + projectId'
diff --git a/cloud/gcp/api/gcloud-security-center-api-disabled.yaml b/cloud/gcp/api/gcloud-security-center-api-disabled.yaml
@@ -0,0 +1,54 @@
+id: gcloud-security-center-api-disabled
+
+info:
+  name: Security Command Center API Disabled
+  author: princechaddha
+  severity: high
+  description: |
+    To access historical security findings and asset data in Security Command Center, ensure that the Security Command Center API is enabled within your Google Cloud account. If the API is not enabled, certain security features and monitoring capabilities will be unavailable.
+  impact: |
+    Disabling the Security Command Center API may limit visibility and control over security threats, leading to potential vulnerabilities and undetected risks within Google Cloud environments.
+  remediation: |
+    Enable the Security Command Center API for each Google Cloud project to maintain proper security monitoring and threat detection capabilities. This can be done through the Google Cloud Console or using the `gcloud services enable securitycenter.googleapis.com` command.
+  reference:
+    - https://cloud.google.com/security-command-center/docs/reference/rest
+  tags: cloud,devops,gcp,gcloud,security-center,gcp-cloud-config
+
+flow: |
+  code(1)
+  for(let projectId of iterate(template.projectIds)){
+    set("projectId", projectId)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud projects list --format="json(projectId)"
+
+    extractors:
+      - type: json
+        name: projectIds
+        internal: true
+        json:
+          - '.[].projectId'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud services list --project $projectId --enabled --filter="name:securitycenter.googleapis.com" --format="json"
+
+    matchers:
+      - type: word
+        words:
+          - '[]'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Security Command Center API is not enabled in Project: " + projectId'
diff --git a/cloud/gcp/api/gcloud-vm-os-config-disabled.yaml b/cloud/gcp/api/gcloud-vm-os-config-disabled.yaml
@@ -0,0 +1,54 @@
+id: gcloud-cloud-asset-disabled
+
+info:
+  name: Cloud Asset Inventory Not Enabled
+  author: princechaddha
+  severity: high
+  description: |
+    Ensure that Cloud Asset Inventory is enabled for all your GCP projects in order to efficiently manage the history and the inventory of your cloud resources. Google Cloud Asset Inventory is a fully managed metadata inventory service that allows you to view, monitor, analyze, and gain insights for your Google Cloud and Anthos assets. Cloud Asset Inventory is disabled by default in each GCP project.
+  impact: |
+    Not having Cloud Asset Inventory enabled can prevent the organization from having a managed and insightful view over its cloud resources, potentially leading to mismanagement and security risks.
+  remediation: |
+    Enable the Google Cloud Asset Inventory by activating the Cloud Asset API in each GCP project through the Google Cloud Console or using the `gcloud services enable cloudasset.googleapis.com --project <project-id>` command.
+  reference:
+    - https://cloud.google.com/asset-inventory/docs
+  tags: cloud,devops,gcp,gcloud,cloud-asset,gcp-cloud-config
+
+flow: |
+  code(1)
+  for(let projectId of iterate(template.projectIds)){
+    set("projectId", projectId)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud projects list --format="json(projectId)"
+
+    extractors:
+      - type: json
+        name: projectIds
+        internal: true
+        json:
+          - '.[].projectId'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      gcloud services list --project $projectId --enabled --filter="name:cloudasset.googleapis.com" --format="json"
+
+    matchers:
+      - type: word
+        words:
+          - '[]'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"OS Config service is disabled for Project: " + projectId'