Overview
HTTP-triggered functions whose ingress setting is ALLOW_ALL (or left unspecified, which defaults to allowing all traffic) accept requests from any source on the public internet; the only remaining gate is the function's IAM invoker policy, and if that policy also permits it (for example, an allUsers invoker binding) the function is fully public. Even when authentication is required, unrestricted ingress widens the attack surface for authentication bypasses, application-level bugs, denial of service, and unauthenticated probing.
Restrict ingress to internal traffic, or to internal plus Google Cloud load balancer traffic, unless the function is intentionally public and protected by compensating controls such as IAM invoker authentication and a load balancer with Cloud Armor in front of it.
Remediation guidance
Remediation
Set the function's ingress policy to the narrowest mode that still supports the expected callers. Use internal-only when the function is called only from VPC networks in the same project or Shared VPC (including Cloud Run, App Engine, and other functions routed through a VPC connector), and internal-and-gclb when the function must also be reachable from the internet but only through an approved external HTTPS load balancer (for example, via a serverless NEG). Ingress restriction controls network reachability only; keep IAM invoker authentication in place as well, because ingress settings do not replace authorization.
gcloud CLI
gcloud functions deploy {{asset.name}} \
--region {{asset.region}} \
--ingress-settings internal-and-gclb
For strictly private functions, use:
gcloud functions deploy {{asset.name}} \
--region {{asset.region}} \
--ingress-settings internal-only
Validate the ingress setting after deployment; the command should print ALLOW_INTERNAL_ONLY or ALLOW_INTERNAL_AND_GCLB, while ALLOW_ALL or an empty value means the function is still open:
gcloud functions describe {{asset.name}} \
--region {{asset.region}} \
--format='value(ingressSettings)'
References
- https://cloud.google.com/functions/docs/networking/network-settings
- https://cloud.google.com/functions/docs/securing/authenticating
Query logic
These are the stored checks tied to this control.
HTTP Google Cloud Functions allowing all ingress
Expected check: eq [] (the control passes only when the query returns no assets)
{
functions(
where: {
cloudProvider: { eq: "gcp" }
OR: [
{ NOT: { triggerURL: { eq: "" } } }
{ NOT: { deployedURL: { eq: "" } } }
]
ingressSettings_IN: ["ALLOW_ALL", "INGRESS_SETTINGS_UNSPECIFIED", ""]
}
) {
...AssetFragment
}
}
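The stored query above flags any GCP function that has an HTTP trigger URL and whose ingress setting is ALLOW_ALL, unspecified, or empty. The script below is an added example, not part of the original page or of the vendor's product: it applies the same predicate to the JSON that `gcloud functions list --format=json` produces, so a practitioner can run the check locally before and after remediation, and it also implements the post-remediation validation step (accepting only ALLOW_INTERNAL_ONLY or ALLOW_INTERNAL_AND_GCLB). The field paths it reads (`httpsTrigger.url` and top-level `ingressSettings` for 1st-gen functions, `serviceConfig.uri`/`url` and `serviceConfig.ingressSettings` for 2nd-gen functions) and the sample records are assumptions constructed for this example.

```python
import json
import sys

# Ingress values the stored check treats as "open"; mirrors ingressSettings_IN in the query.
OPEN_INGRESS = {"ALLOW_ALL", "INGRESS_SETTINGS_UNSPECIFIED", ""}

# Values that satisfy the remediation (the only two restrictive modes Cloud Functions offers).
RESTRICTED_INGRESS = {"ALLOW_INTERNAL_ONLY", "ALLOW_INTERNAL_AND_GCLB"}


def function_ingress(fn):
    """Return (ingress_setting, http_url) for one function record.

    Field paths are assumptions about gcloud's JSON output for this example:
    1st-gen functions expose ingressSettings and httpsTrigger.url at the top level,
    2nd-gen functions nest ingressSettings and uri under serviceConfig (and also
    expose a top-level url). A missing setting is normalised to "" so that it is
    treated as open, matching the query's handling of unspecified values.
    """
    svc = fn.get("serviceConfig") or {}
    ingress = fn.get("ingressSettings") or svc.get("ingressSettings") or ""
    url = (fn.get("httpsTrigger") or {}).get("url") or svc.get("uri") or fn.get("url") or ""
    return ingress, url


def is_open_http_function(fn):
    """True when the function is HTTP-triggered and its ingress is not restricted."""
    ingress, url = function_ingress(fn)
    return bool(url) and ingress in OPEN_INGRESS


def find_open_http_functions(functions):
    """Names of all functions the control would flag, sorted for stable output."""
    return sorted(fn["name"] for fn in functions if is_open_http_function(fn))


def has_restricted_ingress(fn):
    """Post-remediation validation: the setting must be one of the two restrictive modes."""
    ingress, _ = function_ingress(fn)
    return ingress in RESTRICTED_INGRESS


# Constructed sample resembling `gcloud functions list --format=json` output (not real assets).
SAMPLE_FUNCTIONS = [
    {   # 1st-gen HTTP function left at the default: flagged
        "name": "projects/demo-proj/locations/us-central1/functions/public-api",
        "httpsTrigger": {"url": "https://us-central1-demo-proj.cloudfunctions.net/public-api"},
        "ingressSettings": "ALLOW_ALL",
    },
    {   # 1st-gen HTTP function already behind a load balancer: compliant
        "name": "projects/demo-proj/locations/us-central1/functions/lb-only-api",
        "httpsTrigger": {"url": "https://us-central1-demo-proj.cloudfunctions.net/lb-only-api"},
        "ingressSettings": "ALLOW_INTERNAL_AND_GCLB",
    },
    {   # Event-triggered function: no HTTP URL, so ingress does not matter to this check
        "name": "projects/demo-proj/locations/us-central1/functions/on-upload",
        "eventTrigger": {"eventType": "google.storage.object.finalize"},
        "ingressSettings": "ALLOW_ALL",
    },
    {   # 2nd-gen HTTP function with no ingress setting recorded: treated as open, flagged
        "name": "projects/demo-proj/locations/europe-west1/functions/gen2-webhook",
        "serviceConfig": {"uri": "https://gen2-webhook-abc123-ew.a.run.app"},
        "url": "https://gen2-webhook-abc123-ew.a.run.app",
    },
]


if __name__ == "__main__":
    # Usage: gcloud functions list --format=json | python audit_ingress.py
    # With no piped input the constructed sample is used instead.
    functions = SAMPLE_FUNCTIONS if sys.stdin.isatty() else json.load(sys.stdin)
    for name in find_open_http_functions(functions):
        print("OPEN INGRESS:", name)
```

Piping real `gcloud functions list --format=json` output into the script reports each HTTP function the control would flag; an empty report corresponds to the page's expected result of `eq []`.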
Connectors: Google Cloud