Compute Engine disk image is not publicly shared
compute_image_not_publicly_shared
Custom disk images should not be shared publicly with allAuthenticatedUsers. Per Google Cloud API restrictions, allUsers cannot be assigned to Compute Engine images. The concern is allAuthenticatedUsers, which grants access to anyone with a Google account, potentially exposing application snapshots and sensitive data.
Risk
Publicly shared disk images can expose sensitive data and application configurations to unauthorized users.
- Any authenticated GCP user can access the image content
- Could lead to data breaches if images contain secrets or proprietary code
- Attackers may use exposed images to understand application architecture
prowler gcp --checks compute_image_not_publicly_shared
Recommendation
Restrict access to custom disk images by removing the allAuthenticatedUsers IAM binding. Apply the principle of least privilege by granting access only to specific users, groups, or service accounts that require it.
Remediation
gcloud compute images remove-iam-policy-binding IMAGE_NAME --member='allAuthenticatedUsers' --role='ROLE_NAME'
- Go to the GCP Console
- Navigate to Compute Engine > Images
- Select the disk image
- Click on the INFO PANEL to view permissions
- Remove allAuthenticatedUsers bindings
- Click Save
Source Code
Resource Type
compute.googleapis.com/Image