🛡️ Google Cloud Function Environment Variables store confidential data🟢⚪

• Contextual name: 🛡️ Cloud Function Environment Variables store confidential data🟢⚪
• ID: /ce/ca/google/cloud-run/function-environment-variables-store-confidential-data
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Similar Policies

• Cloud Conformity: Use Secrets Manager for Managing Secrets in Google Cloud Functions

Description

Open File

Description

Google Cloud Functions allow you to host serverless code that is executed when an event is triggered, without requiring management of a host operating system. These functions can also store environment variables to be used by the code that may contain authentication or other information that needs to remain confidential.

Rationale

It is recommended to use Secret Manager, because environment variables are stored unencrypted and accessible to all users who have access to the code.

Impact

There should be no impact on the Cloud Function. There are minor costs after 10,000 requests per month to the Secret Manager API, and higher usage of other functions may incur additional costs. Modifying the Cloud Function to use Secret Manager may prevent it from running to completion.

Audit

Determine if Confidential Information is Stored in your Functions in Cleartext

From Google Cloud Console

1. Within the project you wish to audit, select the Navigation hamburger menu in the top left. Scroll down to under the heading Serverless, then select Cloud Functions

... see more

Remediation

Open File

Remediation

Enable Secret Manager API for your Project

From Google Cloud Console

1. Within the project you wish to enable, select the Navigation hamburger menu in the top left. Hover over APIs & Services to under the heading Serverless, then select Enabled APIs & Services in the menu that opens up.
2. Click the button + Enable APIs and Services
3. In the Search bar, search for Secret Manager API and select it.
4. Click the blue box that says Enable.

From Google Cloud CLI

1. Within the project you wish to enable the API in, run the following command.

   gcloud services enable Secret Manager API

Reviewing Environment Variables That Should Be Migrated to Secret Manager

From Google Cloud Console

1. Log in to the Google Cloud Web Portal
2. Go to Cloud Functions
3. Click on a function name from the list
4. Click on Edit and review the Runtime environment for variables that should be secrets. Leave this list open for the next step.

From Google Cloud CLI

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.3.0 → 💼 1.18 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager - Level 1 (Manual)			1		no data
💼 CIS GCP v2.0.0 → 💼 1.18 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager - Level 1 (Manual)			1		no data
💼 CIS GCP v3.0.0 → 💼 1.17 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager - Level 1 (Manual)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			53		no data