Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible

It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access. Note: GCP recommends enabling uniform bucket-level access so that access to the bucket is governed by its IAM policy only.

Risk Level: Critical
Cloud Entity: Storage Bucket
CloudGuard Rule ID: D9.GCP.IAM.09
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageBucket should not have iamPolicy with [ bindings contain [ members contain-any [ $ in ( 'allUsers', 'allAuthenticatedUsers' ) ] ] ]

REMEDIATION

From Portal

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Storage.
  3. Navigate to Bucket details page, select bucket name.
  4. Click Permissions tab.
  5. To remove a specific role assignment, click Delete next to the allUsers and allAuthenticatedUsers entries.

From TF
Set the members list so that it does not include the members 'allAuthenticatedUsers' and 'allUsers':

# google_storage_bucket_iam_binding is the resource that takes a members list
# (google_storage_bucket_iam_member takes a single member). BUCKET_NAME, ROLE
# and MEMBERS_LIST are placeholders.
resource "google_storage_bucket_iam_binding" "binding" {
	bucket = "BUCKET_NAME"
	role   = "ROLE"
	# MEMBERS_LIST must not contain "allUsers" or "allAuthenticatedUsers"
	members = [
	MEMBERS_LIST
	]
}

From Command Line
Run

gsutil iam ch -d allUsers gs://BUCKET_NAME

and

gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME
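The following is an added example, not part of the CloudGuard rule or of any Google tooling. It applies the GSL logic above to the JSON shape that `gsutil iam get gs://BUCKET_NAME` returns, and computes the policy that the two `gsutil iam ch -d` commands leave behind (each public principal removed from every role it appears in). The bucket policy, principals and etag are constructed for the example; the decision to drop a binding whose member list becomes empty is an assumption made to keep the resulting policy valid.

```python
"""Check a Cloud Storage bucket IAM policy for anonymous/public access
(CloudGuard D9.GCP.IAM.09) and derive the cleaned-up policy."""
import copy
import json

# The two principals the rule flags, matching the GSL logic above.
PUBLIC_MEMBERS = frozenset({"allUsers", "allAuthenticatedUsers"})

# Constructed sample in the shape returned by `gsutil iam get gs://BUCKET_NAME`.
# Roles are real predefined roles; principals and etag are made up.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.admin",
     "members": ["group:storage-admins@example.com"]}
  ],
  "etag": "CAE="
}
"""


def parse_policy(text):
    """Parse the JSON policy document into a dict."""
    return json.loads(text)


def public_bindings(policy):
    """Return (role, member) pairs that grant a role to allUsers or
    allAuthenticatedUsers. An empty list means the bucket passes the rule."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def is_compliant(policy):
    """True when no binding contains a public principal."""
    return not public_bindings(policy)


def remove_public_members(policy):
    """Return a copy of the policy with allUsers and allAuthenticatedUsers
    removed from every binding, i.e. the effect of running
    `gsutil iam ch -d allUsers` and `gsutil iam ch -d allAuthenticatedUsers`.
    Bindings left with no members are dropped (assumption: an empty binding
    has no effect and would not be accepted on upload). The etag is kept so a
    caller could submit the result as a conditional update."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", [])
                              if m not in PUBLIC_MEMBERS]
        if binding["members"]:
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_JSON)
    for role, member in public_bindings(policy):
        print(f"FAIL: {member} is granted {role}")
    print("cleaned policy:")
    print(json.dumps(remove_public_members(policy), indent=2))
```

On a real bucket the input would come from `gsutil iam get gs://BUCKET_NAME`; the script only evaluates and rewrites the document and never writes anything back.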

References

  1. https://cloud.google.com/storage/docs/gsutil/commands/mb
  2. https://cloud.google.com/storage/docs/access-control/iam

Storage Bucket

Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. You can use buckets to organize your data and control access to your data, but unlike directories and folders, you cannot nest buckets. Because there are limits to bucket creation and deletion, you should design your storage applications to favor intensive object operations and relatively few bucket operations.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP Dashboard System Ruleset
  • GCP GDPR Readiness
  • GCP HIPAA
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0