Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled

It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets. It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.

Cloud Storage offers two systems for granting users permission to access your buckets and objects: Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs). These systems act in parallel: in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission. Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels. ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access. Using this feature disables ACLs for all Cloud Storage resources: access to Cloud Storage resources is then granted exclusively through Cloud IAM. Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible, no object in the bucket is publicly accessible either.

If you enable uniform bucket-level access, you revoke access from users who gain their access solely through object ACLs. Certain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot export to Cloud Storage buckets that have uniform bucket-level access enabled.

Risk Level: Low
Cloud Entity: Storage Bucket
CloudGuard Rule ID: D9.GCP.IAM.27
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageBucket should have iamConfiguration.uniformBucketLevelAccess.enabled=true
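The GSL line above can be evaluated offline against bucket metadata. The following is an added example, not CloudGuard's own rule engine: it assumes bucket metadata in the shape of the Cloud Storage JSON API bucket resource (the `iamConfiguration.uniformBucketLevelAccess.enabled` and `defaultObjectAcl` fields), treats a bucket with no `iamConfiguration` block as non-compliant (ACLs are still honoured there), and, going one step beyond the rule, reports whether a non-compliant bucket's default object ACL grants access to `allUsers` or `allAuthenticatedUsers`, which is exactly the exposure uniform access removes. The sample buckets are constructed for illustration.

```python
# Added example (not part of the CloudGuard rule page): evaluates the GSL
# logic "iamConfiguration.uniformBucketLevelAccess.enabled=true" offline over
# bucket metadata shaped like the Cloud Storage JSON API bucket resource.
from __future__ import annotations

from typing import Any, Iterable

RULE_ID = "D9.GCP.IAM.27"
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def uniform_access_enabled(bucket: dict[str, Any]) -> bool:
    """True only when iamConfiguration.uniformBucketLevelAccess.enabled is
    exactly True. A bucket with no iamConfiguration block still honours ACLs,
    so a missing field counts as disabled, not as unknown."""
    iam_cfg = bucket.get("iamConfiguration") or {}
    ubla = iam_cfg.get("uniformBucketLevelAccess") or {}
    return ubla.get("enabled") is True


def public_default_object_acl(bucket: dict[str, Any]) -> list[str]:
    """Roles granted to allUsers / allAuthenticatedUsers in the bucket's
    defaultObjectAcl. Only meaningful while ACLs are still in force, i.e.
    while uniform bucket-level access is off."""
    return [
        f"{entry['entity']}:{entry.get('role', '?')}"
        for entry in bucket.get("defaultObjectAcl", [])
        if entry.get("entity") in PUBLIC_ENTITIES
    ]


def evaluate(bucket: dict[str, Any]) -> dict[str, Any]:
    """One finding per bucket; non-compliant buckets carry the gsutil
    remediation command given on the rule page."""
    name = bucket["name"]
    compliant = uniform_access_enabled(bucket)
    return {
        "rule": RULE_ID,
        "bucket": name,
        "compliant": compliant,
        "public_default_object_acl": [] if compliant else public_default_object_acl(bucket),
        "remediation": None if compliant else f"gsutil uniformbucketlevelaccess set on gs://{name}/",
    }


def audit(buckets: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    return [evaluate(b) for b in buckets]


# Constructed sample metadata (not real buckets).
SAMPLE_BUCKETS = [
    {   # compliant: uniform access on, ACLs disabled
        "name": "example-prod-logs",
        "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
    },
    {   # non-compliant: ACLs still active and the default object ACL is public
        "name": "example-legacy-assets",
        "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
        "defaultObjectAcl": [
            {"entity": "project-owners-123456", "role": "OWNER"},
            {"entity": "allUsers", "role": "READER"},
        ],
    },
    {   # non-compliant: no iamConfiguration block at all
        "name": "example-old-bucket",
    },
]


def noncompliant_names(buckets: Iterable[dict[str, Any]] = SAMPLE_BUCKETS) -> list[str]:
    return [f["bucket"] for f in audit(buckets) if not f["compliant"]]


if __name__ == "__main__":
    for finding in audit(SAMPLE_BUCKETS):
        status = "PASS" if finding["compliant"] else "FAIL"
        print(f"{status} {finding['bucket']} public_default_acl={finding['public_default_object_acl']}")
        if finding["remediation"]:
            print(f"     fix: {finding['remediation']}")
```

To run it against real data, feed `audit()` the `items` array from a `buckets.list` API response (or the JSON output of a `gcloud storage buckets list --format=json` call) instead of `SAMPLE_BUCKETS`; the check deliberately keys on `is True` so that a string `"true"` or a missing field never passes.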

REMEDIATION

From Portal

  1. Open the Cloud Storage browser in the Google Cloud Console by visiting: https://console.cloud.google.com/storage/browser
  2. In the list of buckets, click on the name of the desired bucket.
  3. Select the Permissions tab near the top of the page.
  4. In the text box named Access Control, click the Switch to link. Note that the text box disappears 90 days after you enable uniform bucket-level access.
  5. In the pop-up menu that appears, select Uniform or Fine-grained.
  6. Click Save.

From Command Line

  1. List all buckets in the project:
     gsutil ls
  2. Use the 'on' option in a uniformbucketlevelaccess set command:
     gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/

From Terraform
Use the resource google_storage_bucket with the argument uniform_bucket_level_access set to true:

resource "google_storage_bucket" "My-bucket" {
	project       = "PROJECT_ID"
	name          = "BUCKET_NAME"
	location      = "CHOOSE_REGION"
	
	uniform_bucket_level_access = true
}

References

  1. https://cloud.google.com/storage/docs/uniform-bucket-level-access
  2. https://cloud.google.com/storage/docs/using-uniform-bucket-level-access
  3. https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket
  4. https://workbench.cisecurity.org/sections/507173/recommendations/827577

Storage Bucket

Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. You can use buckets to organize your data and control access to your data, but unlike directories and folders, you cannot nest buckets. Because there are limits to bucket creation and deletion, you should design your storage applications to favor intensive object operations and relatively few buckets operations.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5