
lacework-global-270

5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible (Automated)

Profile Applicability

• Level 1

Description

Best practices recommend that the Identity and Access Management (IAM) policy on a Cloud Storage bucket does not allow anonymous or public access.

Rationale

Allowing anonymous or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.

Impact

No storage buckets would be publicly accessible. You would have to explicitly administer bucket access.

Audit

From Console:

  1. Go to Storage browser by visiting https://console.cloud.google.com/storage/browser.
  2. Click on each bucket name to go to its Bucket details page.
  3. Click on the Permissions tab.
  4. Ensure that allUsers and allAuthenticatedUsers are not in the Members list.

From Command Line:

  1. List all buckets in a project:
     gsutil ls
  2. Check the IAM policy for each bucket:
     gsutil iam get gs://BUCKET_NAME

No role should contain allUsers and/or allAuthenticatedUsers as a member.

Using REST API

  1. List all buckets in a project:
     GET https://www.googleapis.com/storage/v1/b?project=<ProjectName>
  2. Check the IAM policy for each bucket:
     GET https://www.googleapis.com/storage/v1/b/<bucketName>/iam

No role should contain allUsers and/or allAuthenticatedUsers as a member.
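As an added example (not part of the benchmark or of any Lacework or Google tooling), the following Python check applies the audit logic above to the JSON document that `gsutil iam get` or the REST `/iam` endpoint returns, flags any binding whose members include allUsers or allAuthenticatedUsers, and derives the matching `gsutil iam ch -d` remediation commands. The bucket names and policies are constructed sample data.

```python
import json

# Principals that make a bucket anonymously or publicly accessible.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy_json):
    """Return (role, member) pairs that grant access to allUsers or
    allAuthenticatedUsers. policy_json is the JSON document (string or
    parsed dict) returned by `gsutil iam get gs://BUCKET` or
    GET https://www.googleapis.com/storage/v1/b/BUCKET/iam."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def audit_buckets(policies):
    """policies maps bucket name -> IAM policy; returns {bucket: findings}
    for every bucket that fails the control (empty dict means compliant)."""
    result = {}
    for bucket, policy in policies.items():
        findings = public_bindings(policy)
        if findings:
            result[bucket] = findings
    return result


def remediation_commands(audit_result):
    """One `gsutil iam ch -d` command per public member per failing bucket."""
    cmds = []
    for bucket, findings in audit_result.items():
        for member in sorted({m for _, m in findings}):
            cmds.append(f"gsutil iam ch -d {member} gs://{bucket}")
    return cmds


# Constructed sample policies (bucket names and project are hypothetical);
# the shape matches what gsutil and the REST API return.
SAMPLE_POLICIES = {
    "example-public-assets": json.dumps({
        "bindings": [
            {"role": "roles/storage.legacyBucketOwner",
             "members": ["projectOwner:example-project"]},
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        ],
        "etag": "CAE=",
    }),
    "example-private-data": json.dumps({
        "bindings": [
            {"role": "roles/storage.objectAdmin",
             "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        ],
        "etag": "CAE=",
    }),
}

if __name__ == "__main__":
    failing = audit_buckets(SAMPLE_POLICIES)
    for bucket, findings in failing.items():
        print(f"FAIL {bucket}: {findings}")
    for cmd in remediation_commands(failing):
        print(cmd)
```

In practice the policies dict is filled by running `gsutil iam get` for each bucket name printed by `gsutil ls`.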

Remediation

From Console:

  1. Go to Storage browser by visiting: https://console.cloud.google.com/storage/browser.
  2. Click the bucket name to go to its Bucket details page.
  3. Click the Permissions tab.
  4. Click the Delete button next to allUsers and allAuthenticatedUsers to remove that particular role assignment.

From Command Line:

Remove allUsers and allAuthenticatedUsers access.

gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME

Prevention:

You can prevent Storage buckets from becoming publicly accessible by setting up the Domain restricted sharing organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains.

References

https://cloud.google.com/storage/docs/access-control/iam-reference
https://cloud.google.com/storage/docs/access-control/making-data-public
https://cloud.google.com/storage/docs/gsutil/commands/iam

Additional Information

To implement access restrictions on buckets, best practices recommend configuring bucket IAM rather than configuring the bucket Access Control List (ACL). In the GCP console, "Edit Permissions" for a bucket exposes IAM configuration only. Bucket ACLs are configured automatically as needed to implement and support the user-enforced bucket IAM policy. If an administrator changes the bucket ACL using the command line (gsutil) or the API, the bucket IAM policy is also updated automatically.