lacework-global-270
5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible (Automated)
Profile Applicability
• Level 1
Description
It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access.
Rationale
Allowing anonymous or public access grants anyone permission to read the bucket's content. Such access is rarely desired if the bucket stores any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.
Impact
No storage buckets would be publicly accessible. You would have to explicitly administer bucket access for every principal that needs it.
Audit
From Console:
- Go to Storage browser by visiting https://console.cloud.google.com/storage/browser.
- Click on each bucket name to go to its Bucket details page.
- Click on the Permissions tab.
- Ensure that allUsers and allAuthenticatedUsers are not in the Members list.
From Command Line:
- List all buckets in a project
gsutil ls
- Check the IAM Policy for each bucket:
gsutil iam get gs://BUCKET_NAME
No role should contain allUsers and/or allAuthenticatedUsers as a member.
Using REST API:
- List all buckets in a project
GET https://www.googleapis.com/storage/v1/b?project=<ProjectName>
- Check the IAM Policy for each bucket
GET https://www.googleapis.com/storage/v1/b/<bucketName>/iam
No role should contain allUsers and/or allAuthenticatedUsers as a member.
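As an added example (not part of the benchmark text), the following Python evaluates the IAM policy document that `gsutil iam get gs://BUCKET_NAME` or the REST GET call above returns, and reports every binding that grants a role to allUsers or allAuthenticatedUsers. The sample policy embedded in it is constructed for illustration; the bucket, project and members are not real.

```python
import json

# Principals that make a bucket anonymously or publicly accessible.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy):
    """Return [(role, member), ...] for every binding that grants a role to
    allUsers or allAuthenticatedUsers. `policy` is the parsed IAM policy as
    returned by `gsutil iam get gs://BUCKET` or GET .../b/BUCKET/iam."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member))
    return findings


def is_public(policy):
    """True if any role in the policy is granted to a public principal."""
    return bool(find_public_bindings(policy))


def audit_policy_json(policy_json):
    """Parse a policy document (JSON text) and return its public bindings."""
    return find_public_bindings(json.loads(policy_json))


# Constructed sample policy in the shape `gsutil iam get` prints;
# example-project, alice@example.com and the etag are illustrative only.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/storage.objectCreator",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "CAE="
}
"""

if __name__ == "__main__":
    for role, member in audit_policy_json(SAMPLE_POLICY_JSON):
        print(f"FAIL: {member} is granted {role}")
```

Pipe the real output of `gsutil iam get gs://BUCKET_NAME` into `audit_policy_json` for each bucket listed by `gsutil ls`; an empty result means the bucket passes this check.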
Remediation
From Console:
- Go to Storage browser by visiting https://console.cloud.google.com/storage/browser.
- Click on the bucket name to go to its Bucket details page.
- Click on the Permissions tab.
- Click the Delete button in front of allUsers and allAuthenticatedUsers to remove that particular role assignment.
From Command Line:
Remove allUsers and allAuthenticatedUsers access:
gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME
Prevention:
You can prevent Storage buckets from becoming publicly accessible by setting up the Domain restricted sharing organization policy (constraints/iam.allowedPolicyMemberDomains) at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains. With that constraint in place, allUsers and allAuthenticatedUsers cannot be added to IAM policies in the organization.
References
https://cloud.google.com/storage/docs/access-control/iam-reference
https://cloud.google.com/storage/docs/access-control/making-data-public
https://cloud.google.com/storage/docs/gsutil/commands/iam
Additional Information
To implement access restrictions on buckets, configuring bucket IAM is the preferred way rather than configuring bucket ACLs. In the GCP console, "Edit Permissions" for a bucket exposes IAM configuration only. Bucket ACLs are configured automatically as needed in order to implement and support the user-enforced bucket IAM policy. In case an administrator changes the bucket ACL using the command line (gsutil) or the API, the bucket IAM policy is also updated automatically, so a public grant made through either mechanism will show up in the IAM policy checked above.