📝 Google Storage Bucket is anonymously or publicly accessible 🟢

• Contextual name: 📝 Bucket is anonymously or publicly accessible 🟢
• ID: /ce/ca/google/storage/storage-bucket-public-access
• Located in: 📁 Google Storage

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Check for Publicly Accessible Cloud Storage Buckets

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Storage Bucket
  • 🔌 Google IAM Policy Binding - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.

Rationale

Allowing anonymous or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.

Impact

No storage buckets would be publicly accessible. You would have to explicitly administer bucket access.

Audit

From Google Cloud Console

1. Go to Storage browser by visiting https://console.cloud.google.com/storage/browser.
2. Click on each bucket name to go to its Bucket details page.
3. Click on the Permissions tab.
4. Ensure that allUsers and allAuthenticatedUsers are not in the Members list.

From Google Cloud CLI

1. List all buckets in a project

        gsutil ls

2. Check the IAM Policy for each bucket:

        gsutil iam get gs://BUCKET_NAME

No role should contain allUsers and/or allAuthenticatedUsers as a member.

Using Rest API

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to Storage browser by visiting https://console.cloud.google.com/storage/browser.
2. Click on the bucket name to go to its Bucket details page.
3. Click on the Permissions tab.
4. Click Delete button in front of allUsers and allAuthenticatedUsers to remove that particular role assignment.

From Google Cloud CLI

Remove allUsers and allAuthenticatedUsers access.

        gsutil iam ch -d allUsers gs://BUCKET_NAME 
        gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible - Level 1 (Automated)			1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			24