🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled🟢

• Contextual name: 🛡️ Bucket Uniform Bucket-Level Access is not enabled🟢
• ID: /ce/ca/google/storage/uniform-bucket-level-access
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Storage Bucket
  • 🔌 Google Storage Bucket - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable Uniform Bucket-Level Access for Cloud Storage Buckets

Description

Open File

Description

It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.

Rationale

It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.

Cloud Storage offers two systems for granting users permission to access your buckets and objects: Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs). These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission. Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels. ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access. Using this feature disables ACLs for all Cloud Storage resources: access to Cloud Storage resources then is granted exclusively through Cloud IAM. Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible, no object in the bucket is publicly accessible either.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Open the Cloud Storage browser in the Google Cloud Console by visiting: https://console.cloud.google.com/storage/browser
2. In the list of buckets, click on the name of the desired bucket.
3. Select the Permissions tab near the top of the page.
4. In the text box that starts with This bucket uses fine-grained access control..., click Edit.
5. In the pop-up menu that appears, select Uniform.
6. Click Save.

From Google Cloud CLI

Use the on option in a uniformbucketlevelaccess set command:

        gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 5.2 Ensure that Cloud Storage buckets have uniform bucket-level access enabled - Level 2 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled - Level 2 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled - Level 2 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled - Level 2 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			57		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	68		no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			15		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	57		no data
💼 FedRAMP High Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68		no data
💼 FedRAMP Low Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			15		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		57		no data
💼 FedRAMP Moderate Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets		11	27		no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		14	31		no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction		10	24		no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code		8	22		no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			95		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	40		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			15		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	50		no data
💼 NIST SP 800-53 Revision 5 → 💼 MP-2 Media Access	2		13		no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	56		no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			56		no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			56		no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	56		no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			56		no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities		15	36		no data
💼 SOC 2 → 💼 CC6.1-3 Restricts Logical Access		1	22		no data
💼 SOC 2 → 💼 CC6.1-7 Restricts Access to Information Assets		13	27		no data