Ensure that Cloud Storage bucket is not anonymously or publicly accessible

GSL Logic
Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read
Learn more:
Compliance Engine
GSL Language
Remediation
From Portal
1. Log in to the GCP Console at https://console.cloud.google.com.
2. Navigate to Storage.
3. Navigate to Bucket details page, select bucket name.
4. Click Permissions tab.
5. To remove a specific role assignment, click Delete in front of allUsers and allAuthenticatedUsers.
From TF
Set the members list so that it does not include 'allUsers' or 'allAuthenticatedUsers'. Note that google_storage_bucket_iam_member takes a single member; the members list belongs on google_storage_bucket_iam_binding:
# google_storage_bucket_iam_binding is the resource that carries a members list
# (google_storage_bucket_iam_member only accepts a single "member" argument)
resource "google_storage_bucket_iam_binding" "binding" {
  ..
  # MEMBERS_LIST must not contain "allUsers" or "allAuthenticatedUsers"
  members = [
    MEMBERS_LIST
  ]
  ..
}
From Command Line
Run
and
References
1. https://cloud.google.com/storage/docs/gsutil/commands/mb
2. https://cloud.google.com/storage/docs/access-control/iam
Auto Remediation Using Cloudbots
What it does: Deletes IAM rules of a Storage Bucket that allow public access
Usage: storage_bucket_remove_allow_public_access_rules
Example: storage_bucket_remove_allow_public_access_rules
Limitations: None
Example GSL: StorageBucket should not have iamPolicy with [ bindings contain [ members contain-any [ $ in ( 'allUsers', 'allAuthenticatedUsers' ) ] ] ]
Associated Rule: D9.GCP.IAM.09
Permissions: storage.buckets.getIamPolicy, storage.buckets.setIamPolicy
cloudbot_name: storage_bucket_remove_allow_public_access_rules
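The following is an added example, not Dome9/CloudGuard code and not the cloudbot's own source. It shows the two halves of this rule in plain Python: the GSL check above (does any binding in the bucket's IAM policy contain allUsers or allAuthenticatedUsers?) and the remediation the cloudbot description summarises (remove those principals while leaving every other role assignment intact). The policy dictionary follows the shape returned by storage.buckets.getIamPolicy (an etag plus a list of role/members bindings); the sample policy, the principals in it and the project name are constructed for the example.

```python
"""Added example: evaluate rule D9.GCP.IAM.09 against a bucket IAM policy and
build the remediated policy. Not Dome9/CloudGuard code; the sample policy below
is constructed.
"""
import copy
import json

# The two principals that make a bucket anonymously / publicly readable.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: dict) -> list:
    """Return every binding that grants a role to a public principal.

    This is the GSL logic
      StorageBucket should not have iamPolicy with
        [ bindings contain [ members contain-any [ $ in ('allUsers','allAuthenticatedUsers') ] ] ]
    A non-empty result means the bucket fails the rule.
    """
    return [
        b for b in policy.get("bindings", [])
        if PUBLIC_MEMBERS & set(b.get("members", []))
    ]


def is_compliant(policy: dict) -> bool:
    """True when no binding contains allUsers or allAuthenticatedUsers."""
    return not public_bindings(policy)


def remediate(policy: dict) -> dict:
    """Return a copy of the policy with the public principals removed.

    Every other member keeps its role. A binding whose only members were public
    is dropped rather than left with an empty members list. The etag is kept so
    the later setIamPolicy call is applied against the policy version we read.
    """
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            binding["members"] = members
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


# Constructed sample of what getIamPolicy might return for a bucket made public.
SAMPLE_POLICY = {
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "user:alice@example.com"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    findings = public_bindings(SAMPLE_POLICY)
    print(f"compliant before: {is_compliant(SAMPLE_POLICY)} "
          f"({len(findings)} public binding(s))")
    fixed = remediate(SAMPLE_POLICY)
    print(f"compliant after: {is_compliant(fixed)}")
    print(json.dumps(fixed, indent=2))
```

In a real run the policy would come from storage.buckets.getIamPolicy and the result of remediate() would be written back with storage.buckets.setIamPolicy, which is exactly the pair of permissions the cloudbot lists; the example keeps the etag for that reason. Running the check function alone is also a cheap way to audit an exported set of bucket policies before deciding which ones to hand to the cloudbot.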
Storage Bucket
Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. You can use buckets to organize your data and control access to your data, but unlike directories and folders, you cannot nest buckets. Because there are limits to bucket creation and deletion, you should design your storage applications to favor intensive object operations and relatively few buckets operations.
Related Links:
Creating Storage Buckets
Compliance Frameworks