Ensure that Cloud Storage bucket is not anonymously or publicly accessible

Risk Level: Critical
Storage Bucket
Rule ID: D9.GCP.IAM.09
Category: Storage
It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access. Note: GCP recommends enabling uniform bucket-level access so that access is controlled by IAM policy alone.

gsl logic

StorageBucket should not have iamPolicy with [ bindings contain [ members contain-any [ $ in ( 'allUsers', 'allAuthenticatedUsers' ) ] ] ]

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read.

Learn more:
Compliance Engine
GSL Language

Remediation


From Portal
1. Log in to the GCP Console at https://console.cloud.google.com.
2. Navigate to Storage.
3. Navigate to Bucket details page, select bucket name.
4. Click Permissions tab.
5. To remove a specific role assignment, click Delete in front of allUsers and allAuthenticatedUsers.

From TF
Set the members list so that it does not include the members 'allUsers' or 'allAuthenticatedUsers':


resource "google_storage_bucket_iam_binding" "member" {
  # A `members` list belongs to google_storage_bucket_iam_binding;
  # google_storage_bucket_iam_member takes a single `member` string.
  bucket = google_storage_bucket.example.name   # placeholder bucket reference
  role   = "roles/storage.objectViewer"         # placeholder role
  members = [
    MEMBERS_LIST   # must not contain "allUsers" or "allAuthenticatedUsers"
  ]
}



From Command Line
Run


gsutil iam ch -d allUsers gs://BUCKET_NAME


and


gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME




Auto Remediation Using Cloudbots


cloudbot_name: storage_bucket_remove_allow_public_access_rules

What it does: Deletes IAM rules of a Storage Bucket that allow public access

Usage: storage_bucket_remove_allow_public_access_rules

Example: storage_bucket_remove_allow_public_access_rules

Limitations: None

Example GSL: StorageBucket should not have iamPolicy with [ bindings contain [ members contain-any [ $ in ( 'allUsers', 'allAuthenticatedUsers' ) ] ] ]

Associated Rule: D9.GCP.IAM.09

Permissions: storage.buckets.getIamPolicy, storage.buckets.setIamPolicy
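As an added illustration (not part of the Dome9 rule page or the CloudGuard cloudbot code), the Python below applies the test the GSL above expresses to a bucket IAM policy in the JSON shape returned by `gsutil iam get`, and computes the policy that stripping the public principals (what the cloudbot does) would leave behind. The sample policy and its principals are constructed.

```python
import json
from copy import deepcopy

# Principals that make a bucket anonymously or publicly accessible (D9.GCP.IAM.09).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the Storage JSON API Policy shape (as `gsutil iam get` prints).
# Not real project data.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "group:analysts@example.com"]},
    {"role": "roles/storage.objectCreator", "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "CAE="
}
""")


def public_bindings(policy):
    """Return (role, member) pairs that violate the rule.

    Mirrors the GSL: bindings contain members contain-any of the public principals.
    """
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]


def is_compliant(policy):
    return not public_bindings(policy)


def remove_public_access(policy):
    """Return a copy of the policy with allUsers/allAuthenticatedUsers removed.

    Bindings left with no members are dropped rather than written back empty, other
    members and any binding conditions are preserved, and the etag is kept so a
    subsequent setIamPolicy is a safe read-modify-write.
    """
    fixed = deepcopy(policy)
    kept = []
    for b in fixed.get("bindings", []):
        b["members"] = [m for m in b.get("members", []) if m not in PUBLIC_MEMBERS]
        if b["members"]:
            kept.append(b)
    fixed["bindings"] = kept
    return fixed


if __name__ == "__main__":
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"VIOLATION: {member} holds {role}")
    print(json.dumps(remove_public_access(SAMPLE_POLICY), indent=2))
```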

Storage Bucket

Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. You can use buckets to organize your data and control access to your data, but unlike directories and folders, you cannot nest buckets. Because there are limits on bucket creation and deletion, you should design your storage applications to favor intensive object operations and relatively few bucket operations.

Related Links:
Creating Storage Buckets

Compliance Frameworks

PCIDSS32 ISO27001 NIST_CSF HIPAA GDPR BP_0318