GCP Storage Buckets Are Publicly Accessible To All Authenticated Users

This policy identifies Storage buckets that are publicly accessible to all authenticated users. Enabling public access to Storage buckets allows anyone with an internet connection to read sensitive, business-critical information. Access to a whole bucket is controlled by IAM; access to individual objects within the bucket is controlled by the objects' ACLs.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: Terraform

Build Rules

GCP Storage buckets are publicly accessible to all authenticated users.
JSON Query:
$.resource[*].google_storage_bucket_access_control[*].*[*].entity contains allUsers
Recommendation:
Ensure that GCP Storage buckets are not publicly accessible to all authenticated users. In the template, make sure that "entity" under "public_rule" is not set to "allUsers".
For example:
"google_storage_bucket_access_control": [ { "public_rule": [ { "bucket": "google_storage_bucket.bucket.name", "entity": "user-userId", "role": "READER" } ] } ]
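The check behind the JSON query above, as an added example that is not Prisma Cloud's own code: it walks a Terraform-as-JSON document along the same path as the query and reports every access-control rule whose entity grants access to everyone. It goes slightly beyond the query by also flagging "allAuthenticatedUsers", the entity the policy title refers to; the sample template is constructed.

```python
"""Find public ACL rules in a Terraform-as-JSON template (added example)."""
import json

# Entities that grant access to everyone. allAuthenticatedUsers means any
# Google account holder, which from a risk standpoint is still the whole internet.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def find_public_acls(template: dict) -> list:
    """Return one finding per public ACL rule in the template.

    Mirrors $.resource[*].google_storage_bucket_access_control[*].*[*].entity:
    'resource' is a list of blocks; a block may carry the access-control type,
    which maps rule names (e.g. 'public_rule') to lists of rule bodies that
    carry 'entity', 'bucket' and 'role'.
    """
    findings = []
    for block in template.get("resource", []):
        for acl_group in block.get("google_storage_bucket_access_control", []):
            for rule_name, rules in acl_group.items():
                if not isinstance(rules, list):
                    continue  # not a rule list; skip rather than crash
                for rule in rules:
                    entity = rule.get("entity", "")
                    if entity in PUBLIC_ENTITIES:
                        findings.append({
                            "rule": rule_name,
                            "bucket": rule.get("bucket"),
                            "entity": entity,
                            "role": rule.get("role"),
                        })
    return findings


# Constructed sample: one rule open to all authenticated users (should be flagged)
# and one scoped to a single user, as in the page's compliant example (should pass).
SAMPLE_TEMPLATE = json.loads("""
{ "resource": [ { "google_storage_bucket_access_control": [ {
    "public_rule": [ { "bucket": "google_storage_bucket.bucket.name",
                       "entity": "allAuthenticatedUsers", "role": "READER" } ],
    "owner_rule":  [ { "bucket": "google_storage_bucket.bucket.name",
                       "entity": "user-userId", "role": "READER" } ] } ] } ] }
""")

if __name__ == "__main__":
    for f in find_public_acls(SAMPLE_TEMPLATE):
        print(f"public ACL: {f['rule']} grants {f['role']} to {f['entity']} on {f['bucket']}")
```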

Run Rule Recommendation

  1. Login to GCP Portal.
  2. Go to Storage (Left Panel).
  3. Click Browse.
  4. Choose the identified Storage bucket whose ACL needs to be modified.
  5. Click on SHOW INFO PANEL button.
  6. Check all the ACL groups and make sure that none of them are set to 'allAuthenticatedUsers'.

Compliance

There are 12 standards that are applicable to this policy:
  • HIPAA
  • PIPEDA
  • NIST CSF
  • NIST 800-53 Rev4
  • HITRUST CSF v9.3
  • ISO 27001:2013
  • GDPR
  • CSA CCM v3.0.1
  • SOC 2
  • MITRE ATT&CK [Beta]
  • PCI DSS v3.2
  • CCPA 2018
