GCP Storage bucket is anonymously or publicly accessible
Description
Allowing anonymous or public access to a Cloud Storage bucket grants anyone permission to read the bucket's content. If you store sensitive data in the bucket, anonymous and public access is almost certainly not desired. We recommend you ensure that anonymous and public access to a bucket is not allowed.
Code Example
```hcl
//Option 1
resource "google_storage_bucket_iam_member" "member" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
-  member = "allUsers"
-  member = "allAuthenticatedUsers"
}

//Option 2
resource "google_storage_bucket_iam_binding" "binding" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  members = [
-    "allAuthenticatedUsers",
-    "allUsers"
  ]
}
```

Remediation
GCP Console

To change the policy using the GCP Console, follow these steps:

1. Log in to the GCP Console at https://console.cloud.google.com.
2. Navigate to https://console.cloud.google.com/storage/browser [Storage].
3. Open the Bucket details page by selecting the bucket name.
4. Click the Permissions tab.
5. To remove a specific role assignment, click Delete in front of allUsers and allAuthenticatedUsers.

CLI Command

To remove access for allUsers and allAuthenticatedUsers, use the following commands:

`gsutil iam ch -d allUsers gs://BUCKET_NAME`
`gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME`

Fix - Buildtime
Terraform
- Resource: google_storage_bucket_iam_member
- Argument: member
- Resource: google_storage_bucket_iam_binding
- Argument: members
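As an added example (not part of the original policy page or of Checkov), the following Python script parses the JSON policy printed by `gsutil iam get gs://BUCKET_NAME`, reports every binding that grants a role to allUsers or allAuthenticatedUsers, and emits the `gsutil iam ch -d` commands from the CLI remediation above. The policy and bucket name are constructed sample values.

```python
import json

# Principals that make a bucket anonymous or public: allUsers is anyone on the
# internet, allAuthenticatedUsers is anyone holding a Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy):
    """Return (role, member) pairs in a bucket IAM policy that grant public access.

    `policy` is the dict form of the JSON printed by `gsutil iam get gs://BUCKET`.
    """
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def remediation_commands(bucket, policy):
    """Build the `gsutil iam ch -d` commands that strip each public principal
    from every role it holds on the bucket (one command per principal)."""
    members = sorted({member for _, member in find_public_bindings(policy)})
    return [f"gsutil iam ch -d {m} gs://{bucket}" for m in members]


# Constructed sample policy shaped like `gsutil iam get` output (not real data).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin",
     "members": ["allAuthenticatedUsers", "user:alice@example.com"]}
  ],
  "etag": "CAE="
}
""")

if __name__ == "__main__":
    for role, member in find_public_bindings(SAMPLE_POLICY):
        print(f"public access: {member} holds {role}")
    for cmd in remediation_commands("example-bucket", SAMPLE_POLICY):
        print(cmd)
```

Feed it a real policy with `gsutil iam get gs://BUCKET_NAME | python3 -c 'import json,sys; ...'` or by loading the saved JSON; an empty result means the bucket has no public principal.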
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0887 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_28 |