Profile Applicability:
- Level 1
Description:
It is recommended that IAM policies for Cloud Storage buckets do not permit anonymous or public access. Public access to storage buckets can expose sensitive data to unauthorized users, potentially leading to data breaches.
Rationale:
Granting anonymous or public access to Cloud Storage buckets allows unrestricted access to their contents. This can result in unintended exposure of sensitive or confidential data. By ensuring that access is restricted to authorized users only, organizations can protect their data and maintain compliance with security standards.
Impact:
No storage bucket will be publicly accessible. Administrators must explicitly grant access to each principal that needs it, and any workload or website that relied on anonymous reads from a bucket will lose that access until it is granted another way.
Default Value:
By default, Cloud Storage buckets are not publicly shared.
Audit Steps:
From Google Cloud Console:
Visit the Storage Browser.
Click on each bucket to view its Bucket Details.
Navigate to the Permissions tab.
Verify that neither allUsers nor allAuthenticatedUsers appears as a principal (member) in any role. Note that allAuthenticatedUsers means any Google account on the internet, not only accounts in your organization.
From Google Cloud CLI:
List all buckets in the project:
gsutil ls
Check the IAM policy for each bucket:
gsutil iam get gs://BUCKET_NAME
Ensure that neither allUsers nor allAuthenticatedUsers is listed as a member in any role, including roles that carry an IAM condition. The command prints the policy as JSON; gsutil is the legacy CLI, and gcloud storage buckets get-iam-policy gs://BUCKET_NAME returns the same policy.
Using REST API:
List all buckets in a project:
GET https://www.googleapis.com/storage/v1/b?project=<PROJECT_ID>
Check the IAM policy for each bucket:
GET https://www.googleapis.com/storage/v1/b/<BUCKET_NAME>/iam
Confirm that no roles contain allUsers or allAuthenticatedUsers.
Remediation Steps:
From Google Cloud Console:
Navigate to the Storage Browser.
Click on the desired bucket to open its Bucket Details.
Go to the Permissions tab.
Remove any entries for all Users or all Authenticated Users by clicking the Delete button.
From Google Cloud CLI:
Remove allUsers access:
gsutil iam ch -d allUsers gs://BUCKET_NAME
Remove allAuthenticatedUsers access:
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME
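The script below is added here as a worked example; it is not part of this benchmark or of Google's tooling. It implements the CLI and REST audit above over saved policy documents and produces the sanitized policy that the remediation commands above would leave behind. It assumes the policies were captured beforehand with gsutil iam get gs://BUCKET_NAME > BUCKET_NAME.json (the REST .../iam response has the same bindings structure); the embedded SAMPLE_POLICY is constructed for illustration and does not come from a real project.

```python
"""Audit saved Cloud Storage bucket IAM policies for public principals.

Usage (policy files captured beforehand with gsutil iam get or the REST API):
    gsutil iam get gs://BUCKET_NAME > BUCKET_NAME.json
    python audit_public_buckets.py BUCKET_NAME.json [more.json ...]

With no arguments the constructed SAMPLE_POLICY below is audited instead.
"""
import json
import sys

# Principals that make a grant public. allAuthenticatedUsers is any Google
# account on the internet, not only accounts in your organization.
PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})

# Constructed sample policy (not from a real project), shaped like the JSON
# returned by `gsutil iam get` or GET /storage/v1/b/BUCKET/iam.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:example-project"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "user:alice@example.com"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["allAuthenticatedUsers"],
         "condition": {"title": "until-2030",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
    "etag": "CAE=",
}


def public_bindings(policy):
    """Return (role, principal, condition_title) for every public grant.

    Conditional bindings are reported as well: a condition only narrows when
    the grant applies; the principal is still the whole internet while it holds.
    """
    findings = []
    for binding in policy.get("bindings", []):
        condition = binding.get("condition")
        title = condition.get("title") if condition else None
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member, title))
    return findings


def sanitized_policy(policy):
    """Return a copy of the policy with public principals removed.

    Mirrors `gsutil iam ch -d allUsers -d allAuthenticatedUsers`: the principal
    is dropped from every role, bindings left empty are removed, and the etag
    is kept so `gsutil iam set FILE gs://BUCKET_NAME` only applies if the
    policy has not changed in the meantime. The input dict is not modified.
    """
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    new_bindings = []
    for binding in policy.get("bindings", []):
        kept = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if kept:
            new_bindings.append({**binding, "members": kept})
    cleaned["bindings"] = new_bindings
    return cleaned


def audit(policies):
    """policies maps a bucket label to its policy dict; returns only failing buckets."""
    report = {}
    for name, policy in policies.items():
        findings = public_bindings(policy)
        if findings:
            report[name] = findings
    return report


def main(argv):
    if len(argv) > 1:
        policies = {}
        for path in argv[1:]:
            with open(path) as fh:
                policies[path] = json.load(fh)
    else:
        policies = {"sample-bucket (constructed)": SAMPLE_POLICY}

    report = audit(policies)
    for bucket, findings in report.items():
        for role, member, title in findings:
            suffix = f" (conditional: {title})" if title else ""
            print(f"FAIL {bucket}: {member} holds {role}{suffix}")
        # Print the policy that remediation would apply with `gsutil iam set`.
        print(json.dumps(sanitized_policy(policies[bucket]), indent=2))
    if not report:
        print("PASS: no allUsers or allAuthenticatedUsers bindings found")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status on any finding lets the script gate a CI job or a scheduled compliance run; the sanitized policy it prints can be reviewed and then applied with gsutil iam set, which is equivalent to the two gsutil iam ch -d commands above but leaves an auditable before/after document.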
Prevention:
To prevent storage buckets from becoming publicly accessible:
Enable the Domain Restricted Sharing organization policy (constraints/iam.allowedPolicyMemberDomains). Because allUsers and allAuthenticatedUsers belong to no domain, the constraint rejects any attempt to add them to a bucket's IAM policy.
Enforce public access prevention, either on an individual bucket (gsutil pap set enforced gs://BUCKET_NAME) or across a project, folder or organization with the constraints/storage.publicAccessPrevention organization policy. Public access prevention blocks public grants made through both IAM and ACLs.
Backout Plan:
Revert Changes to Bucket Access: If the change needs to be reversed, restore the IAM roles or ACL settings that allowed public or anonymous access by re-adding the removed grants, for example:
gsutil iam ch allUsers:objectViewer gs://BUCKET_NAME
gsutil iam ch allAuthenticatedUsers:objectViewer gs://BUCKET_NAME
Doing so exposes the bucket's objects to the internet again, so reinstate only the specific role that was removed and only on the bucket that requires it.
Verify Permissions: Re-check the IAM settings and ensure that the desired access permissions are restored.
Test Access: Verify that the access configuration change works as expected by attempting to access the bucket from an anonymous session or different user role.
Notify Stakeholders: Inform stakeholders of the changes and provide any necessary instructions regarding access.
References:
Additional Information:
It is recommended to manage access through bucket IAM rather than bucket ACLs for consistency and ease of use. Bucket ACLs and IAM are synchronized, so a change made to a bucket ACL through the command line or API is also reflected in the bucket's IAM policy. Object ACLs are not covered by this audit, however: while uniform bucket-level access is disabled, an individual object can still be readable by allUsers through its own ACL even when the bucket's IAM policy is clean. Enabling uniform bucket-level access (gsutil ubla set on gs://BUCKET_NAME) disables ACLs so that IAM is the only access path.
For further protection, apply organization-wide policies such as Domain Restricted Sharing and public access prevention so that these controls are enforced across all projects rather than bucket by bucket.