Control: 5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible
Description
It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access.
Allowing anonymous or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.
Remediation
From Console
- Go to the Storage browser by visiting https://console.cloud.google.com/storage/browser.
- Click on the bucket name to go to its Bucket details page.
- Click on the Permissions tab.
- Click the Delete button in front of allUsers and allAuthenticatedUsers to remove that particular role assignment.
From Command Line
Remove allUsers and allAuthenticatedUsers access:
gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME
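The check behind this control can be reproduced locally on the JSON that `gsutil iam get gs://BUCKET_NAME` prints. The script below is an added example, not part of this page or of the gcp_compliance mod: it flags every binding whose members include allUsers or allAuthenticatedUsers and prints the matching `gsutil iam ch -d` command from the remediation above. The policy document and the bucket name are constructed sample values.

```python
import json
import sys

# The two principals that make a Cloud Storage IAM binding public (CIS GCP 5.1).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: the shape `gsutil iam get gs://BUCKET_NAME` returns for a
# bucket that exposes objects to everyone and to every Google account holder.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["allAuthenticatedUsers", "group:dev@example.com"]},
    ],
    "etag": "CAE=",
})


def public_bindings(policy_json):
    """Return (role, principal) pairs that grant a role to a public principal."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def is_publicly_accessible(policy_json):
    """True when at least one binding is public: the control's failing condition."""
    return bool(public_bindings(policy_json))


def remediation_commands(bucket, policy_json):
    """One `gsutil iam ch -d` per public principal present, mirroring the remediation
    section; `-d <principal>` removes that principal from every role it holds."""
    principals = sorted({member for _, member in public_bindings(policy_json)})
    return [f"gsutil iam ch -d {principal} gs://{bucket}" for principal in principals]


if __name__ == "__main__":
    # Usage: gsutil iam get gs://BUCKET_NAME | python check_bucket_public.py BUCKET_NAME
    bucket_name = sys.argv[1] if len(sys.argv) > 1 else "BUCKET_NAME"
    policy_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    for role, principal in public_bindings(policy_text):
        print(f"PUBLIC: {principal} holds {role} on gs://{bucket_name}")
    for command in remediation_commands(bucket_name, policy_text):
        print(command)
```

This inspects the bucket IAM policy only, which is what the control evaluates. On buckets that do not have uniform bucket-level access enabled, object and bucket ACLs are a second way public access can be granted, so review those separately when IAM alone looks clean.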
Prevention
You can prevent Storage buckets from becoming publicly accessible by setting up the Domain restricted sharing organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains.
Default Value
By default, Storage buckets are not publicly shared.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_5_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.cis_v200_5_1 --share
SQL
This control uses a named query:
storage_bucket_not_publicly_accessible