v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/gcp_compliance
Overview
12Dashboards
536Controls
201Queries
2Variables
GitHub

Control: 5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible

Description

It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.

Allowing anonymous or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.

Remediation

From Console

  1. Go to Storage browser by visiting https://console.cloud.google.com/storage/browser.
  2. Click on the bucket name to go to its Bucket details page.
  3. Click on the Permissions tab.
  4. Click Delete button in front of allUsers and allAuthenticatedUsers to remove that particular role assignment.

From Command Line

Remove allUsers and allAuthenticatedUsers access.

gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME

Prevention

You can prevent Storage buckets from becoming publicly accessible by setting up the Domain restricted sharing organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains.

Default Value

By Default, Storage buckets are not publicly shared.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v300_5_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v300_5_1 --share

SQL

This control uses a named query:

storage_bucket_not_publicly_accessible

Tags

benchmark = cis
category = Compliance
cis_item_id = 5.1
cis_level = 1
cis_section_id = 5
cis_type = automated
cis_version = v3.0.0
plugin = gcp
service = GCP/Storage