Control: Ensure that Cloud Storage bucket used for exporting logs is not anonymously or publicly accessible
Description
It is recommended that the IAM policy on the Cloud Storage bucket used for exporting logs does not allow anonymous or public access (the allUsers or allAuthenticatedUsers principals).
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.storage_bucket_log_not_publicly_accessible
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.storage_bucket_log_not_publicly_accessible --share
SQL
This control uses a named query:
with log_sink_buckets as (
  select
    split_part(destination, '/', 2) as bucket_name,
    project
  from
    gcp_logging_sink
  where
    destination like 'storage.googleapis.com/%'
)
select
  b.self_link resource,
  case
    when s.bucket_name is null then 'skip'
    when b.iam_policy ->> 'bindings' like any (array ['%allAuthenticatedUsers%', '%allUsers%']) then 'alarm'
    else 'ok'
  end as status,
  case
    when s.bucket_name is null then title || ' does not export logs.'
    when b.iam_policy ->> 'bindings' like any (array ['%allAuthenticatedUsers%', '%allUsers%']) then title || ' publicly accessible.'
    else title || ' not publicly accessible.'
  end as reason,
  b.location as location,
  b.project as project
from
  gcp_storage_bucket as b
  left join log_sink_buckets as s on s.bucket_name = b.name and b.project = s.project;
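The query above does three things: it derives the bucket name from each Cloud Storage sink destination with split_part, joins that to the bucket list so buckets that receive no log exports are skipped rather than alarmed, and then tests the serialized iam_policy bindings for the allUsers or allAuthenticatedUsers principals. The following Python is an added, stand-alone re-implementation of that logic for offline testing; it is not code from the page or from the gcp_compliance mod, and the sink and bucket records are constructed sample data, not real GCP output. One deliberate difference: the SQL uses LIKE, which is a substring test over the bindings text, so a member such as user:allUsers@example.com (hypothetical) would also trigger it, whereas this version parses the bindings and matches member strings exactly.

```python
import json
from typing import Optional

# Principals that make a bucket anonymously or publicly readable.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample sinks (mirroring gcp_logging_sink.destination / project).
SAMPLE_SINKS = [
    {"project": "proj-a", "destination": "storage.googleapis.com/audit-logs-a"},
    {"project": "proj-a", "destination": "bigquery.googleapis.com/projects/proj-a/datasets/logs"},
    {"project": "proj-b", "destination": "storage.googleapis.com/audit-logs-b"},
]

# Constructed sample buckets (mirroring gcp_storage_bucket name / project / iam_policy).
SAMPLE_BUCKETS = [
    {"name": "audit-logs-a", "project": "proj-a", "title": "audit-logs-a",
     "iam_policy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
         {"role": "roles/storage.admin", "members": ["user:alice@example.com"]}]}},
    {"name": "audit-logs-b", "project": "proj-b", "title": "audit-logs-b",
     "iam_policy": {"bindings": [
         {"role": "roles/storage.objectViewer",
          "members": ["serviceAccount:logs@proj-b.iam.gserviceaccount.com"]}]}},
    # Public, but not a log-export destination: the control skips it.
    {"name": "website-assets", "project": "proj-a", "title": "website-assets",
     "iam_policy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
]


def sink_bucket_name(destination: str) -> Optional[str]:
    """Bucket name for a Cloud Storage sink destination, else None.

    Equivalent to split_part(destination, '/', 2) guarded by the
    destination LIKE 'storage.googleapis.com/%' filter in the query.
    """
    prefix = "storage.googleapis.com/"
    if not destination.startswith(prefix):
        return None
    return destination[len(prefix):].split("/", 1)[0]


def public_members(iam_policy: dict) -> set:
    """Public principals present in any binding, using exact member matching."""
    found = set()
    for binding in iam_policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.add(member)
    return found


def evaluate(buckets: list, sinks: list) -> list:
    """Produce one skip/alarm/ok row per bucket, as the control does."""
    # Same join key as the SQL: (project, bucket_name).
    sink_buckets = {(s["project"], sink_bucket_name(s["destination"])) for s in sinks}
    results = []
    for b in buckets:
        if (b["project"], b["name"]) not in sink_buckets:
            status, reason = "skip", f"{b['title']} does not export logs."
        else:
            public = public_members(b["iam_policy"])
            if public:
                status = "alarm"
                reason = f"{b['title']} publicly accessible ({', '.join(sorted(public))})."
            else:
                status, reason = "ok", f"{b['title']} not publicly accessible."
        results.append({"resource": b["name"], "project": b["project"],
                        "status": status, "reason": reason})
    return results


if __name__ == "__main__":
    for row in evaluate(SAMPLE_BUCKETS, SAMPLE_SINKS):
        print(json.dumps(row))
```

Running the script on the constructed data alarms on audit-logs-a, passes audit-logs-b, and skips website-assets even though it is public, which is the behaviour the left join and the 'skip' branch give the control: it only judges buckets that a sink actually writes logs to.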