turbot/steampipe-mod-gcp-compliance

Control: Ensure that Cloud Storage bucket is not anonymously or publicly accessible

Description

It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access (bindings to `allUsers` or `allAuthenticatedUsers`).

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.storage_bucket_not_publicly_accessible

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.storage_bucket_not_publicly_accessible --share

SQL

This control uses a named query:

select
  self_link resource,
  case
    when iam_policy ->> 'bindings' like any (array ['%allAuthenticatedUsers%', '%allUsers%']) then 'alarm'
    else 'ok'
  end as status,
  case
    when iam_policy ->> 'bindings' like any (array ['%allAuthenticatedUsers%', '%allUsers%'])
      then title || ' publicly accessible.'
    else title || ' not publicly accessible.'
  end as reason,
  location as location,
  project as project
from
  gcp_storage_bucket;
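As an added example (not code from the mod itself), the same rule the query applies, run in Python over constructed rows shaped like `gcp_storage_bucket`; it keeps the query's text match for the status and additionally reports which role/member pair granted the public access. The bucket names, links and bindings are made up for the example.

```python
# Added illustration, not the mod's own code: the rule the control's SQL applies,
# run over constructed rows shaped like gcp_storage_bucket (title, self_link, iam_policy).
import json

PUBLIC_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")

# Constructed sample rows; not real buckets.
BUCKETS = [
    {
        "title": "public-assets",
        "self_link": "https://www.googleapis.com/storage/v1/b/public-assets",
        "iam_policy": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
            {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
        ]},
    },
    {
        "title": "private-logs",
        "self_link": "https://www.googleapis.com/storage/v1/b/private-logs",
        "iam_policy": {"bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["serviceAccount:reader@example.iam.gserviceaccount.com"]},
        ]},
    },
]

def public_bindings(iam_policy):
    """Return (role, member) pairs whose member is a public principal (exact match)."""
    hits = []
    for binding in (iam_policy or {}).get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                hits.append((binding["role"], member))
    return hits

def evaluate(bucket):
    """Reproduce the control's status and reason, plus the bindings behind an alarm."""
    policy = bucket.get("iam_policy") or {}
    # The SQL tests the JSON text of `bindings` with LIKE '%allUsers%' and
    # '%allAuthenticatedUsers%'; the same substring test is applied here for parity.
    bindings_text = json.dumps(policy.get("bindings", []))
    text_match = any(p in bindings_text for p in PUBLIC_PRINCIPALS)
    status = "alarm" if text_match else "ok"
    reason = bucket["title"] + (" publicly accessible." if text_match else " not publicly accessible.")
    return {"resource": bucket["self_link"], "status": status, "reason": reason,
            "bindings": public_bindings(policy)}

if __name__ == "__main__":
    for b in BUCKETS:
        print(json.dumps(evaluate(b)))
```

Because the query matches on the bindings text rather than on individual members, the exact-match list returned in `bindings` is what tells you which grant to remove.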

Tags