Detection: Storage Bucket IAM Permission Granted Public Access

Overview

Detect when a storage bucket was publicly accessible. Publicly accessible buckets can expose sensitive data to unauthorized access or misuse. Monitoring such configurations ensures secure storage practices and prevents data breaches.

References:

Usage

Run the detection in your terminal:

powerpipe detection run gcp_audit_log_detections.detection.storage_bucket_iam_permission_granted_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run gcp_audit_log_detections.detection.storage_bucket_iam_permission_granted_public_access --share

SQL

This detection uses a named query:

with policy as(
  select
    *,
    unnest(from_json((service_data -> 'policyDelta' -> 'bindingDeltas'), '["JSON"]')) as bindings
  from
    gcp_audit_log
  where
    method_name ilike 'storage.setiampermissions'
)
select 
  tp_timestamp as timestamp,
method_name as operation,
resource_name as resource,
authentication_info.principal_email as actor,
tp_source_ip as source_ip,
tp_index as project,
tp_id as source_id,
-- Create new aliases to preserve original row data
*

from 
  policy
where
  (bindings ->> 'member') = 'allUsers'
  and severity != 'Error'
-- TODO: Do we need to check operation?
-- and (operation_src is null or operation_src.last = true)

order by
  timestamp desc;

Detection: Storage Bucket IAM Permission Granted Public Access

Overview

Usage

SQL

Tags