GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
List All Buckets which have Wite Configuration
More Info:
List all the buckets that have website configuration (this is an informational rule only)
Risk Level
Informational
Address
Operational Maturity, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To list all buckets which have write configuration in GCP, you can follow these steps:
- Open the GCP Console and navigate to the Cloud Storage page.
- In the left navigation pane, click on “Storage”.
- Click on the “Buckets” tab.
- In the “Filter Buckets” search box, type “bindings:writer” and press Enter.
- This will list all the buckets with write configuration.
To remediate this misconfiguration in GCP, you can follow these steps:
- Open the GCP Console and navigate to the Cloud Storage page.
- In the left navigation pane, click on “Storage”.
- Click on the bucket that has write configuration.
- Click on the “Permissions” tab.
- In the “Add members” field, enter the email address of the user or service account that you want to grant access to.
- Select the appropriate role for the user or service account from the “Select a role” drop-down menu.
- Click the “Add” button to grant the user or service account access to the bucket.
- Remove any unnecessary write permissions from the bucket by clicking the “Edit” button next to the relevant member and selecting the appropriate role from the “Select a role” drop-down menu.
- Click the “Save” button to save the changes.
Repeat these steps for all the buckets that have write configuration.
To list all buckets which have Write Configuration enabled in GCP, you can use the following command in the GCP CLI:
gsutil ls -L | grep -B 3 -i "allUsers:WRITE"
This command will list all the buckets with Write Configuration enabled. To remediate this issue, you can follow the below steps:
- Open the GCP Console and navigate to the Cloud Storage page.
- Click on the name of the bucket that has Write Configuration enabled.
- Click on the “Permissions” tab.
- Under the “Public access prevention” section, select “Enforced by organization policy”.
- Click “Save”.
This will prevent any public user from having Write Configuration access to the bucket.
To list all the buckets which have write configuration in GCP, you can use the following Python code:
from google.cloud import storage
# create a client object
client = storage.Client()
# list all the buckets
buckets = list(client.list_buckets())
# iterate over the buckets and check if it has write configuration
for bucket in buckets:
bucket_acl = bucket.acl
for entry in bucket_acl:
if entry.role == "WRITER":
print(f"{bucket.name} has write configuration")
To remediate this misconfiguration, you can remove the WRITER role from the bucket’s ACL. You can use the following Python code to do this:
from google.cloud import storage
# create a client object
client = storage.Client()
# get the bucket object
bucket = client.get_bucket('bucket-name')
# get the bucket's ACL
bucket_acl = bucket.acl
# remove the writer role from the bucket's ACL
bucket_acl.all().revoke_role('WRITER')
# save the updated ACL
bucket_acl.save()
Note: Make sure to replace bucket-name with the actual name of the bucket. Also, make sure you have the necessary permissions to modify the bucket’s ACL.