Bucket Should Not Allow Global Access

More Info:

Ensures Storage bucket policies do not allow global write, delete, or read permissions. Storage buckets can be configured to allow the global principal to access the bucket via the bucket policy. This policy should be restricted only to known users or accounts.

Risk Level

Critical

Address

Security

Compliance Standards

CISGCP, CBP, HIPAA, ISO27001, HITRUST, SOC2, GDPR, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the “Bucket Should Not Allow Global Access” misconfiguration for GCP using GCP console, follow these steps:

Go to the GCP console and select the project that contains the bucket with global access.
Navigate to the Cloud Storage section of the console.
Find the bucket that is allowing global access and click on its name to open its details page.
Click on the “Permissions” tab.
Scroll down to the “Public access prevention” section and click on the “Edit” button.
In the “Public access prevention” window, select the “Enforced by Bucket Policy” option.
Click on the “Save” button to apply the changes.
Next, click on the “Bucket Policy” tab.
In the bucket policy editor, enter the following JSON code to deny all public access to the bucket:

{
  "bindings": [
    {
      "members": [
        "allUsers"
      ],
      "role": "roles/storage.objectViewer"
    }
  ],
  "effect": "deny",
  "condition": {
    "bool": {
      "values": [
        true
      ]
    }
  }
}

Click on the “Save” button to apply the policy.

After following these steps, the bucket will no longer allow global access and all public access will be denied.

Using CLI

To remediate the bucket should not allow global access misconfiguration in GCP using GCP CLI, follow these steps:

Open the Google Cloud Console and navigate to the Cloud Shell.
Run the following command to list all the buckets in your project:
```
gsutil ls
```
Identify the bucket that has global access enabled.
Run the following command to remove the public access from the bucket:
```
gsutil iam ch allUsers:objectViewer gs://[BUCKET_NAME]
```
Replace [BUCKET_NAME] with the name of the bucket that you identified in step 3.
Run the following command to verify that the public access has been removed:
```
gsutil iam get gs://[BUCKET_NAME]
```
This command will display the IAM policy for the bucket. Verify that the “allUsers” entity no longer has the “roles/storage.objectViewer” role.
Repeat steps 3 to 5 for all the buckets in your project that have global access enabled.

By following these steps, you can remediate the bucket should not allow global access misconfiguration in GCP using GCP CLI.

Using Python

To remediate the “Bucket Should Not Allow Global Access” misconfiguration in GCP using Python, you can follow the below steps:Step 1: Install and import the required libraries

!pip install google-cloud-storage
from google.cloud import storage

Step 2: Authenticate with GCP using service account credentials

storage_client = storage.Client.from_service_account_json('path/to/service_account.json')

Step 3: Get the bucket object that you want to remediate

bucket_name = "your-bucket-name"
bucket = storage_client.get_bucket(bucket_name)

Step 4: Set the bucket’s IAM policy to deny all public access

policy = bucket.get_iam_policy(requested_policy_version=3)
policy.bindings.append(
    {
        "role": "roles/storage.objectViewer",
        "members": {"allUsers"},
        "condition": {
            "title": "Deny access to objects if they are not authenticated",
            "description": "Requests from user accounts without authentication are not allowed.",
            "expression": "request.auth != null",
        },
    }
)
bucket.set_iam_policy(policy)

Step 5: Verify that the bucket’s IAM policy has been updated to deny all public access

policy = bucket.get_iam_policy(requested_policy_version=3)
for binding in policy.bindings:
    if binding["role"] == "roles/storage.objectViewer" and "allUsers" in binding["members"]:
        print("Global access has been denied.")

By following these steps, you can remediate the “Bucket Should Not Allow Global Access” misconfiguration in GCP using Python.

Additional Reading:

https://cloud.google.com/storage/docs/access-control/iam

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Bucket Should Not Allow Global Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: