More Info:

Ensures Storage bucket policies do not allow global write, delete, or read permissions. Storage buckets can be configured to allow the global principal to access the bucket via the bucket policy. This policy should be restricted only to known users or accounts.

Risk Level

Critical

Address

Security

Compliance Standards

CISGCP, CBP, HIPAA, ISO27001, HITRUST, SOC2, GDPR, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the “Bucket Should Not Allow Global Access” misconfiguration for GCP using GCP console, follow these steps:
  1. Go to the GCP console and select the project that contains the bucket with global access.
  2. Navigate to the Cloud Storage section of the console.
  3. Find the bucket that is allowing global access and click on its name to open its details page.
  4. Click on the “Permissions” tab.
  5. Scroll down to the “Public access prevention” section and click on the “Edit” button.
  6. In the “Public access prevention” window, select the “Enforced by Bucket Policy” option.
  7. Click on the “Save” button to apply the changes.
  8. Next, click on the “Bucket Policy” tab.
  9. In the bucket policy editor, enter the following JSON code to deny all public access to the bucket: 
{
  "bindings": [
    {
      "members": [
        "allUsers"
      ],
      "role": "roles/storage.objectViewer"
    }
  ],
  "effect": "deny",
  "condition": {
    "bool": {
      "values": [
        true
      ]
    }
  }
}
  1. Click on the “Save” button to apply the policy.
After following these steps, the bucket will no longer allow global access and all public access will be denied.

To remediate the bucket should not allow global access misconfiguration in GCP using GCP CLI, follow these steps:
  1. Open the Google Cloud Console and navigate to the Cloud Shell.
  2. Run the following command to list all the buckets in your project: 
    gsutil ls
  3. Identify the bucket that has global access enabled.
  4. Run the following command to remove the public access from the bucket: 
    gsutil iam ch allUsers:objectViewer gs://[BUCKET_NAME]
    Replace [BUCKET_NAME] with the name of the bucket that you identified in step 3.
  5. Run the following command to verify that the public access has been removed: 
    gsutil iam get gs://[BUCKET_NAME]
    This command will display the IAM policy for the bucket. Verify that the “allUsers” entity no longer has the “roles/storage.objectViewer” role.
  6. Repeat steps 3 to 5 for all the buckets in your project that have global access enabled.
By following these steps, you can remediate the bucket should not allow global access misconfiguration in GCP using GCP CLI.
To remediate the “Bucket Should Not Allow Global Access” misconfiguration in GCP using Python, you can follow the below steps:Step 1: Install and import the required libraries
!pip install google-cloud-storage
from google.cloud import storage
Step 2: Authenticate with GCP using service account credentials
storage_client = storage.Client.from_service_account_json('path/to/service_account.json')
Step 3: Get the bucket object that you want to remediate
bucket_name = "your-bucket-name"
bucket = storage_client.get_bucket(bucket_name)
Step 4: Set the bucket’s IAM policy to deny all public access
policy = bucket.get_iam_policy(requested_policy_version=3)
policy.bindings.append(
    {
        "role": "roles/storage.objectViewer",
        "members": {"allUsers"},
        "condition": {
            "title": "Deny access to objects if they are not authenticated",
            "description": "Requests from user accounts without authentication are not allowed.",
            "expression": "request.auth != null",
        },
    }
)
bucket.set_iam_policy(policy)
Step 5: Verify that the bucket’s IAM policy has been updated to deny all public access
policy = bucket.get_iam_policy(requested_policy_version=3)
for binding in policy.bindings:
    if binding["role"] == "roles/storage.objectViewer" and "allUsers" in binding["members"]:
        print("Global access has been denied.")
By following these steps, you can remediate the “Bucket Should Not Allow Global Access” misconfiguration in GCP using Python.

Additional Reading: