Ensures Storage bucket policies do not allow global write, delete, or read permissions. Storage buckets can be configured to allow the global principal to access the bucket via the bucket policy. This policy should be restricted only to known users or accounts.
To remediate the “bucket should not allow global access” misconfiguration in GCP using the GCP CLI, follow these steps:
Step 1: Open the Google Cloud Console and navigate to the Cloud Shell.
Step 2: Run the following command to list all the buckets in your project:
gsutil ls
Step 3: Identify the bucket that has global access enabled.
Step 4: Run the following command to remove the public access from the bucket (the -d flag deletes the binding; without it, gsutil iam ch would grant the role instead of removing it):
gsutil iam ch -d allUsers:objectViewer gs://[BUCKET_NAME]
Replace [BUCKET_NAME] with the name of the bucket that you identified in step 3.
Step 5: Run the following command to verify that the public access has been removed:
gsutil iam get gs://[BUCKET_NAME]
This command will display the IAM policy for the bucket. Verify that the “allUsers” entity no longer has the “roles/storage.objectViewer” role, and that it is not listed under any other role either.
Step 6: Repeat steps 3 to 5 for all the buckets in your project that have global access enabled.
By following these steps, you can remediate the “bucket should not allow global access” misconfiguration in GCP using the GCP CLI.
Using Python
To remediate the “Bucket Should Not Allow Global Access” misconfiguration in GCP using Python, you can follow the below steps:
Step 1: Install and import the required libraries
Step 4: Set the bucket’s IAM policy to deny all public access
from google.cloud import storage

client = storage.Client()
bucket = client.bucket("[BUCKET_NAME]")  # the bucket identified in the earlier steps

# Request policy version 3 so that any conditional bindings are returned intact
policy = bucket.get_iam_policy(requested_policy_version=3)
# Remove the global principal from every binding, whatever role it was granted
for binding in policy.bindings:
    binding["members"] = {m for m in binding["members"] if m != "allUsers"}
bucket.set_iam_policy(policy)
Step 5: Verify that the bucket’s IAM policy has been updated to deny all public access
policy = bucket.get_iam_policy(requested_policy_version=3)
still_public = [b["role"] for b in policy.bindings if "allUsers" in b["members"]]
if still_public:
    print("allUsers is still granted:", ", ".join(still_public))
else:
    print("Global access has been denied.")
By following these steps, you can remediate the “Bucket Should Not Allow Global Access” misconfiguration in GCP using Python.
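A self-contained check and cleanup over the policy document that gsutil iam get prints, added here as an example that is not part of this page's remediation code. It generalizes the page's allUsers/objectViewer case to allAuthenticatedUsers and to every role, keeps conditional bindings intact, and runs offline; the sample policy, project name and service-account address are constructed.

```python
import json

# Principals that make a bucket reachable by everyone. allAuthenticatedUsers
# counts too, because any Google account satisfies it.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def public_bindings(policy: dict) -> list:
    """Return (role, principal) pairs that grant access to a public principal.
    `policy` is the JSON document `gsutil iam get` prints: a list of bindings,
    each with "role", "members" and an optional "condition"."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings

def strip_public_members(policy: dict) -> dict:
    """Return a copy of `policy` with public principals removed from every
    binding; bindings left without members are dropped. The etag is kept so
    that writing the policy back stays a compare-and-set update."""
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    kept = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:
            kept.append({**binding, "members": members})
    cleaned["bindings"] = kept
    return cleaned

# Constructed sample policy for this demonstration, not captured from a real bucket.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectCreator",
     "members": ["allAuthenticatedUsers",
                 "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ],
  "etag": "CAE=",
  "version": 3
}""")

if __name__ == "__main__":
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"public grant: {member} -> {role}")
    print(json.dumps(strip_public_members(SAMPLE_POLICY), indent=2))
```

Pipe the output of gsutil iam get into public_bindings to audit a bucket before and after the fix; strip_public_members produces the document you would write back with gsutil iam set.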