Storage Bucket Logs Should Not be Publicly Accessible
More Info:
Ensure that cloud Storage bucket Logs are not Publicly Accessible by setting “publicAccessPrevention” to “enforced”.Risk Level
HighAddress
SecurityCompliance Standards
HITRUST, SOC2, NISTCSF, PCIDSSTriage and Remediation
Remediation
Using Console
Using Console
Sure, I can help you with that. Here are the step by step instructions to remediate the issue “Storage Bucket Logs Should Not be Publicly Accessible” for GCP using GCP Console:
- Open the GCP Console and navigate to the Cloud Storage page.
- Select the bucket that you want to remediate.
- Click on the “Permissions” tab.
- Under the “Public access prevention” section, click on the “Edit” button.
- Set the “Prevent public access” toggle to “On”.
- Click on the “Save” button to save the changes.
- Under the “Access control” section, click on the “Add members” button.
- Enter the email address of the user or service account that you want to grant access to.
- Select the appropriate role from the “Select a role” dropdown menu.
- Click on the “Add” button to add the member and role.
- Repeat steps 7-10 for each user or service account that you want to grant access to.
- Click on the “Save” button to save the changes.
Using CLI
Using CLI
To remediate the issue of publicly accessible storage bucket logs in GCP, you can follow the below steps using GCP CLI:
- Open the Cloud Shell in your GCP console.
-
Run the following command to list all the storage buckets in your GCP project:
- Identify the bucket that contains the logs which are publicly accessible.
-
Run the following command to update the bucket’s permissions and make it private:
Replace
[BUCKET_NAME]with the name of the bucket that you identified in step 3. -
Verify that the bucket’s permissions have been updated by running the following command:
It should return the updated IAM policy for the bucket.
- Finally, you can check if the bucket logs are still publicly accessible by trying to access them using a web browser or any other tool. If the remediation was successful, you should not be able to access the logs anymore.
Using Python
Using Python
To remediate the issue of publicly accessible storage bucket logs in GCP, you can use the following Python code:Explanation:
- Import the necessary libraries, including the
google.cloud.storagelibrary. - Set the name of the bucket and the name of the log object that you want to remediate.
- Create a client object to interact with the GCP storage service.
- Get the bucket object using the client and the bucket name.
- Get the log object using the bucket and the log object name.
- Set the log object’s access control to private using the
save_predefined()method of theaclattribute of the log object.