More Info:

Ensure that cloud Storage buckets do not allow All Authenticated User Reads (“allAuthenticatedUsers” must not have “READER” roles)

Risk Level

High

Address

Security

Compliance Standards

NIST

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Buckets Should Not Allow All Authenticated User Reads” for GCP using GCP console, follow the below steps:
  1. Open the GCP console and go to the Cloud Storage page.
  2. Select the bucket for which you want to remediate the misconfiguration.
  3. Click on the “Permissions” tab.
  4. Under the “Members” section, locate the “allAuthenticatedUsers” entry.
  5. Click on the pencil icon next to the “allAuthenticatedUsers” entry to edit its permissions.
  6. In the “Select a role” dropdown, select “Storage Legacy Bucket Reader”.
  7. Click on the “Save” button to save the changes.
By doing this, you are removing the read permission for all authenticated users and granting only the Storage Legacy Bucket Reader role permission to read the bucket.

To remediate the misconfiguration “Buckets should not allow all authenticated user reads” in GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to list all the buckets in your project: 
    gsutil ls
  3. Identify the bucket that allows all authenticated user reads.
  4. Run the following command to remove the allAuthenticatedUsers entity from the bucket’s IAM policy: 
    gsutil iam ch -d allAuthenticatedUsers gs://[BUCKET_NAME]
    Replace [BUCKET_NAME] with the name of the bucket that you want to remediate.
  5. Verify that the allAuthenticatedUsers entity has been removed from the bucket’s IAM policy by running the following command: 
    gsutil iam get gs://[BUCKET_NAME]
    Replace [BUCKET_NAME] with the name of the bucket that you remediated.
  6. Repeat these steps for any other buckets that allow all authenticated user reads.
By following these steps, you have successfully remediated the misconfiguration “Buckets should not allow all authenticated user reads” in GCP using GCP CLI.
To remediate the issue of buckets allowing all authenticated user reads in GCP using Python, you can use the following steps:
  1. Install the Google Cloud Storage Python library by running the following command:
pip install google-cloud-storage
  1. Authenticate with your GCP account by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your service account key file. You can create a service account and download the key file from the GCP console.
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/keyfile.json
  1. Use the google-cloud-storage library to get a list of all buckets in your project.
from google.cloud import storage

client = storage.Client()
buckets = client.list_buckets()
  1. For each bucket, check if it allows all authenticated users to read. If it does, update the bucket’s IAM policy to remove the allAuthenticatedUsers role from the roles/storage.objectViewer role.
for bucket in buckets:
    policy = bucket.get_iam_policy()
    binding = policy.bindings.get("roles/storage.objectViewer")
    if binding and "allAuthenticatedUsers" in binding.members:
        binding.members.remove("allAuthenticatedUsers")
        bucket.set_iam_policy(policy)
  1. Verify that the issue has been remediated by checking the IAM policy for each bucket.
for bucket in buckets:
    policy = bucket.get_iam_policy()
    binding = policy.bindings.get("roles/storage.objectViewer")
    if binding and "allAuthenticatedUsers" in binding.members:
        print(f"Bucket {bucket.name} still allows all authenticated user reads")
    else:
        print(f"Bucket {bucket.name} has been remediated")
By following these steps, you can remediate the issue of buckets allowing all authenticated user reads in GCP using Python.