Buckets Should Not Allow All Authenticated User Reads
More Info:
Ensure that Cloud Storage buckets do not allow All Authenticated User Reads (“allAuthenticatedUsers” must not have “READER” roles).
Risk Level: High
Address: Security
Compliance Standards: NIST
Triage and Remediation
Remediation
To remediate the misconfiguration “Buckets Should Not Allow All Authenticated User Reads” for GCP using the GCP console, follow these steps:
- Open the GCP console and go to the Cloud Storage page.
- Select the bucket for which you want to remediate the misconfiguration.
- Click on the “Permissions” tab.
- Under the “Members” section, locate the “allAuthenticatedUsers” entry.
- Click on the pencil icon next to the “allAuthenticatedUsers” entry to edit its permissions.
- In the “Select a role” dropdown, select “Storage Legacy Bucket Reader”.
- Click on the “Save” button to save the changes.
By doing this, you are removing the read permission for all authenticated users and granting only the Storage Legacy Bucket Reader role permission to read the bucket.
To remediate the misconfiguration “Buckets should not allow all authenticated user reads” in GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP Console.
- Run the following command to list all the buckets in your project:

```shell
gsutil ls
```

- Identify the bucket that allows all authenticated user reads.
- Run the following command to remove the allAuthenticatedUsers entity from the bucket’s IAM policy (with no role given after the member, `-d` removes every role granted to that member):

```shell
gsutil iam ch -d allAuthenticatedUsers gs://[BUCKET_NAME]
```

Replace [BUCKET_NAME] with the name of the bucket that you want to remediate.
- Verify that the allAuthenticatedUsers entity has been removed from the bucket’s IAM policy by running the following command:

```shell
gsutil iam get gs://[BUCKET_NAME]
```

Replace [BUCKET_NAME] with the name of the bucket that you remediated.
- Repeat these steps for any other buckets that allow all authenticated user reads.
By following these steps, you have successfully remediated the misconfiguration “Buckets should not allow all authenticated user reads” in GCP using the GCP CLI.
To remediate the issue of buckets allowing all authenticated user reads in GCP using Python, follow these steps:
- Install the Google Cloud Storage Python library by running the following command:

```shell
pip install google-cloud-storage
```

- Authenticate with your GCP account by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your service account key file. You can create a service account and download the key file from the GCP console.

```shell
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/keyfile.json
```

- Use the google-cloud-storage library to get a list of all buckets in your project. The listing is materialised with list() because list_buckets() returns an iterator; iterating it once in the remediation loop would leave nothing for the verification loop that follows.

```python
from google.cloud import storage

client = storage.Client()
buckets = list(client.list_buckets())
```

- For each bucket, check whether allAuthenticatedUsers is a member of the roles/storage.objectViewer binding. If it is, remove that member and write the policy back. policy.bindings is a list of dicts with "role" and "members" keys (members is a set); requesting policy version 3 also returns bindings that carry a condition.

```python
ROLE = "roles/storage.objectViewer"
MEMBER = "allAuthenticatedUsers"

for bucket in buckets:
    policy = bucket.get_iam_policy(requested_policy_version=3)
    changed = False
    for binding in policy.bindings:
        if binding["role"] == ROLE and MEMBER in binding["members"]:
            binding["members"].discard(MEMBER)
            changed = True
    if changed:
        # Write the policy back only when a grant was actually removed.
        bucket.set_iam_policy(policy)
```

- Verify that the issue has been remediated by checking the IAM policy for each bucket.

```python
for bucket in buckets:
    policy = bucket.get_iam_policy(requested_policy_version=3)
    exposed = any(b["role"] == ROLE and MEMBER in b["members"]
                  for b in policy.bindings)
    if exposed:
        print(f"Bucket {bucket.name} still allows all authenticated user reads")
    else:
        print(f"Bucket {bucket.name} has been remediated")
```

By following these steps, you can remediate the issue of buckets allowing all authenticated user reads in GCP using Python.
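The CLI verification step and the Python steps above inspect a live bucket; the following added example (not code from the original page) audits a policy offline in the JSON shape that `gsutil iam get` prints, reporting every read-capable role granted to allAuthenticatedUsers rather than only objectViewer, and builds the scrubbed policy that `gsutil iam ch -d allAuthenticatedUsers` would leave behind. The READ_ROLES set and the sample policy are constructed for this example.

```python
# Added example (not part of the original page): audit a bucket IAM policy for
# allAuthenticatedUsers read grants and build the scrubbed policy. It works on
# the JSON that `gsutil iam get gs://BUCKET` prints, so it runs offline.
import copy

# Predefined roles that include object read permission (assumed list; extend
# it if your org uses custom roles).
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.objectAdmin",
              "roles/storage.admin", "roles/storage.legacyBucketReader",
              "roles/storage.legacyObjectReader", "roles/storage.legacyBucketOwner",
              "roles/storage.legacyObjectOwner"}
PUBLIC_MEMBER = "allAuthenticatedUsers"


def find_public_reads(policy, member=PUBLIC_MEMBER):
    """Sorted read-capable roles granted to `member`, across every binding
    (a conditional binding or a legacy reader role still grants the read)."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if b["role"] in READ_ROLES and member in b.get("members", []))


def remove_member(policy, member=PUBLIC_MEMBER):
    """Copy of `policy` with `member` dropped from every binding, like
    `gsutil iam ch -d allAuthenticatedUsers`; emptied bindings are deleted.
    Apply the result with `gsutil iam set` or bucket.set_iam_policy()."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for b in cleaned.get("bindings", []):
        b["members"] = [m for m in b.get("members", []) if m != member]
        if b["members"]:
            kept.append(b)
    cleaned["bindings"] = kept
    return cleaned


# Constructed sample in `gsutil iam get` format: a legitimate binding, an
# objectViewer grant to allAuthenticatedUsers, and a conditional legacy
# reader grant that a check limited to objectViewer would miss.
SAMPLE_POLICY = {"etag": "CAE=", "bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allAuthenticatedUsers", "user:alice@example.com"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["allAuthenticatedUsers"],
     "condition": {"title": "temp",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]}
```

Pipe a real policy through json.load() into find_public_reads() to audit it; the unchanged etag in the scrubbed copy lets `gsutil iam set` reject a write if the policy changed in the meantime.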