Buckets Should Not Allow All Authenticated Users to Write
More Info:
Ensure that cloud Storage buckets do not allow All Authenticated Users to Write (“allAuthenticatedUsers” must not have “WRITER” roles)Risk Level
HighAddress
SecurityCompliance Standards
NISTTriage and Remediation
Remediation
Using Console
Using Console
To remediate the issue of GCP buckets allowing all authenticated users to write, you can follow these steps:
- Go to the GCP console and select the project where the bucket is located.
- Navigate to the Cloud Storage section and select the bucket that needs to be remediated.
- Click on the “Permissions” tab on the left-hand side of the screen.
- Under the “Members” section, find the “allAuthenticatedUsers” entry and click on the pencil icon next to it to edit the permissions.
- In the “Add members” field, type “allUsers” and select the “Storage Object Viewer” role from the dropdown menu.
- Click on the “Save” button to apply the changes.
- Next, find the “allAuthenticatedUsers” entry again, and this time, click on the trash can icon to remove it.
- Click on the “Save” button to apply the changes.
- Finally, verify that the bucket no longer allows all authenticated users to write by attempting to upload a file to the bucket with an authenticated user account that does not have write access. The upload should fail with an access denied error.
Using CLI
Using CLI
To remediate the misconfiguration “Buckets Should Not Allow All Authenticated Users to Write” in GCP using GCP CLI, follow the below steps:
- Open the Cloud Shell in your GCP Console.
- Run the following command to list all the buckets in your project:
gcloud storage buckets list- Choose the bucket that you want to remediate.
- Run the following command to remove all authenticated users’ write access from the bucket:
gsutil iam ch allAuthenticatedUsers:objectAdmin gs://[BUCKET_NAME]Note: Replace [BUCKET_NAME] with the actual name of your bucket.- Verify that the remediation is successful by running the following command:
gsutil iam get gs://[BUCKET_NAME]This command should return the access control list (ACL) for the bucket, which should not contain any entry for allAuthenticatedUsers with the role objectAdmin.By following these steps, you can remediate the misconfiguration “Buckets Should Not Allow All Authenticated Users to Write” in GCP using GCP CLI.Using Python
Using Python
To remediate the misconfiguration “Buckets Should Not Allow All Authenticated Users to Write” in GCP using python, follow these steps:This code will remove the “WRITER” role for all authenticated users and grant them only the “READER” role. This will ensure that they cannot write to the bucket.Note: Make sure to replace
- First, you need to install the Google Cloud Storage python library using the following command:
- Next, you need to authenticate with your GCP account using the following command:
- Now, you can list all the buckets in your GCP project using the following code:
- Once you have identified the bucket that allows all authenticated users to write, you can update its permissions using the following code:
<path_to_service_account_key_file> and <bucket_name> with the appropriate values in the code.