More Info:

Ensure that cloud Storage buckets do not allow All Authenticated Users to Write (“allAuthenticatedUsers” must not have “WRITER” roles)

Risk Level

High

Address

Security

Compliance Standards

NIST

Triage and Remediation

Remediation

Using Console

To remediate the issue of GCP buckets allowing all authenticated users to write, you can follow these steps:
  1. Go to the GCP console and select the project where the bucket is located.
  2. Navigate to the Cloud Storage section and select the bucket that needs to be remediated.
  3. Click on the “Permissions” tab on the left-hand side of the screen.
  4. Under the “Members” section, find the “allAuthenticatedUsers” entry and click on the pencil icon next to it to edit the permissions.
  5. In the “Add members” field, type “allUsers” and select the “Storage Object Viewer” role from the dropdown menu.
  6. Click on the “Save” button to apply the changes.
  7. Next, find the “allAuthenticatedUsers” entry again, and this time, click on the trash can icon to remove it.
  8. Click on the “Save” button to apply the changes.
  9. Finally, verify that the bucket no longer allows all authenticated users to write by attempting to upload a file to the bucket with an authenticated user account that does not have write access. The upload should fail with an access denied error.
By following these steps, you should be able to remediate the misconfiguration of GCP buckets allowing all authenticated users to write.

To remediate the misconfiguration “Buckets Should Not Allow All Authenticated Users to Write” in GCP using GCP CLI, follow the below steps:
  1. Open the Cloud Shell in your GCP Console.
  2. Run the following command to list all the buckets in your project:
gcloud storage buckets list
  1. Choose the bucket that you want to remediate.
  2. Run the following command to remove all authenticated users’ write access from the bucket:
gsutil iam ch allAuthenticatedUsers:objectAdmin gs://[BUCKET_NAME]Note: Replace [BUCKET_NAME] with the actual name of your bucket.
  1. Verify that the remediation is successful by running the following command:
gsutil iam get gs://[BUCKET_NAME]This command should return the access control list (ACL) for the bucket, which should not contain any entry for allAuthenticatedUsers with the role objectAdmin.By following these steps, you can remediate the misconfiguration “Buckets Should Not Allow All Authenticated Users to Write” in GCP using GCP CLI.
To remediate the misconfiguration “Buckets Should Not Allow All Authenticated Users to Write” in GCP using python, follow these steps:
  1. First, you need to install the Google Cloud Storage python library using the following command:
pip install google-cloud-storage
  1. Next, you need to authenticate with your GCP account using the following command:
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_key_file>')
  1. Now, you can list all the buckets in your GCP project using the following code:
from google.cloud import storage

storage_client = storage.Client(credentials=credentials)
buckets = storage_client.list_buckets()

for bucket in buckets:
    print(bucket.name)
  1. Once you have identified the bucket that allows all authenticated users to write, you can update its permissions using the following code:
from google.cloud import storage
from google.cloud.storage import Bucket

storage_client = storage.Client(credentials=credentials)
bucket = Bucket(storage_client, '<bucket_name>')

all_authenticated_users = storage.all_authenticated()

bucket.acl.loaded = False
bucket.acl.save(acl=all_authenticated_users, role='READER')
This code will remove the “WRITER” role for all authenticated users and grant them only the “READER” role. This will ensure that they cannot write to the bucket.Note: Make sure to replace <path_to_service_account_key_file> and <bucket_name> with the appropriate values in the code.