GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Buckets Should Not Allow All Authenticated Users to Write
More Info:
Ensure that cloud Storage buckets do not allow All Authenticated Users to Write (“allAuthenticatedUsers” must not have “WRITER” roles)
Risk Level
High
Address
Security
Compliance Standards
NIST
Triage and Remediation
Remediation
To remediate the issue of GCP buckets allowing all authenticated users to write, you can follow these steps:
-
Go to the GCP console and select the project where the bucket is located.
-
Navigate to the Cloud Storage section and select the bucket that needs to be remediated.
-
Click on the “Permissions” tab on the left-hand side of the screen.
-
Under the “Members” section, find the “allAuthenticatedUsers” entry and click on the pencil icon next to it to edit the permissions.
-
In the “Add members” field, type “allUsers” and select the “Storage Object Viewer” role from the dropdown menu.
-
Click on the “Save” button to apply the changes.
-
Next, find the “allAuthenticatedUsers” entry again, and this time, click on the trash can icon to remove it.
-
Click on the “Save” button to apply the changes.
-
Finally, verify that the bucket no longer allows all authenticated users to write by attempting to upload a file to the bucket with an authenticated user account that does not have write access. The upload should fail with an access denied error.
By following these steps, you should be able to remediate the misconfiguration of GCP buckets allowing all authenticated users to write.
To remediate the misconfiguration “Buckets Should Not Allow All Authenticated Users to Write” in GCP using GCP CLI, follow the below steps:
-
Open the Cloud Shell in your GCP Console.
-
Run the following command to list all the buckets in your project:
gcloud storage buckets list
-
Choose the bucket that you want to remediate.
-
Run the following command to remove all authenticated users’ write access from the bucket:
gsutil iam ch allAuthenticatedUsers:objectAdmin gs://[BUCKET_NAME]
Note: Replace [BUCKET_NAME] with the actual name of your bucket.
- Verify that the remediation is successful by running the following command:
gsutil iam get gs://[BUCKET_NAME]
This command should return the access control list (ACL) for the bucket, which should not contain any entry for allAuthenticatedUsers with the role objectAdmin.
By following these steps, you can remediate the misconfiguration “Buckets Should Not Allow All Authenticated Users to Write” in GCP using GCP CLI.
To remediate the misconfiguration “Buckets Should Not Allow All Authenticated Users to Write” in GCP using python, follow these steps:
- First, you need to install the Google Cloud Storage python library using the following command:
pip install google-cloud-storage
- Next, you need to authenticate with your GCP account using the following command:
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_key_file>')
- Now, you can list all the buckets in your GCP project using the following code:
from google.cloud import storage
storage_client = storage.Client(credentials=credentials)
buckets = storage_client.list_buckets()
for bucket in buckets:
print(bucket.name)
- Once you have identified the bucket that allows all authenticated users to write, you can update its permissions using the following code:
from google.cloud import storage
from google.cloud.storage import Bucket
storage_client = storage.Client(credentials=credentials)
bucket = Bucket(storage_client, '<bucket_name>')
all_authenticated_users = storage.all_authenticated()
bucket.acl.loaded = False
bucket.acl.save(acl=all_authenticated_users, role='READER')
This code will remove the “WRITER” role for all authenticated users and grant them only the “READER” role. This will ensure that they cannot write to the bucket.
Note: Make sure to replace <path_to_service_account_key_file> and <bucket_name> with the appropriate values in the code.