GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Buckets Should Not Allow Public Ownership
More Info:
Ensure that cloud Storage buckets do not allow All Users to have Ownership (“allUsers” must not have “OWNER” roles)
Risk Level
Critical
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Buckets Should Not Allow Public Ownership” for GCP using GCP console, please follow the below steps:
-
Open the GCP console and navigate to the Cloud Storage page.
-
Select the bucket that you want to remediate.
-
Click on the “Permissions” tab.
-
Under the “Members” section, look for any member or group that has the “Storage Object Viewer” or “Storage Object Admin” role assigned.
-
Remove the member or group by clicking on the “X” icon next to their name.
-
Repeat Step 4 and Step 5 for all members or groups that have any Storage Object role assigned.
-
Click on the “Add” button to add a new member or group.
-
In the “Add members” dialog box, enter the email address of the member or group that you want to grant access to.
-
Select the appropriate role for the member or group from the “Select a role” drop-down menu.
-
Click on the “Add” button to add the member or group to the bucket.
-
Repeat Step 8 to Step 10 for all members or groups that need access to the bucket.
-
Click on the “Save” button to save the changes.
By following these steps, you have successfully remediated the misconfiguration “Buckets Should Not Allow Public Ownership” for GCP using GCP console.
To remediate the misconfiguration “Buckets Should Not Allow Public Ownership” for GCP using GCP CLI, follow these steps:
-
Open the Google Cloud Console and select the project in which the bucket is located.
-
Open the Cloud Shell by clicking on the icon on the top right corner of the console.
-
In the Cloud Shell, run the following command to list all the buckets in the project:
gsutil ls
-
Identify the bucket that has public ownership.
-
Run the following command to remove public ownership from the bucket:
gsutil iam ch allUsers:objectViewer gs://[BUCKET_NAME]
Replace [BUCKET_NAME] with the name of the bucket that has public ownership.
- Verify that public ownership has been removed by running the following command:
gsutil iam get gs://[BUCKET_NAME]
Replace [BUCKET_NAME] with the name of the bucket that has public ownership.
- If the command output shows that allUsers has no permissions on the bucket, you have successfully remediated the misconfiguration.
Note: If you want to prevent public ownership from being set on new buckets, you can set a bucket-level policy that denies the allUsers group the storage.objects.get permission.
To remediate the misconfiguration “Buckets Should Not Allow Public Ownership” in GCP, we can follow these steps using Python:
-
Install the Google Cloud Storage library for Python using the following command:
pip install google-cloud-storage -
Create a service account with the necessary permissions to access the GCP project where the bucket is located. Download the JSON key file for the service account and save it securely.
-
Use the following Python code to check if any of the buckets in the project have public ownership:
from google.cloud import storage # Replace the following values with your project ID and the path to your JSON key file project_id = 'your-project-id' key_path = '/path/to/your/keyfile.json' # Authenticate with the service account client = storage.Client.from_service_account_json(key_path) # Get a list of all the buckets in the project buckets = client.list_buckets(project=project_id) # Check if any of the buckets have public ownership for bucket in buckets: if bucket.iam_configuration.public_access == 'Public': print(f'Bucket {bucket.name} has public ownership.') -
If any buckets have public ownership, use the following Python code to remove the public access:
from google.cloud import storage # Replace the following values with your project ID and the path to your JSON key file project_id = 'your-project-id' key_path = '/path/to/your/keyfile.json' # Authenticate with the service account client = storage.Client.from_service_account_json(key_path) # Get a list of all the buckets in the project buckets = client.list_buckets(project=project_id) # Remove public access from any buckets that have it for bucket in buckets: if bucket.iam_configuration.public_access == 'Public': bucket.iam_configuration.public_access = 'None' bucket.patch() print(f'Public access removed from bucket {bucket.name}.') -
Run the code to remediate the misconfiguration. Verify that the buckets no longer have public ownership by checking their IAM settings in the GCP Console.