Buckets Should Not Allow Public Ownership

More Info:

Ensure that cloud Storage buckets do not allow All Users to have Ownership (“allUsers” must not have “OWNER” roles)

Risk Level

Critical

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Buckets Should Not Allow Public Ownership” for GCP using GCP CLI, follow these steps:

Open the Google Cloud Console and select the project in which the bucket is located.
Open the Cloud Shell by clicking on the icon on the top right corner of the console.
In the Cloud Shell, run the following command to list all the buckets in the project:

gsutil ls

Identify the bucket that has public ownership.
Run the following command to remove public ownership from the bucket:

gsutil iam ch allUsers:objectViewer gs://[BUCKET_NAME]

Replace [BUCKET_NAME] with the name of the bucket that has public ownership.

Verify that public ownership has been removed by running the following command:

gsutil iam get gs://[BUCKET_NAME]

Replace [BUCKET_NAME] with the name of the bucket that has public ownership.

If the command output shows that allUsers has no permissions on the bucket, you have successfully remediated the misconfiguration.

Note: If you want to prevent public ownership from being set on new buckets, you can set a bucket-level policy that denies the allUsers group the storage.objects.get permission.

Using Python

To remediate the misconfiguration “Buckets Should Not Allow Public Ownership” in GCP, we can follow these steps using Python:

Install the Google Cloud Storage library for Python using the following command:
```
pip install google-cloud-storage
```
Create a service account with the necessary permissions to access the GCP project where the bucket is located. Download the JSON key file for the service account and save it securely.

Use the following Python code to check if any of the buckets in the project have public ownership:

from google.cloud import storage

# Replace the following values with your project ID and the path to your JSON key file
project_id = 'your-project-id'
key_path = '/path/to/your/keyfile.json'

# Authenticate with the service account
client = storage.Client.from_service_account_json(key_path)

# Get a list of all the buckets in the project
buckets = client.list_buckets(project=project_id)

# Check if any of the buckets have public ownership
for bucket in buckets:
    if bucket.iam_configuration.public_access == 'Public':
        print(f'Bucket {bucket.name} has public ownership.')

If any buckets have public ownership, use the following Python code to remove the public access:

from google.cloud import storage

# Replace the following values with your project ID and the path to your JSON key file
project_id = 'your-project-id'
key_path = '/path/to/your/keyfile.json'

# Authenticate with the service account
client = storage.Client.from_service_account_json(key_path)

# Get a list of all the buckets in the project
buckets = client.list_buckets(project=project_id)

# Remove public access from any buckets that have it
for bucket in buckets:
    if bucket.iam_configuration.public_access == 'Public':
        bucket.iam_configuration.public_access = 'None'
        bucket.patch()
        print(f'Public access removed from bucket {bucket.name}.')

Run the code to remediate the misconfiguration. Verify that the buckets no longer have public ownership by checking their IAM settings in the GCP Console.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Buckets Should Not Allow Public Ownership

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation