More Info:

Ensure that cloud Storage buckets do not allow All Users to Read (“allUsers” must not have “READER” roles)

Risk Level

Critical

Address

Security

Compliance Standards

NIST

Triage and Remediation

Remediation

Using Console

To remediate the issue of “Buckets should not allow all users reads” for GCP using GCP console, you can follow these steps:
  1. Open the GCP Console and go to the Cloud Storage section.
  2. Select the bucket that you want to remediate.
  3. Click on the “Permissions” tab.
  4. Under the “Members” section, find the “allUsers” entry.
  5. Click on the “Edit” button next to “allUsers”.
  6. In the “Select a role” dropdown, select “Storage Object Viewer”.
  7. Click on the “Save” button to save the changes.
  8. Verify that the “allUsers” entry now has the “Storage Object Viewer” role assigned to it.
By following these steps, you have successfully remediated the issue of “Buckets should not allow all users reads” for the selected bucket in GCP using GCP console.

To remediate the issue of buckets allowing all users reads in GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP console.
  2. Run the following command to list all the buckets in your project: 
gsutil ls
  1. Identify the bucket that is allowing all users to read.
  2. Run the following command to revoke the permissions for all users to read the bucket: 
gsutil iam ch -d allUsers:objectViewer gs://[BUCKET_NAME]
Replace [BUCKET_NAME] with the name of the bucket that you identified in step 3.
  1. Verify that the permissions have been revoked by running the following command:
gsutil iam get gs://[BUCKET_NAME]
This command will display the current IAM policy for the bucket.
  1. Check the IAM policy to ensure that only authorized users have access to the bucket.
  2. Repeat the above steps for all the buckets in your project that are allowing all users to read.
By following these steps, you can remediate the issue of buckets allowing all users reads in GCP using GCP CLI.
To remediate the issue of allowing all users to read buckets in GCP using Python, you can follow the below steps:
  1. First, you need to authenticate with GCP using the service account key. You can create a service account and download the JSON key file from the GCP console.
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('<path/to/service_account_key.json>')
  1. Next, you need to import the necessary libraries to interact with GCP Storage.
from google.cloud import storage
from google.cloud.storage import Bucket
  1. Now, create a client object to interact with GCP Storage.
client = storage.Client(credentials=credentials)
  1. Get a list of all the buckets in the project.
buckets = client.list_buckets()
  1. For each bucket, check if the allUsers entity has the storage.objects.get permission. If it does, remove the permission.
for bucket in buckets:
    bucket: Bucket
    if bucket.acl.all_authenticated().grant('storage.objects.get') is not None:
        bucket.acl.all_authenticated().revoke('storage.objects.get')
  1. Finally, confirm that the allUsers entity does not have the storage.objects.get permission.
for bucket in buckets:
    bucket: Bucket
    print(bucket.acl.all_authenticated().has_permission('storage.objects.get'))
This Python script will remediate the issue of allowing all users to read buckets in GCP by removing the storage.objects.get permission for the allUsers entity.