Buckets Should Not Allow All Users Reads
More Info: Ensure that Cloud Storage buckets do not allow All Users to read (“allUsers” must not have “READER” roles).
Risk Level: Critical
Address: Security
Compliance Standards: NIST
Triage and Remediation
Remediation
To remediate the issue of “Buckets should not allow all users reads” for GCP using the GCP console, follow these steps:
- Open the GCP Console and go to the Cloud Storage section.
- Select the bucket that you want to remediate.
- Click on the “Permissions” tab.
- Under the “Members” section, find the “allUsers” entry.
- Click on the “Edit” button next to “allUsers”.
- In the “Select a role” dropdown, select “Storage Object Viewer”.
- Click on the “Save” button to save the changes.
- Verify that the “allUsers” entry now has the “Storage Object Viewer” role assigned to it.
By following these steps, you have remediated the issue of “Buckets should not allow all users reads” for the selected bucket in GCP using the GCP console.
To remediate the issue of buckets allowing all users reads in GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP console.
- Run the following command to list all the buckets in your project:
gsutil ls
- Identify the bucket that is allowing all users to read.
- Run the following command to revoke the permission for all users to read the bucket:
gsutil iam ch -d allUsers:objectViewer gs://[BUCKET_NAME]
Replace [BUCKET_NAME] with the name of the bucket that you identified in step 3.
- Verify that the permissions have been revoked by running the following command:
gsutil iam get gs://[BUCKET_NAME]
This command displays the current IAM policy for the bucket.
- Check the IAM policy to ensure that only authorized users have access to the bucket.
- Repeat the above steps for all the buckets in your project that are allowing all users to read.
By following these steps, you can remediate the issue of buckets allowing all users reads in GCP using the GCP CLI.
To remediate the issue of allowing all users to read buckets in GCP using Python, follow these steps:
- First, authenticate with GCP using a service account key. You can create a service account and download the JSON key file from the GCP console.
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('<path/to/service_account_key.json>')
- Next, import the necessary libraries to interact with GCP Storage.
from google.cloud import storage
from google.cloud.storage import Bucket
- Now, create a client object to interact with GCP Storage.
client = storage.Client(credentials=credentials)
- Get a list of all the buckets in the project. list_buckets() returns a one-shot iterator, so materialise it into a list because it is traversed twice below.
buckets = list(client.list_buckets())
- For each bucket, check whether the allUsers entity holds the READER role on the bucket ACL (the legacy-ACL grant of public read, i.e. storage.objects.get). If it does, revoke the role and save the ACL; without save() nothing is written back.
for bucket in buckets:
    bucket: Bucket
    # Buckets with uniform bucket-level access have no ACLs: their public grants
    # live in the IAM policy and must be removed there (see the gsutil step above).
    if bucket.iam_configuration.uniform_bucket_level_access_enabled:
        continue
    bucket.acl.reload()            # fetch the current ACL from the API
    all_users = bucket.acl.all()   # the allUsers entity (all_authenticated() is allAuthenticatedUsers, a different entity)
    if 'READER' in all_users.get_roles():
        all_users.revoke_read()    # drop the READER role from allUsers
        bucket.acl.save()          # persist the change
- Finally, confirm that the allUsers entity no longer has the READER role.
for bucket in buckets:
    bucket: Bucket
    if bucket.iam_configuration.uniform_bucket_level_access_enabled:
        continue
    bucket.acl.reload()
    print(bucket.name, 'READER' in bucket.acl.all().get_roles())   # expect False for every bucket
This Python script remediates the issue of allowing all users to read buckets in GCP by removing the READER role (public storage.objects.get access) from the allUsers entity.
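The CLI and Python steps above both come down to one operation on the bucket's IAM policy: find the bindings that grant a public principal a read role and remove that principal. The following is an added example, not code from the page or from Google's libraries: it audits and cleans a policy of the exact JSON shape that `gsutil iam get gs://[BUCKET_NAME]` prints (and that `Bucket.get_iam_policy()` returns), so the audit can be run offline against saved output before anything is written back. The function names, the `SAMPLE_POLICY` (a constructed policy, not from any real bucket) and the `OBJECT_READ_ROLES` set (roles I know include `storage.objects.get`) are my assumptions; `remediate_bucket` is the live variant and needs the google-cloud-storage library and credentials.

```python
import copy
import json

# Roles whose grant includes the storage.objects.get permission (object read).
# Assumption for this example: a fixed set; the IAM role reference is the authority.
OBJECT_READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}

# Principals that make a grant public: anyone on the internet, or any
# Google-authenticated identity. Both are treated as public by this check.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def find_public_grants(policy, principals=PUBLIC_PRINCIPALS):
    """Return (role, member, grants_object_read) for every public grant in a
    bucket IAM policy dict of the shape `gsutil iam get` prints."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in principals:
                findings.append((role, member, role in OBJECT_READ_ROLES))
    return findings


def strip_public_grants(policy, principals=PUBLIC_PRINCIPALS):
    """Return a copy of the policy with public principals removed from every
    binding. Bindings left with no members are dropped; conditions, etag and
    version are kept, so the write-back is rejected if the policy changed meanwhile."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m not in principals]
        if binding["members"]:
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


def audit_policy_json(text):
    """Audit the JSON text produced by `gsutil iam get gs://BUCKET`."""
    return find_public_grants(json.loads(text))


def remediate_bucket(bucket_name, credentials=None):
    """Live variant: fetch the bucket's IAM policy, strip public grants, write it
    back. google-cloud-storage is imported here so the helpers above run offline."""
    from google.api_core.iam import Policy
    from google.cloud import storage

    client = storage.Client(credentials=credentials)
    bucket = client.bucket(bucket_name)
    # Version 3 is needed to see conditional bindings; a policy read without
    # them could not be written back without silently dropping them.
    current = bucket.get_iam_policy(requested_policy_version=3).to_api_repr()
    findings = find_public_grants(current)
    if findings:
        bucket.set_iam_policy(Policy.from_api_repr(strip_public_grants(current)))
    return findings


# Constructed sample policy (not from any real bucket): a public objectViewer
# grant, a public legacyBucketReader grant, and a legitimate admin user.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["allAuthenticatedUsers",
                     "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin", "members": ["user:owner@example.com"]},
    ],
}


if __name__ == "__main__":
    for role, member, reads in find_public_grants(SAMPLE_POLICY):
        print(f"{member} has {role}" + (" (grants storage.objects.get)" if reads else ""))
    print(json.dumps(strip_public_grants(SAMPLE_POLICY), indent=2))
```

Run it as-is to see the findings and the cleaned policy for the sample; point `audit_policy_json` at saved `gsutil iam get` output to audit real buckets offline, and call `remediate_bucket` only once the findings look right. Note that a grant of `roles/storage.objectViewer` to `allUsers` still permits unauthenticated reads, so verification should confirm that `allUsers` is absent from the policy, which is what `gsutil iam ch -d allUsers:objectViewer` in the CLI step achieves.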