Buckets Should Not Allow All Users Reads

More Info:

Ensure that cloud Storage buckets do not allow All Users to Read (“allUsers” must not have “READER” roles)

Risk Level

Critical

Address

Security

Compliance Standards

NIST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the issue of buckets allowing all users reads in GCP using GCP CLI, follow these steps:

Open the Cloud Shell in the GCP console.
Run the following command to list all the buckets in your project:

gsutil ls

Identify the bucket that is allowing all users to read.
Run the following command to revoke the permissions for all users to read the bucket:

gsutil iam ch -d allUsers:objectViewer gs://[BUCKET_NAME]

Replace [BUCKET_NAME] with the name of the bucket that you identified in step 3.

Verify that the permissions have been revoked by running the following command:

gsutil iam get gs://[BUCKET_NAME]

This command will display the current IAM policy for the bucket.

Check the IAM policy to ensure that only authorized users have access to the bucket.
Repeat the above steps for all the buckets in your project that are allowing all users to read.

By following these steps, you can remediate the issue of buckets allowing all users reads in GCP using GCP CLI.

Using Python

To remediate the issue of allowing all users to read buckets in GCP using Python, you can follow the below steps:

First, you need to authenticate with GCP using the service account key. You can create a service account and download the JSON key file from the GCP console.

from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('<path/to/service_account_key.json>')

Next, you need to import the necessary libraries to interact with GCP Storage.

from google.cloud import storage
from google.cloud.storage import Bucket

Now, create a client object to interact with GCP Storage.

client = storage.Client(credentials=credentials)

Get a list of all the buckets in the project.

buckets = client.list_buckets()

For each bucket, check if the allUsers entity has the storage.objects.get permission. If it does, remove the permission.

for bucket in buckets:
    bucket: Bucket
    if bucket.acl.all_authenticated().grant('storage.objects.get') is not None:
        bucket.acl.all_authenticated().revoke('storage.objects.get')

Finally, confirm that the allUsers entity does not have the storage.objects.get permission.

for bucket in buckets:
    bucket: Bucket
    print(bucket.acl.all_authenticated().has_permission('storage.objects.get'))

This Python script will remediate the issue of allowing all users to read buckets in GCP by removing the storage.objects.get permission for the allUsers entity.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Buckets Should Not Allow All Users Reads

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation