GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Buckets Should Not Allow All Users to Write
More Info:
Ensure that cloud Storage buckets do not allow All Users to Write (“allUsers” must not have “WRITER” roles)
Risk Level
High
Address
Security
Compliance Standards
NIST
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using GCP console:
- Open the GCP console and go to the Cloud Storage page.
- Click on the name of the bucket that you want to remediate.
- Click on the “Edit bucket permissions” button at the top of the page.
- Scroll down to the “Add members” section and click on the “Select a role” dropdown menu.
- Choose the “Storage Object Creator” role from the list of options.
- In the “New members” field, enter the email addresses of the users or groups that you want to grant write access to.
- Click on the “Add” button to add the selected users or groups to the “Members” list.
- In the “Members” list, select the new members that you just added and click on the “Edit” button.
- In the “Edit members” dialog box, select the “Storage Object Creator” role from the “Role” dropdown menu.
- Click on the “Save” button to save the changes.
- Repeat steps 6-10 for each user or group that needs write access to the bucket.
- Click on the “Save” button at the bottom of the page to save the changes.
By following these steps, you have successfully remediated the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using GCP console.
To remediate the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using GCP CLI, follow these steps:
-
Open the Google Cloud Console and navigate to the Cloud Shell.
-
In the Cloud Shell, type the following command to list all the buckets in your project:
gsutil ls -
Identify the bucket that has the misconfiguration and note down its name.
-
Type the following command to remove the public write access from the bucket:
gsutil iam ch -d allUsers:objectCreator gs://[BUCKET_NAME]Replace [BUCKET_NAME] with the name of the bucket that you identified in step 3.
-
Verify that the public write access has been removed by running the following command:
gsutil iam get gs://[BUCKET_NAME]This command will display the IAM policy for the bucket. Verify that the “allUsers” entity does not have the “roles/storage.objectCreator” role.
-
Repeat steps 4 and 5 for any other buckets in your project that have the misconfiguration.
By following these steps, you have successfully remediated the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using GCP CLI.
To remediate the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using Python, you can follow the below steps:
- First, you need to authenticate with GCP using the
google-authandgoogle-auth-oauthliblibraries. You can use the following code to authenticate:
from google.oauth2 import service_account
from google.cloud import storage
# Replace [PATH_TO_SERVICE_ACCOUNT_JSON] with the path to your service account JSON file
credentials = service_account.Credentials.from_service_account_file('[PATH_TO_SERVICE_ACCOUNT_JSON]')
client = storage.Client(credentials=credentials)
- Next, you need to list all the buckets in your GCP project using the following code:
buckets = client.list_buckets()
- For each bucket, you need to check if the
allUsersgroup has theWRITERrole. You can do this using the following code:
for bucket in buckets:
bucket_acl = bucket.acl
for entry in bucket_acl:
if entry.scope.type == 'AllAuthenticatedUsers' and entry.role == 'WRITER':
entry.role = 'READER'
bucket_acl.save()
- The above code will change the
WRITERrole of theallUsersgroup toREADER. You can verify the changes by running the following code:
for bucket in buckets:
bucket_acl = bucket.acl
for entry in bucket_acl:
if entry.scope.type == 'AllAuthenticatedUsers':
print(f'{entry.scope.type}: {entry.role}')
This code will print the access level of all the users and groups for each bucket. You should see that the allUsers group now has the READER role instead of the WRITER role.
Note: This code assumes that you have the necessary permissions to modify the bucket access control lists.