More Info:

Ensure that cloud Storage buckets do not allow All Users to Write (“allUsers” must not have “WRITER” roles)

Risk Level

High

Address

Security

Compliance Standards

NIST

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using GCP console:
  1. Open the GCP console and go to the Cloud Storage page.
  2. Click on the name of the bucket that you want to remediate.
  3. Click on the “Edit bucket permissions” button at the top of the page.
  4. Scroll down to the “Add members” section and click on the “Select a role” dropdown menu.
  5. Choose the “Storage Object Creator” role from the list of options.
  6. In the “New members” field, enter the email addresses of the users or groups that you want to grant write access to.
  7. Click on the “Add” button to add the selected users or groups to the “Members” list.
  8. In the “Members” list, select the new members that you just added and click on the “Edit” button.
  9. In the “Edit members” dialog box, select the “Storage Object Creator” role from the “Role” dropdown menu.
  10. Click on the “Save” button to save the changes.
  11. Repeat steps 6-10 for each user or group that needs write access to the bucket.
  12. Click on the “Save” button at the bottom of the page to save the changes.
By following these steps, you have successfully remediated the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using GCP console.

To remediate the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using GCP CLI, follow these steps:
  1. Open the Google Cloud Console and navigate to the Cloud Shell.
  2. In the Cloud Shell, type the following command to list all the buckets in your project:
    gsutil ls
    
  3. Identify the bucket that has the misconfiguration and note down its name.
  4. Type the following command to remove the public write access from the bucket:
    gsutil iam ch -d allUsers:objectCreator gs://[BUCKET_NAME]
    
    Replace [BUCKET_NAME] with the name of the bucket that you identified in step 3.
  5. Verify that the public write access has been removed by running the following command:
    gsutil iam get gs://[BUCKET_NAME]
    
    This command will display the IAM policy for the bucket. Verify that the “allUsers” entity does not have the “roles/storage.objectCreator” role.
  6. Repeat steps 4 and 5 for any other buckets in your project that have the misconfiguration.
By following these steps, you have successfully remediated the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using GCP CLI.
To remediate the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using Python, you can follow the below steps:
  1. First, you need to authenticate with GCP using the google-auth and google-auth-oauthlib libraries. You can use the following code to authenticate:
from google.oauth2 import service_account
from google.cloud import storage

# Replace [PATH_TO_SERVICE_ACCOUNT_JSON] with the path to your service account JSON file
credentials = service_account.Credentials.from_service_account_file('[PATH_TO_SERVICE_ACCOUNT_JSON]')
client = storage.Client(credentials=credentials)
  1. Next, you need to list all the buckets in your GCP project using the following code:
buckets = client.list_buckets()
  1. For each bucket, you need to check if the allUsers group has the WRITER role. You can do this using the following code:
for bucket in buckets:
    bucket_acl = bucket.acl
    for entry in bucket_acl:
        if entry.scope.type == 'AllAuthenticatedUsers' and entry.role == 'WRITER':
            entry.role = 'READER'
            bucket_acl.save()
  1. The above code will change the WRITER role of the allUsers group to READER. You can verify the changes by running the following code:
for bucket in buckets:
    bucket_acl = bucket.acl
    for entry in bucket_acl:
        if entry.scope.type == 'AllAuthenticatedUsers':
            print(f'{entry.scope.type}: {entry.role}')
This code will print the access level of all the users and groups for each bucket. You should see that the allUsers group now has the READER role instead of the WRITER role.Note: This code assumes that you have the necessary permissions to modify the bucket access control lists.