Buckets Should Not Allow All Users to Write

More Info:

Ensure that cloud Storage buckets do not allow All Users to Write (“allUsers” must not have “WRITER” roles)

Risk Level

High

Address

Security

Compliance Standards

NIST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using GCP CLI, follow these steps:

Open the Google Cloud Console and navigate to the Cloud Shell.
In the Cloud Shell, type the following command to list all the buckets in your project:
```
gsutil ls
```
Identify the bucket that has the misconfiguration and note down its name.
Type the following command to remove the public write access from the bucket:
```
gsutil iam ch -d allUsers:objectCreator gs://[BUCKET_NAME]
```
Replace [BUCKET_NAME] with the name of the bucket that you identified in step 3.
Verify that the public write access has been removed by running the following command:
```
gsutil iam get gs://[BUCKET_NAME]
```
This command will display the IAM policy for the bucket. Verify that the “allUsers” entity does not have the “roles/storage.objectCreator” role.
Repeat steps 4 and 5 for any other buckets in your project that have the misconfiguration.

By following these steps, you have successfully remediated the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Buckets Should Not Allow All Users to Write” for GCP using Python, you can follow the below steps:

First, you need to authenticate with GCP using the google-auth and google-auth-oauthlib libraries. You can use the following code to authenticate:

from google.oauth2 import service_account
from google.cloud import storage

# Replace [PATH_TO_SERVICE_ACCOUNT_JSON] with the path to your service account JSON file
credentials = service_account.Credentials.from_service_account_file('[PATH_TO_SERVICE_ACCOUNT_JSON]')
client = storage.Client(credentials=credentials)

Next, you need to list all the buckets in your GCP project using the following code:

buckets = client.list_buckets()

For each bucket, you need to check if the allUsers group has the WRITER role. You can do this using the following code:

for bucket in buckets:
    bucket_acl = bucket.acl
    for entry in bucket_acl:
        if entry.scope.type == 'AllAuthenticatedUsers' and entry.role == 'WRITER':
            entry.role = 'READER'
            bucket_acl.save()

The above code will change the WRITER role of the allUsers group to READER. You can verify the changes by running the following code:

for bucket in buckets:
    bucket_acl = bucket.acl
    for entry in bucket_acl:
        if entry.scope.type == 'AllAuthenticatedUsers':
            print(f'{entry.scope.type}: {entry.role}')

This code will print the access level of all the users and groups for each bucket. You should see that the allUsers group now has the READER role instead of the WRITER role.Note: This code assumes that you have the necessary permissions to modify the bucket access control lists.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Buckets Should Not Allow All Users to Write

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation