1. Open the GCP console and go to the Cloud Storage page.
2. Click on the name of the bucket that you want to remediate.
3. Click on the “Edit bucket permissions” button at the top of the page.
4. Scroll down to the “Add members” section and click on the “Select a role” dropdown menu.
5. Choose the “Storage Object Creator” role from the list of options.
6. In the “New members” field, enter the email addresses of the users or groups that you want to grant write access to.
7. Click on the “Add” button to add the selected users or groups to the “Members” list.
8. In the “Members” list, select the new members that you just added and click on the “Edit” button.
9. In the “Edit members” dialog box, select the “Storage Object Creator” role from the “Role” dropdown menu.
10. Click on the “Save” button to save the changes.
11. Repeat steps 6-10 for each user or group that needs write access to the bucket.
12. Click on the “Save” button at the bottom of the page to save the changes.

​

1. Open the Google Cloud Console and navigate to the Cloud Shell.
2. In the Cloud Shell, type the following command to list all the buckets in your project:
   Copy

   Ask AI

   gsutil ls
   

3. Identify the bucket that has the misconfiguration and note down its name.
4. Type the following command to remove the public write access from the bucket:
   Copy

   Ask AI

   gsutil iam ch -d allUsers:objectCreator gs://[BUCKET_NAME]
   

   Replace [BUCKET_NAME] with the name of the bucket that you identified in step 3.
5. Verify that the public write access has been removed by running the following command:
   Copy

   Ask AI

   gsutil iam get gs://[BUCKET_NAME]
   

   This command will display the IAM policy for the bucket. Verify that the “allUsers” entity does not have the “roles/storage.objectCreator” role.
6. Repeat steps 4 and 5 for any other buckets in your project that have the misconfiguration.

1. First, you need to authenticate with GCP using the google-auth and google-auth-oauthlib libraries. You can use the following code to authenticate:

from google.oauth2 import service_account
from google.cloud import storage

# Replace [PATH_TO_SERVICE_ACCOUNT_JSON] with the path to your service account JSON file
credentials = service_account.Credentials.from_service_account_file('[PATH_TO_SERVICE_ACCOUNT_JSON]')
client = storage.Client(credentials=credentials)

2. Next, you need to list all the buckets in your GCP project using the following code:

buckets = client.list_buckets()

3. For each bucket, you need to check if the allUsers group has the WRITER role. You can do this using the following code:

for bucket in buckets:
    bucket_acl = bucket.acl
    for entry in bucket_acl:
        if entry.scope.type == 'AllAuthenticatedUsers' and entry.role == 'WRITER':
            entry.role = 'READER'
            bucket_acl.save()

4. The above code will change the WRITER role of the allUsers group to READER. You can verify the changes by running the following code:

for bucket in buckets:
    bucket_acl = bucket.acl
    for entry in bucket_acl:
        if entry.scope.type == 'AllAuthenticatedUsers':
            print(f'{entry.scope.type}: {entry.role}')