Bucket Policies with Administrative Permissions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the IAM policy associated with your Google Cloud Storage buckets does not have privileged, administrative permissions in order to promote the Principle of Least Privilege (POLP) and provide the principals the minimal amount of access required to perform their tasks.

Security

One of the most prevalent security vulnerabilities in Google Cloud Storage is misconfigured access permissions. Predefined administrator roles often grant extensive privileges, which, when assigned to Cloud Storage buckets, can pose significant security risks. To mitigate these risks, it's crucial to avoid granting admin privileges to Cloud Storage buckets. Such excessive permissions can inadvertently lead to unauthorized access, data breaches, and misuse. By adhering to the Principle of Least Privilege (POLP), you can significantly enhance access security. This principle dictates granting only the minimum necessary permissions to perform the required tasks, thereby reducing the potential attack surface and limiting the impact of any unauthorized access.


Audit

To determine if your Google Cloud Storage buckets are configured with admin permissions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Storage console available at https://console.cloud.google.com/storage.

04 In the left navigation panel, select Buckets to access the list with all the Cloud Storage buckets created for the selected GCP project.

05 Click on the name (link) of the storage bucket that you want to examine, listed in the Name column.

06 Select the PERMISSIONS tab to access the permissions (i.e., IAM policy) defined for the selected bucket.

07 In the Permissions section, select the VIEW BY PRINCIPALS tab to display the principals (members) that have access to the selected resource.

08 Click inside the Filter box and perform the following actions:

  1. Select Role, type Owner, and press Enter to return the principals with the Owner role.
  2. Select OR, choose Role, type Editor, and press Enter to return the members with the Editor role.
  3. Select OR, choose Role, type Admin or admin, and press Enter to return the principals with administrator-based roles (i.e., roles containing Admin or admin in their name).
  4. Select Inheritance and choose No inheritance to return the principals that have non-inherited roles.

09 If the filtering process performed at the previous step returns one or more principals, the IAM policy associated with the selected Google Cloud Storage bucket is configured with administrative permissions.

10 Repeat steps no. 5 – 9 for each storage bucket available within the selected project.

11 Repeat steps no. 2 – 10 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
    --format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run the storage buckets list command (Windows/macOS/Linux) with custom output filters to list the name of each storage bucket created for the specified GCP project:

gcloud storage buckets list \
    --project cc-project5-123123 \
    --format="value(name)"

04 The command output should return the requested bucket names:

cc-webdata-bucket
cc-dataproc-bucket
cc-cloud-ai-bucket

05 Run the storage buckets get-iam-policy command (Windows/macOS/Linux) with the name of the Cloud Storage bucket that you want to examine as the identifier parameter and custom output filters to describe the IAM policy configured for the selected bucket:

gcloud storage buckets get-iam-policy gs://cc-webdata-bucket \
    --format="default(bindings)"

06 The command output should return the requested IAM policy bindings:

bindings:
- members:
  - serviceAccount:123456789012@cloudservices.gserviceaccount.com
  - user:username@domain.com
  role: roles/editor
- members:
  - user:username@domain.com
  role: roles/owner
- members:
  - user:username@domain.com
  role: roles/storage.admin
- members:
  - group:cloud-storage-analytics@google.com
  role: roles/storage.objectCreator

Check the name of each IAM role (i.e., role property value) returned by the storage buckets get-iam-policy command output to determine the permissions granted to the principals (members) defined for the associated IAM policy. If one or more principals have the role property set to roles/owner, roles/editor, and/or roles/*admin (i.e., roles containing Admin or admin in their name), as shown in the example above, the IAM policy associated with the selected Google Cloud Storage bucket is configured with administrative permissions.

07 Repeat steps no. 5 and 6 for each storage bucket created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.

Remediation / Resolution

To ensure that your Google Cloud Storage buckets are not configured with admin permissions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Storage console available at https://console.cloud.google.com/storage.

04 In the left navigation panel, select Buckets to access the list with all the Cloud Storage buckets created for the selected GCP project.

05 Click on the name (link) of the storage bucket that you want to configure, listed in the Name column.

06 Select the PERMISSIONS tab to access the permissions (i.e., IAM policy) defined for the selected bucket.

07 In the Permissions section, select the VIEW BY PRINCIPALS tab to display the principals (members) that have access to the selected resource.

08 Choose the principal with admin privileges that you want to configure and click on the Edit principal button (i.e., pencil icon) to modify the member permissions. The panel with the principal permissions opens.

09 In the Assign roles section, perform the following actions:

  1. Identify the administrator-based roles (i.e., *Admin, *admin, Editor, and Owner) assigned to the selected principal and click on the Delete role button (i.e., bin icon) next to each admin role to remove the role binding.
  2. Choose ADD ANOTHER ROLE and select an IAM role that follows the Principle of Least Privilege (POLP) from the Select a role dropdown list to attach the appropriate role to the selected principal. Use the ADD ANOTHER ROLE button to add as many roles as needed, according to the access requirements of the selected identity.

10 Choose SAVE to apply the permission changes.

11 Repeat steps no. 5 – 10 for each storage bucket that you want to configure, created within the selected project.

12 Repeat steps no. 2 – 11 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run the storage buckets remove-iam-policy-binding command (Windows/macOS/Linux) with the name of the Cloud Storage bucket that you want to configure as the identifier parameter, to remove the administrator-based binding from the IAM policy associated with the selected bucket:

gcloud storage buckets remove-iam-policy-binding gs://cc-webdata-bucket \
    --member=user:username@domain.com \
    --role=roles/storage.admin

02 The command output should return the modified IAM policy:

bindings:
- members:
  - serviceAccount:123456789012@cloudservices.gserviceaccount.com
  - user:username@domain.com
  role: roles/editor
- members:
  - user:username@domain.com
  role: roles/owner
- members:
  - group:cloud-storage-analytics@google.com
  role: roles/storage.objectCreator
etag: ABCD
kind: storage#policy
resourceId: projects/_/buckets/cc-webdata-bucket
version: 1

03 Run the storage buckets add-iam-policy-binding command (Windows/macOS/Linux) with the name of the Cloud Storage bucket that you want to configure as the identifier parameter, to add a new binding to the IAM policy associated with the selected bucket. Use the --role parameter to specify the IAM role required by the selected principal, chosen according to the Principle of Least Privilege (POLP). As an example, the following command assigns the Storage Object Viewer role (i.e., roles/storage.objectViewer) to the specified principal:

gcloud storage buckets add-iam-policy-binding gs://cc-webdata-bucket \
    --member=user:username@domain.com \
    --role=roles/storage.objectViewer

04 The command output should return the modified IAM policy:

bindings:
- members:
  - serviceAccount:123456789012@cloudservices.gserviceaccount.com
  - user:username@domain.com
  role: roles/editor
- members:
  - user:username@domain.com
  role: roles/owner
- members:
  - group:cloud-storage-analytics@google.com
  role: roles/storage.objectCreator
- members:
  - user:username@domain.com
  role: roles/storage.objectViewer
etag: ABCD
kind: storage#policy
resourceId: projects/_/buckets/cc-webdata-bucket
version: 1

05 Repeat steps no. 1 – 4 for each storage bucket that you want to configure, available in the selected project.

06 Repeat steps no. 1 – 5 for each project created within your Google Cloud account.
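The following script is an added example, not Conformity's own tooling, that strings together the CLI Audit steps (projects list, buckets list, get-iam-policy, role check) and the CLI Remediation steps (remove-iam-policy-binding followed by add-iam-policy-binding) from the two sections above. The sample policy is constructed from the example output shown on this page; the function names find_admin_bindings, count_admin_bindings, remediation_commands and audit_all_projects, the LIVE_AUDIT and DRY_RUN environment variables, and the choice of roles/storage.objectViewer as the least-privilege replacement role are all assumptions of this example. The live audit assumes an installed and authenticated gcloud.

```shell
#!/bin/sh
# Added example (not Conformity's tooling). Audits every bucket in every
# project for roles/owner, roles/editor and *admin bindings and prints (or,
# with DRY_RUN=0, runs) the remove/add commands that replace each one.
# Assumption: roles/storage.objectViewer is the least-privilege replacement;
# adjust it to what each principal really needs before applying changes.

# Constructed sample in the shape that
#   gcloud storage buckets get-iam-policy gs://<bucket> --format="default(bindings)"
# prints; taken from the example output on this page.
SAMPLE_POLICY='bindings:
- members:
  - serviceAccount:123456789012@cloudservices.gserviceaccount.com
  - user:username@domain.com
  role: roles/editor
- members:
  - user:username@domain.com
  role: roles/owner
- members:
  - user:username@domain.com
  role: roles/storage.admin
- members:
  - group:cloud-storage-analytics@google.com
  role: roles/storage.objectCreator'

# Reads policy YAML on stdin; prints "role<TAB>member" for every binding whose
# role is roles/owner, roles/editor, or any role containing "admin"/"Admin".
find_admin_bindings() {
  awk '
    /^[[:space:]]*- members:/ { n = 0; next }   # start of a new binding
    /^[[:space:]]*- /        { sub(/^[[:space:]]*- /, ""); m[n++] = $0; next }
    /^[[:space:]]*role:/ {
      r = $2
      if (r == "roles/owner" || r == "roles/editor" || r ~ /[Aa]dmin/)
        for (i = 0; i < n; i++) printf "%s\t%s\n", r, m[i]
      n = 0
    }'
}

# Number of admin bindings in the policy read from stdin.
count_admin_bindings() {
  find_admin_bindings | awk 'END { print NR }'
}

# Prints the two gcloud commands that swap an admin binding for a
# least-privilege one (the Remediation section's remove/add steps).
remediation_commands() {
  bucket=$1; member=$2; role=$3; replacement=${4:-roles/storage.objectViewer}
  printf 'gcloud storage buckets remove-iam-policy-binding gs://%s --member=%s --role=%s\n' \
    "$bucket" "$member" "$role"
  printf 'gcloud storage buckets add-iam-policy-binding gs://%s --member=%s --role=%s\n' \
    "$bucket" "$member" "$replacement"
}

# Live audit over every project and bucket (Audit steps 1-8); DRY_RUN=1 (the
# default) only prints the remediation commands, DRY_RUN=0 executes them.
audit_all_projects() {
  gcloud projects list --format="value(projectId)" | while read -r project; do
    gcloud storage buckets list --project "$project" --format="value(name)" |
    while read -r bucket; do
      gcloud storage buckets get-iam-policy "gs://$bucket" --format="default(bindings)" |
      find_admin_bindings | while IFS="$(printf '\t')" read -r role member; do
        echo "FINDING: $project gs://$bucket $member has $role"
        remediation_commands "$bucket" "$member" "$role" | while read -r cmd; do
          if [ "${DRY_RUN:-1}" = 1 ]; then echo "  $cmd"; else eval "$cmd"; fi
        done
      done
    done
  done
}

# Stand-alone demo on the constructed sample; set LIVE_AUDIT=1 to run against
# the real account (and DRY_RUN=0 to apply the changes).
printf '%s\n' "$SAMPLE_POLICY" | find_admin_bindings
if [ "${LIVE_AUDIT:-0}" = 1 ]; then audit_all_projects; fi
```

Run on the sample, find_admin_bindings reports four admin bindings (two principals on roles/editor, one on roles/owner, one on roles/storage.admin) and ignores roles/storage.objectCreator. Note that get-iam-policy returns only the bindings set directly on the bucket, which is why the Console audit filters on "No inheritance": roles inherited from the project or folder are not listed here and have to be reviewed at that level.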

Publication date Dec 17, 2024