Enable Uniform Bucket-Level Access for Cloud Storage Buckets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudStorage-002

Ensure that uniform bucket-level access is enabled for all your Google Cloud Storage buckets. With this level of access, object access is controlled entirely through bucket-level permissions (IAM) to ensure uniform access to all the objects within a storage bucket.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Google Cloud Storage provides two systems for granting users permission to access your storage buckets and objects: Identity and Access Management (IAM) and Access Control Lists (ACLs). These systems function in parallel, and for a user to access a Cloud Storage resource, only one of them needs to grant the permission. IAM is used throughout Google Cloud Platform (GCP) and lets you grant a variety of permissions at the project and bucket level (uniform). ACLs are used only by Cloud Storage and offer limited permission options, but they let you grant permissions on a per-object basis (fine-grained). Enabling the uniform bucket-level access feature disables ACLs for all Cloud Storage resources (buckets and objects), so that access is granted exclusively through IAM. The feature also unifies and simplifies how you grant access to your Cloud Storage resources. By default, Google Cloud Storage buckets do not have uniform bucket-level access enabled.

Note: If you enable uniform bucket-level access, you revoke access from users who get their access exclusively through object ACLs. Certain Google Cloud Platform (GCP) services, such as Cloud Audit Logs and Datastore, cannot export to Cloud Storage buckets that have uniform bucket-level access enabled.


Audit

To determine the type of access control configured for your Google Cloud Storage buckets, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Storage dashboard at https://console.cloud.google.com/storage.

04 In the navigation panel, select Browser to access the list with all the Cloud Storage buckets created for the selected project.

05 Click on the name of the storage bucket that you want to examine.

06 Select the Overview tab to view the configuration details available for the selected bucket.

07 On the Overview panel, check the Access control configuration attribute value. If the value is anything other than Uniform, uniform bucket-level access is not enabled for the selected Google Cloud Storage bucket.

08 Repeat steps no. 5 – 7 for each storage bucket available within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with a custom output format to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list \
    --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-112233
cc-mobile-project-111222

03 Run the gsutil ls command (gsutil Python tool) to list the identifier of each storage bucket created in the specified GCP project:

gsutil ls -p cc-web-project-112233

04 The command output should return the requested storage resource name(s):

gs://cc-webdata-bucket/
gs://cc-web-project-112233.appspot.com/

05 Run the gsutil uniformbucketlevelaccess get command (gsutil tool), passing the name of the Cloud Storage bucket that you want to examine as the identifier parameter, to describe the uniform bucket-level access configuration status for the selected bucket:

gsutil uniformbucketlevelaccess get gs://cc-webdata-bucket/

06 The command output should return the requested feature status:

Uniform bucket-level access setting for gs://cc-webdata-bucket:
Enabled: False

If the feature configuration status returned by the gsutil uniformbucketlevelaccess get command output is Enabled: False, as shown in the example above, the uniform bucket-level access is not enabled for the selected Google Cloud Storage bucket.

07 Repeat steps no. 5 and 6 for each storage bucket created in the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.
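The CLI audit steps above, scripted end to end as an added example that is not part of the Conformity page. It assumes an authenticated gcloud CLI and gsutil for the live audit; the parser that classifies the gsutil output is exercised offline against constructed sample output.

```shell
#!/bin/sh
# Added audit helper (not from the Conformity page): walks every project and
# bucket and reports buckets whose uniform bucket-level access is disabled.
# Assumes an authenticated gcloud CLI and gsutil; offline, only the parser runs.

# Classify the text printed by `gsutil uniformbucketlevelaccess get`.
# Prints COMPLIANT when "Enabled: True" is present, NON_COMPLIANT when
# "Enabled: False" is present, and UNKNOWN for anything else (e.g. an
# AccessDenied error), so an unreadable bucket is never counted as compliant.
ubla_verdict() {
  if printf '%s\n' "$1" | grep -q '^[[:space:]]*Enabled:[[:space:]]*True'; then
    echo COMPLIANT
  elif printf '%s\n' "$1" | grep -q '^[[:space:]]*Enabled:[[:space:]]*False'; then
    echo NON_COMPLIANT
  else
    echo UNKNOWN
  fi
}

# Audit one bucket (gs://name/) by querying gsutil, as in audit step 05.
audit_bucket() {
  out=$(gsutil uniformbucketlevelaccess get "$1" 2>&1)
  printf '%s\t%s\n' "$1" "$(ubla_verdict "$out")"
}

# Audit every bucket in every project the caller can list (steps 01 to 08).
audit_all_projects() {
  gcloud projects list --format="value(projectId)" | while read -r project; do
    gsutil ls -p "$project" 2>/dev/null | while read -r bucket; do
      audit_bucket "$bucket"
    done
  done
}

# Constructed sample outputs mirroring the page's example bucket. The
# LockedTime value is constructed; gsutil prints that line once the feature
# is enabled, marking when the setting can no longer be reverted.
SAMPLE_DISABLED='Uniform bucket-level access setting for gs://cc-webdata-bucket:
Enabled: False'
SAMPLE_ENABLED='Uniform bucket-level access setting for gs://cc-webdata-bucket:
  Enabled: True
  LockedTime: 2021-07-11 09:00:00+00:00'

ubla_verdict "$SAMPLE_DISABLED"   # NON_COMPLIANT
ubla_verdict "$SAMPLE_ENABLED"    # COMPLIANT
# Live audit: audit_all_projects
```

Pipe the live run through `audit_all_projects | awk '$2 != "COMPLIANT"'` to list only the buckets that still need remediation or could not be read.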

Remediation / Resolution

To ensure uniform access to all the objects available within your Google Cloud Storage buckets, enable the uniform bucket-level access feature by performing the following actions:

Note: After enabling the feature, you have 90 days to switch back to fine-grained access control if you still need to configure access to individual objects.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Storage dashboard at https://console.cloud.google.com/storage.

04 In the navigation panel, select Browser to access the list with all the Cloud Storage buckets provisioned for the selected project.

05 Click on the name of the storage bucket that you want to reconfigure.

06 Select the Permissions tab to access the permissions available for the selected bucket.

07 On the Permissions panel, click on the Edit button inside the box with the following description: "This bucket uses fine-grained access control, allowing you to specify access to individual objects. To control access uniformly at the bucket level, switch to uniform access control", to enter the edit access control mode.

08 Inside the Edit access control configuration box, perform the following:

  1. Select Uniform to enable uniform access to all objects available in the selected bucket by using only bucket-level permissions (IAM).
  2. Select the Add project role ACLs to the bucket IAM policy checkbox to ensure that the users who rely on project owner, editor, and viewer roles can still access the bucket's objects.
  3. Click SAVE to apply the changes and enable uniform bucket-level access for the selected Google Cloud Storage bucket.

09 Repeat steps no. 5 – 8 to enable uniform access for the other buckets available within the selected project.

10 Repeat steps no. 2 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run the gsutil uniformbucketlevelaccess set on command (gsutil Python tool), passing the name of the Cloud Storage bucket that you want to reconfigure as the identifier parameter, to enable the uniform bucket-level access feature for the selected bucket:

gsutil uniformbucketlevelaccess set on gs://cc-webdata-bucket/

02 The command output should confirm the gsutil uniformbucketlevelaccess set on request:

Enabling Uniform bucket-level access for gs://cc-webdata-bucket...

03 Repeat steps no. 1 and 2 to enable uniform access for the other buckets available in the selected project.

04 Repeat steps no. 1 – 3 for each project created within your Google Cloud account.

Publication date: Apr 12, 2021