
Enforce Public Access Prevention

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)

Ensure that the Public Access Prevention feature is enabled for your Google Cloud Storage buckets in order to restrict public access to your buckets and objects, protecting your sensitive data from accidental or malicious public exposure.

Security

Public Access Prevention safeguards Google Cloud Storage buckets and objects from unintended public exposure via the internet. This feature restricts public access to data within specified buckets, preventing unauthorized individuals from viewing or accessing sensitive information. It can be applied to individual buckets or enforced organization-wide through policy constraints. While effective in protecting data, public access prevention disables web hosting capabilities for affected buckets.


Audit

To determine if Public Access Prevention is enabled for your Cloud Storage buckets, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Storage console available at https://console.cloud.google.com/storage.

04 In the left navigation panel, select Buckets to access the list with all the Cloud Storage buckets created for the selected GCP project.

05 Click on the name (link) of the storage bucket that you want to examine, listed in the Name column.

06 Select the CONFIGURATION tab to access the configuration settings available for the selected bucket.

07 In the Permissions section, check the Public access prevention configuration attribute value to determine the Public Access Prevention feature status. If Public access prevention is set to "Not enabled by org policy or bucket setting" or "Not enabled via bucket setting; org policy status unavailable", Public Access Prevention is not enabled for the selected Google Cloud Storage bucket.

08 If your storage bucket is contained within an organization, you can check the Public Access Prevention feature status by using the Enforce Public Access Prevention constraint policy. To check the constraint policy, click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that contains your bucket.

09 Navigate to Organization policies page available at https://console.cloud.google.com/iam-admin/orgpolicies to access the list with the constraint policies available for your GCP organization.

10 Click inside the Filter by constraint name, ID, or type filter box, select Name, type Enforce Public Access Prevention and press Enter to return the Enforce Public Access Prevention policy.

11 Click on the name (link) of the constraint policy returned at the previous step.

12 In the Effective policy section, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the Enforce Public Access Prevention constraint policy is not enforced within your Google Cloud organization. Therefore, Public Access Prevention is not enabled for your Cloud Storage bucket.

13 Repeat steps no. 5 – 12 for each storage bucket available within the selected GCP project.

14 Repeat steps no. 2 – 13 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run the storage buckets list command (Windows/macOS/Linux) with custom output filters to list the name of each storage bucket created for the specified GCP project:

gcloud storage buckets list \
	--project cc-project5-123123 \
	--format="value(name)"

04 The command output should return the requested bucket names:

cc-webdata-bucket
cc-dataproc-bucket
cc-cloud-ai-bucket

05 Run the storage buckets describe command (Windows/macOS/Linux) with the name of the Cloud Storage bucket that you want to examine as the identifier parameter and custom output filters to determine the Public Access Prevention feature status at the bucket level:

gcloud storage buckets describe gs://cc-webdata-bucket \
	--format="value(public_access_prevention)"

06 The command output should return the requested feature status:

inherited

If the storage buckets describe command output does not return enforced, Public Access Prevention is not enabled for the selected Google Cloud Storage bucket.

07 If your storage bucket is contained within an organization, you can check the Public Access Prevention feature status by using the organization policy constraint named storage.publicAccessPrevention. Run the organizations list command (Windows/macOS/Linux) with custom output filters to list the ID of each organization available within your Google Cloud account:

gcloud organizations list \
	--format="value(name)"

08 The command output should return the requested organization identifiers (IDs):

112233441122
123412341234

09 Run the resource-manager org-policies describe command (Windows/macOS/Linux) with the ID of the GCP organization that contains your bucket as the identifier parameter, to describe the effective enforcement configuration of the Enforce Public Access Prevention constraint policy for the selected organization:

gcloud beta resource-manager org-policies describe constraints/storage.publicAccessPrevention \
	--effective \
	--organization=112233441122 \
	--format="default(booleanPolicy)"

10 The command output should return the requested enforcement configuration information:

booleanPolicy: {}

If the resource-manager org-policies describe command output returns an empty object for the booleanPolicy configuration attribute, as shown in the example above, the Enforce Public Access Prevention constraint policy is not enforced for the selected Google Cloud organization. Therefore, Public Access Prevention is not enabled for your Cloud Storage bucket.

11 Repeat steps no. 5 – 10 for each storage bucket created for the selected GCP project.

12 Repeat steps no. 3 – 11 for each GCP project available within your Google Cloud account.
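The audit above reads two signals per bucket: the bucket-level public_access_prevention value and, when the value is "inherited", the effective storage.publicAccessPrevention constraint above the bucket. The following POSIX shell script is an added example, not part of the Conformity article or of Google's tooling, that combines both into one verdict per bucket; the pap_verdict function needs no cloud access, and audit_all_buckets assumes an authenticated gcloud and resolves the effective policy per project instead of per organization ID.

```shell
#!/bin/sh
# Added example (not part of the Conformity article or Google's tooling): turn
# the two audit signals above into one verdict per bucket. Assumes gcloud is
# installed and authenticated; pap_verdict itself needs no gcloud access.
#
# $1 = value(public_access_prevention) from "gcloud storage buckets describe"
# $2 = effective policy text from "gcloud beta resource-manager org-policies
#      describe constraints/storage.publicAccessPrevention --effective"
#      (pass "" for a bucket that is not inside an organization)
pap_verdict() {
  bucket_value="$1"
  org_policy="$2"
  case "$bucket_value" in
    enforced)
      # The bucket-level setting protects the bucket on its own.
      echo "ENFORCED (bucket setting)" ;;
    inherited)
      # "inherited" protects the bucket only when the constraint is enforced
      # above it; an empty "booleanPolicy: {}" means it is not.
      if printf '%s\n' "$org_policy" | grep -q 'enforced: true'; then
        echo "ENFORCED (org policy)"
      else
        echo "NOT_ENABLED"
      fi ;;
    *)
      # Unset or unexpected value: report it as a finding.
      echo "NOT_ENABLED" ;;
  esac
}

# Walk every project and bucket (audit steps 01-10). Instead of looking up the
# organization ID, the effective policy is resolved per project, which already
# folds in any organization- or folder-level enforcement.
audit_all_buckets() {
  for project in $(gcloud projects list --format="value(projectId)"); do
    org_policy=$(gcloud beta resource-manager org-policies describe \
      constraints/storage.publicAccessPrevention --effective \
      --project "$project" --format="default(booleanPolicy)" 2>/dev/null)
    for bucket in $(gcloud storage buckets list --project "$project" \
        --format="value(name)"); do
      bucket_value=$(gcloud storage buckets describe "gs://$bucket" \
        --format="value(public_access_prevention)")
      printf '%s %s %s\n' "$project" "$bucket" "$(pap_verdict "$bucket_value" "$org_policy")"
    done
  done
}

# Only call the APIs when explicitly asked: ./pap_audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_all_buckets; fi
```

Any line ending in NOT_ENABLED is a bucket that fails this check and should be remediated as described below.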

Remediation / Resolution

To ensure that the Public Access Prevention feature is enabled for your Google Cloud Storage buckets in order to restrict data from being publicly accessible via the Internet, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Storage console available at https://console.cloud.google.com/storage.

04 In the left navigation panel, select Buckets to access the list with all the Cloud Storage buckets created for the selected GCP project.

05 Click on the name (link) of the storage bucket that you want to configure, listed in the Name column.

06 Select the PERMISSIONS tab to access the permissions settings available for the selected bucket.

07 In the Public access section, choose PREVENT PUBLIC ACCESS to enforce public access prevention for the selected storage bucket. Inside the Prevent public access to this bucket? box, choose CONFIRM to apply the changes. Once enabled, the Public Access Prevention feature overrides access granted to allUsers and allAuthenticatedUsers at both the bucket and object levels, restricts public sharing of existing and future bucket resources, and does not impact individual user permissions.

08 If your storage bucket is contained within an organization, you can enforce the Public Access Prevention feature by using the Enforce Public Access Prevention constraint policy. To enable the constraint policy, click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that contains your bucket.

09 Navigate to Organization policies page available at https://console.cloud.google.com/iam-admin/orgpolicies to access the list with the constraint policies available for your GCP organization.

10 Click inside the Filter by constraint name, ID, or type filter box, select Name, type Enforce Public Access Prevention and press Enter to return the Enforce Public Access Prevention policy.

11 Click on the name (link) of the constraint policy returned at the previous step, choose EDIT, and perform the following actions:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. Under Enforcement, select On to enforce the storage.publicAccessPrevention constraint policy. This policy enables public access prevention at the organization level.
  3. Choose SAVE to apply the changes and enforce the storage.publicAccessPrevention policy.

12 Repeat steps no. 5 – 11 for each storage bucket that you want to configure, created within the selected GCP project.

13 Repeat steps no. 2 – 12 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the storage buckets update command (Windows/macOS/Linux) with the name of the Cloud Storage bucket that you want to configure as the identifier parameter, to enforce the Public Access Prevention feature at the bucket level:

gcloud storage buckets update gs://cc-webdata-bucket \
	--public-access-prevention

02 The command output should return the bucket update status:

Updating gs://cc-webdata-bucket/...
Completed 1

03 If your storage bucket is contained within an organization, you can enforce the Public Access Prevention feature by using the storage.publicAccessPrevention constraint policy. Run the resource-manager org-policies enable-enforce command (Windows/macOS/Linux) with the ID of the Google Cloud Platform (GCP) organization that you want to configure as the identifier parameter, to enable the Enforce Public Access Prevention (i.e., storage.publicAccessPrevention) constraint policy for the selected organization:

gcloud beta resource-manager org-policies enable-enforce constraints/storage.publicAccessPrevention \
	--organization=112233441122

04 The command output should return the configuration information available for the enforced policy:

booleanPolicy:
  enforced: true
constraint: constraints/storage.publicAccessPrevention
etag: abcdabcdabcd
updateTime: '2024-11-12T15:00:00.000Z'

05 Repeat steps no. 1 – 4 for each storage bucket that you want to configure, available in the selected GCP project.

06 Repeat steps no. 1 – 5 for each GCP project created within your Google Cloud account.


Publication date Dec 17, 2024