Check for Publicly Accessible Cloud Storage Buckets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: CloudStorage-001

Ensure that the IAM policy associated with your Google Cloud Storage buckets restricts anonymous and/or public access. Cloud Storage buckets, like other GCP resources, have Cloud Identity and Access Management (IAM) policies that determine who can access the storage resources. To deny access from anonymous and public users, remove the bindings for the "allUsers" and "allAuthenticatedUsers" members from the storage bucket's IAM policy. "allUsers" is a special member identifier that represents any user on the Internet, including authenticated and unauthenticated users, while "allAuthenticatedUsers" is an identifier that represents any user or service account that can sign in to Google Cloud Platform (GCP) with a Google account.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Misconfigured access permissions are a common security vulnerability affecting Cloud Storage resources. Granting permissions to the "allUsers" and "allAuthenticatedUsers" members can allow anyone to access your bucket's content. To prevent sensitive data leaks and data loss, ensure that anonymous and/or public access to your Google Cloud Storage buckets is not allowed.

Note: If you enable uniform bucket-level access, you revoke access from users who get their access exclusively through object ACLs. Certain Google Cloud Platform (GCP) services, such as Cloud Audit Logs and Datastore, cannot export to Cloud Storage buckets that have uniform bucket-level access enabled.


Audit

To determine if there are any publicly accessible buckets available within your Google Cloud account, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Storage console available at https://console.cloud.google.com/storage.

04 In the navigation panel, select Buckets to access the list with all the Cloud Storage buckets created for the selected project.

05 Click on the name of the storage bucket that you want to examine, listed in the Name column.

06 Select the PERMISSIONS tab to access the permissions defined for selected bucket.

07 Select the VIEW BY PRINCIPALS tab and check the Principal column for any allUsers and allAuthenticatedUsers IAM principals. If the list contains one or more allUsers/allAuthenticatedUsers principals, the selected Google Cloud Storage bucket is publicly accessible. When your bucket is publicly accessible, the Cloud Storage console will also display the following message: Public to internet: This bucket is publicly accessible because allUsers or allAuthenticatedUsers have one or more permissions. Remove these principals to stop public access.

08 Repeat steps no. 5 – 7 for each storage bucket available within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-project5-123123
cc-web-project-112233
cc-mobile-project-111222

03 Run gsutil ls command (using gsutil Python tool) to list the identifier (name) of each storage bucket created for the specified GCP project:

gsutil ls -p cc-project5-123123

04 The command output should return the requested resource identifier(s):

gs://cc-webdata-bucket/
gs://cc-project5-123123.appspot.com/

05 Run gsutil iam get command (using gsutil tool) with the name of the Cloud Storage bucket that you want to examine as the identifier parameter, piping the returned IAM policy through a jq filter to list the names of the IAM member(s) associated with the selected bucket:

gsutil iam get gs://cc-webdata-bucket/ | jq '.bindings[].members[]'

06 The command output should return the name of the associated member(s):

"projectOwner:cc-project5-123123"
"allAuthenticatedUsers"
"allUsers"

If the list of IAM member names returned by the gsutil iam get command includes "allUsers" and/or "allAuthenticatedUsers", as shown in the example above, the selected Google Cloud Storage bucket is publicly accessible.

07 Repeat steps no. 5 and 6 for each storage bucket created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.

Remediation / Resolution

To remove "allUsers" and/or "allAuthenticatedUsers" IAM member bindings from the associated IAM policy in order to restrict anonymous and/or public access to your Google Cloud Storage buckets, perform the following operations:

Note: If you enable uniform bucket-level access and later want to configure access to individual objects, you have 90 days to switch back to fine-grained access control.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Storage console available at https://console.cloud.google.com/storage.

04 In the navigation panel, select Buckets to access the list with all the Cloud Storage buckets created for the selected project.

05 Click on the name of the storage bucket that you want to configure, listed in the Name column.

06 Select the PERMISSIONS tab to access the permissions defined for selected bucket.

07 Select the VIEW BY PRINCIPALS tab to display all IAM members (principals) that have access to the selected resource.

08 Select all the allUsers and allAuthenticatedUsers principals available and choose REMOVE ACCESS to initiate the removal action for the selected bindings.

09 On the removal confirmation box, choose CONFIRM to remove the allUsers and/or allAuthenticatedUsers principals.

10 You can also choose PREVENT PUBLIC ACCESS from the Public access section to revoke all public access to your bucket and its objects. Choose CONFIRM to apply the changes. This setting overrides public access on existing objects. Before enabling this setting, ensure that none of your workloads will be interrupted by this policy.

11 Repeat steps no. 5 – 10 for each storage bucket created within the selected project.

12 Repeat steps no. 2 – 11 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run gsutil iam ch -d command (using gsutil Python tool) using the name of the publicly accessible Cloud Storage bucket that you want to configure as the identifier parameter, to remove the allUsers binding from the IAM policy associated with the selected bucket (the command request does not produce an output):

gsutil iam ch -d allUsers gs://cc-webdata-bucket/

02 Run gsutil iam ch -d command (using gsutil tool) using the name of the publicly accessible storage bucket that you want to reconfigure as the identifier parameter, to remove the allAuthenticatedUsers member binding from the IAM policy associated with the selected bucket (the command does not return an output):

gsutil iam ch -d allAuthenticatedUsers gs://cc-webdata-bucket/

03 Repeat steps no. 1 and 2 for each anonymously or publicly accessible bucket available in the selected project.

04 Repeat steps no. 1 – 3 for each project created within your Google Cloud account.
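The audit (steps 05 and 06 of the CLI audit above) and the remediation (steps 01 and 02 of the CLI remediation) can be applied to the JSON policy that gsutil iam get prints. The following Python is an added example, not part of the Conformity rule or of Google's tooling: it flags bindings for allUsers/allAuthenticatedUsers in a policy and builds the policy with those principals removed. The bucket policy, project ID, user and etag below are constructed sample values.

```python
import json

# Principals whose bindings make a bucket public (the members this rule flags).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape `gsutil iam get gs://<bucket>/` prints:
# role bindings plus an etag. Project ID, user and etag are made up.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectEditor:cc-project5-123123", "projectOwner:cc-project5-123123"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/storage.legacyObjectReader",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "CAE="
}
"""


def public_bindings(policy):
    """Return (role, principal) pairs that grant access to a public principal.
    An empty list means the bucket passes this check."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_PRINCIPALS]


def remove_public_access(policy):
    """Return a copy of the policy with allUsers/allAuthenticatedUsers removed
    from every binding; bindings left without members are dropped entirely.
    Other fields (such as the etag) are kept for the read-modify-write cycle."""
    kept = []
    for b in policy.get("bindings", []):
        members = [m for m in b.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:
            kept.append({**b, "members": members})
    return {**policy, "bindings": kept}


def audit_sample():
    """Run detection and remediation on the embedded sample policy."""
    policy = json.loads(SAMPLE_POLICY_JSON)
    return public_bindings(policy), remove_public_access(policy)
```

In practice the input is the output of gsutil iam get for a real bucket, and the remediated policy is what the two gsutil iam ch -d commands above leave behind.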

Publication date Apr 12, 2021