Secure CORS Configuration

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Cross-Origin Resource Sharing (CORS) configuration set for your Google Cloud Storage buckets only allows trusted origins, in order to prevent unauthorized data access from web applications. The trusted, authorized origins must be configured in the conformity rule settings, in your Trend Cloud One™ – Conformity account.

Security

To prevent unauthorized access and protect sensitive data, ensure that the Cross-Origin Resource Sharing (CORS) configuration for your Google Cloud Storage buckets only allows trusted origins. Restricting the allowed origins limits which web applications can interact with your bucket resources via cross-origin requests, reducing the risk of data exfiltration or other malicious exploitation.


Audit

To determine if the CORS configuration for your Cloud Storage buckets is compliant, perform the following operations:

Getting the CORS configuration for Cloud Storage buckets is not currently supported by the Google Cloud Platform (GCP) console.

Using GCP CLI

01 Sign in to your Trend Cloud One™ account, access Secure CORS Configuration conformity rule settings, and identify the trusted origin(s) configured for Cross-Origin Resource Sharing (CORS).

02 Run the projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

03 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

04 Run the storage buckets list command (Windows/macOS/Linux) with custom output filters to list the identifier (name) of each storage bucket created for the specified GCP project:

gcloud storage buckets list \
	--project cc-project5-123123 \
	--format="value(name)"

05 The command output should return the requested bucket names:

cc-webdata-bucket
cc-dataproc-bucket
cc-cloud-ai-bucket

06 Run the storage buckets describe command (Windows/macOS/Linux) with the name of the Cloud Storage bucket that you want to examine as the identifier parameter and custom output filters to describe the Cross-Origin Resource Sharing (CORS) configuration available for the selected bucket:

gcloud storage buckets describe gs://cc-webdata-bucket \
	--format="yaml(cors_config[].origin)"

07 The command output should return the originating domain configured for CORS:

cors_config:
- origin:
	- https://domain.appspot.com

If the storage buckets describe command output returns null, there is no Cross-Origin Resource Sharing (CORS) configuration available for the selected bucket. If the command output returns one or more originating domains, as shown in the example above, compare each of them to the trusted origin domains identified in step 1. If an originating domain is not listed in the conformity rule settings, the CORS configuration set for the selected Google Cloud Storage bucket is not secure and the bucket is not compliant.

08 Repeat steps no. 6 and 7 for each storage bucket created for the selected GCP project.

09 Repeat steps no. 3 – 8 for each GCP project available within your Google Cloud account.
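The audit steps above can be run as one loop. The following POSIX shell script is an added example, not Conformity's own tooling: it walks every project and bucket with the same gcloud commands as steps 2 to 6, parses the `yaml(cors_config[].origin)` output, and compares every origin to an allowlist. The TRUSTED_ORIGINS value is a constructed stand-in for the origins configured in the conformity rule settings, and the bucket names are placeholders; an authenticated gcloud CLI is assumed.

```shell
#!/bin/sh
# Added example (not Conformity's own tooling): audit the CORS origins of every
# Cloud Storage bucket in every project against a trusted-origin allowlist.
# Assumes an authenticated gcloud CLI; TRUSTED_ORIGINS is a constructed
# stand-in for the origins configured in the conformity rule settings.

TRUSTED_ORIGINS="https://trusted-domain.appspot.com https://app.example.com"

# is_trusted ORIGIN -> 0 if ORIGIN matches an allowlist entry exactly.
# Exact matching means "*" or a pattern origin is never trusted by accident.
is_trusted() {
  for t in $TRUSTED_ORIGINS; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# check_origins ORIGIN... -> prints every untrusted origin; returns 0 only if
# all given origins are on the allowlist.
check_origins() {
  rc=0
  for o in "$@"; do
    if ! is_trusted "$o"; then
      echo "untrusted origin: $o"
      rc=1
    fi
  done
  return $rc
}

# extract_origins: read the output of
#   gcloud storage buckets describe gs://BUCKET --format="yaml(cors_config[].origin)"
# on stdin and print one origin per line. Handles several CORS entries and
# YAML-quoted values such as '*'; prints nothing for a null configuration.
extract_origins() {
  sed -n 's/^[[:space:]]*- *//p' | grep -v '^origin:' | sed "s/^['\"]//; s/['\"]$//"
}

# audit_bucket gs://BUCKET -> 0 if the bucket has no CORS configuration or
# only trusted origins, 1 if any origin is outside the allowlist.
audit_bucket() {
  bucket="$1"
  origins=$(gcloud storage buckets describe "$bucket" \
              --format="yaml(cors_config[].origin)" | extract_origins)
  if [ -z "$origins" ]; then
    echo "$bucket: no CORS configuration"
    return 0
  fi
  set -f                       # a "*" origin must not be expanded as a glob
  # shellcheck disable=SC2086   # splitting on newlines is intended here
  if check_origins $origins; then
    set +f; echo "$bucket: COMPLIANT"; return 0
  else
    set +f; echo "$bucket: NON-COMPLIANT"; return 1
  fi
}

# audit_all: steps 2 to 9 of the audit procedure in one loop; returns 1 if
# any bucket in any project is non-compliant.
audit_all() {
  failed=0
  for project in $(gcloud projects list --format="value(projectId)"); do
    for bucket in $(gcloud storage buckets list --project "$project" \
                      --format="value(name)"); do
      audit_bucket "gs://$bucket" || failed=1
    done
  done
  return $failed
}

# Run with: sh audit_cors.sh --run   (the guard keeps sourcing side-effect free)
if [ "${1:-}" = "--run" ]; then
  audit_all
fi
```

The comparison is an exact string match on purpose: a wildcard origin ("*") or a scheme-less entry only passes if someone deliberately adds it to the allowlist, so a permissive bucket always surfaces as NON-COMPLIANT. The script's exit status is non-zero when any bucket fails, which makes it usable as a scheduled check.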

Remediation / Resolution

To ensure that Cross-Origin Resource Sharing (CORS) configuration for your Google Cloud Storage buckets is compliant, perform the following operations:

Configuring CORS for Cloud Storage buckets is not currently supported by the Google Cloud Platform (GCP) console.

Using GCP CLI

01 Define the CORS configuration for your storage bucket and save the configuration document to a JSON file named cc-cors-config.json. This document should contain CORS configuration information, such as HTTP methods and authorized originating domains (as configured in the conformity rule settings), that identify the types of requests the bucket can accept:

[
	{
		"origin": ["https://trusted-domain.appspot.com"],
		"method": ["GET"],
		"responseHeader": ["Content-Type"],
		"maxAgeSeconds": 3600
	}
]

02 Run the storage buckets update command (Windows/macOS/Linux) to set a secure, compliant Cross-Origin Resource Sharing (CORS) configuration for your Google Cloud Storage bucket. Use the --cors-file parameter to specify the CORS configuration defined at the previous step (i.e., the cc-cors-config.json file):

gcloud storage buckets update gs://cc-webdata-bucket \
	--cors-file=cc-cors-config.json

03 The command output should return the bucket update status:

Updating gs://cc-webdata-bucket/...
Completed 1

04 (Optional) To remove the Cross-Origin Resource Sharing (CORS) configuration from your storage bucket, run the storage buckets update command (Windows/macOS/Linux) with the --clear-cors parameter:

gcloud storage buckets update gs://cc-webdata-bucket \
	--clear-cors

05 The command output should return the bucket update status:

Updating gs://cc-webdata-bucket/...
Completed 1

06 Repeat steps no. 1 – 3 for each storage bucket that you want to configure, available in the selected GCP project.

07 Repeat steps no. 1 – 6 for each GCP project created within your Google Cloud account.
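The remediation steps above can be automated so that the JSON document is generated from the trusted-origin list rather than written by hand. The following POSIX shell script is an added example, not Conformity's own tooling: cors_json builds the same one-entry document shown in step 1 for the origins it is given and refuses a wildcard or non-https origin before anything is written, and apply_cors saves it as cc-cors-config.json and runs the storage buckets update command from step 2. The bucket and origin values are constructed placeholders; an authenticated gcloud CLI is assumed.

```shell
#!/bin/sh
# Added example (not Conformity's own tooling): generate a restrictive CORS
# document from an origin list and apply it with gcloud storage buckets update.
# Assumes an authenticated gcloud CLI; bucket and origin values are constructed.

# cors_json ORIGIN... -> print a one-entry CORS document (GET only, 1 h cache)
# for the given origins. Fails, writing nothing, if any origin contains "*"
# or is not an https: URL, so a permissive document never reaches a bucket.
cors_json() {
  [ $# -gt 0 ] || { echo "cors_json: need at least one origin" >&2; return 1; }
  list=""
  for o in "$@"; do
    case "$o" in
      *\**)      echo "cors_json: refusing wildcard origin '$o'" >&2; return 1 ;;
      https://*) ;;
      *)         echo "cors_json: refusing non-https origin '$o'" >&2; return 1 ;;
    esac
    list="${list:+$list, }\"$o\""   # build the JSON string array body
  done
  printf '[\n  {\n    "origin": [%s],\n    "method": ["GET"],\n    "responseHeader": ["Content-Type"],\n    "maxAgeSeconds": 3600\n  }\n]\n' "$list"
}

# apply_cors gs://BUCKET ORIGIN... -> write cc-cors-config.json and set it on
# the bucket (remediation steps 1 and 2). Returns non-zero without touching the
# bucket if the origin list is rejected.
apply_cors() {
  bucket="$1"; shift
  cors_json "$@" > cc-cors-config.json || { rm -f cc-cors-config.json; return 1; }
  gcloud storage buckets update "$bucket" --cors-file=cc-cors-config.json
}

# Run with: sh set_cors.sh --apply gs://cc-webdata-bucket https://trusted-domain.appspot.com
if [ "${1:-}" = "--apply" ]; then
  shift
  apply_cors "$@"
fi
```

Keeping the method list at GET and the response headers at Content-Type mirrors the document in step 1; widen either only when the web application actually needs it, since every additional method or origin enlarges what a cross-origin page can do with the bucket.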

Publication date Dec 17, 2024