Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Enforce Public Access Prevention

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (act today)
Rule ID: CloudStorage-011

Ensure that Public Access Prevention feature is enabled for your Google Cloud Storage buckets in order to restrict public access to your buckets and objects, protecting your sensitive data from accidental or malicious public exposure.

Security

Public Access Prevention safeguards Google Cloud Storage buckets and objects from unintended public exposure via the internet. This feature restricts public access to data within specified buckets, preventing unauthorized individuals from viewing or accessing sensitive information. It can be applied to individual buckets or enforced organization-wide through policy constraints. While effective in protecting data, public access prevention disables web hosting capabilities for affected buckets.

Audit

To determine if Public Access Prevention is enabled for your Cloud Storage buckets, perform the following operations:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

  3. Navigate to Cloud Storage console available at https://console.cloud.google.com/storage.

  4. In the left navigation panel, select Buckets to access the list with all the Cloud Storage buckets created for the selected GCP project.

  5. Click on the name (link) of the storage bucket that you want to examine, listed in the Name column.

  6. Select the CONFIGURATION tab to access the configuration settings available for selected bucket.

  7. In the Permissions section, check the Public access prevention configuration attribute value to determine the Public Access Prevention feature status. If Public access prevention is set to Not enabled by org policy or bucket setting or Not enabled via bucket setting; org policy status unavailable, Public Access Prevention is not enabled for the selected Google Cloud Storage bucket.

  8. If your storage bucket is contained within an organization, you can check the Public Access Prevention feature status by using the Enforce Public Access Prevention constraint policy. To check the constraint policy, click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that contains your bucket.

  9. Navigate to Organization policies page available at https://console.cloud.google.com/iam-admin/orgpolicies to access the list with the constraint policies available for your GCP organization.

  10. Click inside the Filter by constraint name, ID, or type filter box, select Name, type Enforce Public Access Prevention and press Enter to return the Enforce Public Access Prevention policy.

  11. Click on the name (link) of the constraint policy returned at the previous step.

  12. In the Effective policy section, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the Enforce Public Access Prevention constraint policy is not enforced within your Google Cloud organization. Therefore, Public Access Prevention is not enabled for your Cloud Storage bucket.

  13. Repeat steps no. 5 – 12 for each storage bucket available within the selected GCP project.

  14. Repeat steps no. 2 – 13 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

  1. Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

    gcloud projects list
	--format="value(projectId)"

  2. The command output should return the requested GCP project identifiers (IDs):

    cc-project5-123123
cc-ai-project-123123

  3. Run storage buckets list command (Windows/macOS/Linux) with custom output filters to describe the identifier (name) of each storage bucket created for the specified GCP project:

    gcloud storage buckets list
	--project cc-project5-123123
	--format="value(name)"

  4. The command output should return the requested bucket names:

    cc-webdata-bucket
cc-dataproc-bucket
cc-cloud-ai-bucket

  5. Run storage buckets describe command (Windows/macOS/Linux) with the name of the Cloud Storage bucket that you want to examine as the identifier parameter and custom output filters to determine the Public Access Prevention feature status available at the bucket level:

    gcloud storage buckets describe gs://cc-webdata-bucket
	--format="value(public_access_prevention)"

  6. The command output should return the requested feature status:

    inherited

    If the storage buckets describe command output does not return enforced, Public Access Prevention is not enabled for the selected Google Cloud Storage bucket.

  7. If your storage bucket is contained within an organization, you can check the Public Access Prevention feature status by using the organization policy constraint named storage.publicAccessPrevention. Run organizations list command (Windows/macOS/Linux) with custom output filters to list the ID of each organization available within your Google Cloud account:

    gcloud organizations list
	--format="value(name)"

  8. The command output should return the requested organization identifiers (IDs):

    112233441122
123412341234

  9. Run resource-manager org-policies describe command (Windows/macOS/Linux) with the ID of the GCP organization that contains your bucket as the identifier parameter, to describe the enforcement configuration of the Enforce Public Access Prevention constraint policy, available for the selected organization:

    gcloud beta resource-manager org-policies describe constraints/storage.publicAccessPrevention
	--effective
	--organization=112233441122
	--format="default(booleanPolicy)"

  10. The command request should return the requested enforcement configuration information:

    booleanPolicy: {}

    If the resource-manager org-policies describe command output returns an empty object for the booleanPolicy configuration attribute, as shown in the example above, the Enforce Public Access Prevention constraint policy is not enforced for the selected Google Cloud organization. Therefore, Public Access Prevention is not enabled for your Cloud Storage bucket.

  11. Repeat steps no. 5 - 10 for each storage bucket created for the selected GCP project.

  12. Repeat steps no. 3 – 11 for each GCP project available within your Google Cloud account.

Remediation / Resolution

To ensure that the Public Access Prevention feature is enabled for your Google Cloud Storage buckets in order to restrict data from being publicly accessible via the Internet, perform the following operations:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

  3. Navigate to Cloud Storage console available at https://console.cloud.google.com/storage.

  4. In the left navigation panel, select Buckets to access the list with all the Cloud Storage buckets created for the selected GCP project.

  5. Click on the name (link) of the storage bucket that you want to configure, listed in the Name column.

  6. Select the PERMISSION tab to access the Permissions settings available for selected bucket.

  7. In the Public access section, choose PREVENT PUBLIC ACCESS to enforce public access prevention for the selected storage bucket. Inside the Prevent public access to this bucket? box, choose CONFIRM to apply the changes. Once enabled, the Public Access Prevention feature overrides access granted to allUsers and allAuthenticatedUsers at both the bucket and object levels, restricts public sharing of existing and future bucket resources, and does not impact individual user permissions.

  8. If your storage bucket is contained within an organization, you can enforce the Public Access Prevention feature by using the Enforce Public Access Prevention constraint policy. To enable the constraint policy, click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that contains your bucket.

  9. Navigate to Organization policies page available at https://console.cloud.google.com/iam-admin/orgpolicies to access the list with the constraint policies available for your GCP organization.

  10. Click inside the Filter by constraint name, ID, or type filter box, select Name, type Enforce Public Access Prevention and press Enter to return the Enforce Public Access Prevention policy.

  11. Click on the name (link) of the constraint policy returned at the previous step, choose EDIT, and perform the following actions:

    1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
    2. Under Enforcement, select On to enforce the storage.publicAccessPrevention constraint policy. This policy enables public access prevention at the organization level.
    3. Choose SAVE to apply the changes and enforce the storage.publicAccessPrevention policy.

  12. Repeat steps no. 5 – 11 for each storage bucket that you want to configure, created within the selected GCP project.

  13. Repeat steps no. 2 – 12 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

  1. Run storage buckets update command (Windows/macOS/Linux) with the name of the Cloud Storage bucket that you want to configure as the identifier parameter, to enforce the Public Access Prevention feature at the bucket level:

    gcloud storage buckets update gs://cc-webdata-bucket
	--public-access-prevention

  2. The command output should return the bucket update status:

    Updating gs://cc-webdata-bucket/...
Completed 1

  3. If your storage bucket is contained within an organization, you can enforce the Public Access Prevention feature by using the storage.publicAccessPrevention constraint policy. Run resource-manager org-policies enable-enforce command (Windows/macOS/Linux) with the ID of the Google Cloud Platform (GCP) organization that you want to configure as identifier parameter, to enable the Enforce Public Access Prevention (i.e., storage.publicAccessPrevention) constraint policy for the selected organization:

    gcloud beta resource-manager org-policies enable-enforce constraints/storage.publicAccessPrevention
	--organization=112233441122

  4. The command output should return the configuration information available for the enforced policy:

    booleanPolicy:
	enforced: true
constraint: constraints/storage.publicAccessPrevention
etag: abcdabcdabcd
updateTime: '2024-11-12T15:00:00.000Z'

  5. Repeat steps no. 1 - 4 for each storage bucket that you want to configure, available in the selected GCP project.

  6. Repeat steps no. 1 – 5 for each GCP project created within your Google Cloud account.

References

Publication date Dec 17, 2024

Related CloudStorage rules