GCP storage buckets are publicly accessible to all authenticated users
Description
Allowing anonymous or public access to a Cloud Storage bucket grants anyone permission to access the bucket's content. If you are storing sensitive data in the bucket, anonymous and public access may not be desired.
We recommend you ensure anonymous and public access to a bucket is not allowed.
Fix - Runtime
GCP Console
To change the policy using the GCP Console, follow these steps:
- Log in to the GCP Console at https://console.cloud.google.com.
- Navigate to Storage.
- Select the bucket name to open the Bucket details page.
- Click the Permissions tab.
- To remove a specific role assignment, click Delete next to the allUsers or allAuthenticatedUsers principal.
CLI Command
To remove access to allUsers and allAuthenticatedUsers, use the following commands:
gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME
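The same check can be automated before running those commands. The following is an added example (not part of the original policy page): it parses the JSON that `gsutil iam get gs://BUCKET_NAME` prints, lists every binding granted to allUsers or allAuthenticatedUsers, and builds the matching `gsutil iam ch -d` commands from the fix above. The sample policy embedded in the script is constructed for the example and does not describe a real bucket.

```python
import json

# Principals that make a bucket public (anonymous) or open to any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy):
    """Return [(role, member)] pairs in a bucket IAM policy that grant access
    to allUsers or allAuthenticatedUsers.

    `policy` is the dict produced by `gsutil iam get gs://BUCKET_NAME`
    (the same shape the JSON API's getIamPolicy returns)."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member))
    return findings


def remediation_commands(bucket, findings):
    """Build the runtime fix from the page: one `gsutil iam ch -d` per offending
    principal. `-d <member>` removes every role held by that member on the bucket."""
    members = sorted({member for _, member in findings})
    return [f"gsutil iam ch -d {m} gs://{bucket}" for m in members]


# Constructed sample policy (not from a real bucket), in the shape gsutil iam get prints.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["projectOwner:example-project"], "role": "roles/storage.legacyBucketOwner"},
    {"members": ["allUsers"], "role": "roles/storage.objectViewer"},
    {"members": ["allAuthenticatedUsers", "user:alice@example.com"], "role": "roles/storage.admin"}
  ],
  "etag": "CAE="
}
"""


def check_sample():
    """Run the check over the constructed sample policy."""
    return find_public_bindings(json.loads(SAMPLE_POLICY_JSON))


if __name__ == "__main__":
    findings = check_sample()
    for role, member in findings:
        print(f"FAIL: {member} is granted {role}")
    for cmd in remediation_commands("BUCKET_NAME", findings):
        print(cmd)
```

This inspects only the bucket-level IAM policy; individual objects can still be exposed through object ACLs unless uniform bucket-level access is enabled on the bucket.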
Fix - Buildtime
Terraform
- Resource: google_storage_bucket_iam_member
- Argument: member
- Resource: google_storage_bucket_iam_binding
- Field: members
Lines marked with - grant access to allUsers or allAuthenticatedUsers and must be removed:
//Option 1
resource "google_storage_bucket_iam_member" "member" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
-  member = "allUsers"
-  member = "allAuthenticatedUsers"
}
//Option 2
resource "google_storage_bucket_iam_binding" "binding" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  members = [
-    "allAuthenticatedUsers",
-    "allUsers"
  ]
}