Check for Publicly Accessible Cloud Storage Buckets

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (act today)

Ensure that the IAM policy associated with your Google Cloud Storage buckets is restricting anonymous and/or public access. Cloud Storage buckets, like other GCP resources, have Cloud Identity and Access Management (IAM) policies configured to determine who can have access to the storage resources. To deny access from anonymous and public users, remove the bindings for "allUsers" and "allAuthenticatedUsers" members from the storage bucket's IAM policy. The "allUsers" is a special member identifier that represents any user on the Internet, including authenticated and unauthenticated users, while the "allAuthenticatedUsers" is an identifier that represents any user or service account that can sign in to Google Cloud Platform (GCP) with a Google account.

Security

Misconfigured access permissions are a common security vulnerability involving Cloud Storage resources. Granting permissions to the "allUsers" and "allAuthenticatedUsers" members can allow anyone to access your buckets' content. To prevent sensitive data leaks and data loss, ensure that anonymous and/or public access to your Google Cloud Storage buckets is not allowed.


Audit

To determine if there are any publicly accessible buckets available within your Google Cloud account, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Storage dashboard at https://console.cloud.google.com/storage.

04 In the navigation panel, select Browser to access the list with all the Cloud Storage buckets created for the selected project.

05 Click on the name of the storage bucket that you want to examine.

06 Select the Permissions tab to access the permissions available for selected bucket.

07 Select Members from the View by dropdown list and check the Members column for any IAM members with the allUsers or allAuthenticatedUsers identifier. If the list contains one or more allUsers/allAuthenticatedUsers members, the selected Google Cloud Storage bucket is publicly accessible.

08 Repeat steps no. 5 – 7 for each storage bucket available within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run gcloud projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-project5-123123
cc-web-project-112233
cc-mobile-project-111222

03 Run gsutil ls command (using gsutil Python tool) to list the identifier (name) of each storage bucket created for the specified GCP project:

gsutil ls -p cc-project5-123123

04 The command output should return the requested resource identifier(s):

gs://cc-webdata-bucket/
gs://cc-project5-123123.appspot.com/

05 Run gsutil iam get command (using gsutil tool) with the name of the Cloud Storage bucket that you want to examine as identifier parameter, and pipe its JSON output through jq to list the names of the IAM member(s) bound in the policy associated with the selected bucket:

gsutil iam get gs://cc-webdata-bucket/ | jq '.bindings[].members[]'

06 The command output should return the name of the associated member(s):

"projectOwner:cc-project5-123123"
"allAuthenticatedUsers"
"allUsers"

If the list of IAM member names returned by the gsutil iam get command output includes "allUsers" and/or "allAuthenticatedUsers", as shown in the example above, the selected Google Cloud Storage bucket is publicly accessible, therefore it can be accessed by anyone on the Internet.

07 Repeat steps no. 5 and 6 for each storage bucket created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.

Remediation / Resolution

To remove "allUsers" and/or "allAuthenticatedUsers" IAM member bindings from the associated IAM policy in order to restrict anonymous and/or public access to your Google Cloud Storage buckets, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Storage dashboard at https://console.cloud.google.com/storage.

04 In the navigation panel, select Browser to access the list with all the Cloud Storage buckets provisioned for the selected project.

05 Click on the name of the publicly accessible storage bucket that you want to reconfigure.

06 Select the Permissions tab to access the permissions available for selected bucket.

07 Choose Members from the View by dropdown to display all IAM members that have access to the selected resource.

08 Select all the allUsers and allAuthenticatedUsers members available, then click on the Remove button to initiate the removal action for the selected IAM member bindings.

09 On the Remove member(s)? confirmation box, click REMOVE to confirm the action and delete the allUsers and allAuthenticatedUsers members.

10 Repeat steps no. 5 – 9 for each storage bucket created within the selected project.

11 Repeat steps no. 2 – 10 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run gsutil iam ch -d command (using gsutil Python tool) using the name of the publicly accessible Cloud Storage bucket that you want to reconfigure as identifier parameter, to remove the allUsers member binding from the IAM policy associated with the selected bucket (the command request does not produce an output):

gsutil iam ch -d allUsers gs://cc-webdata-bucket/

02 Run gsutil iam ch -d command (using gsutil tool) using the name of the publicly accessible storage bucket that you want to reconfigure as identifier parameter, to remove the allAuthenticatedUsers member binding from the IAM policy associated with the selected bucket (the command does not return an output):

gsutil iam ch -d allAuthenticatedUsers gs://cc-webdata-bucket/

03 Repeat steps no. 1 and 2 for each anonymously or publicly accessible bucket available in the selected project.

04 Repeat steps no. 1 – 3 for each project created within your Google Cloud account.
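The following script is an added example (not part of the original article or of the Conformity tool) that performs the audit check of CLI steps 05 and 06 and the policy clean-up of remediation steps 01 and 02 on a bucket IAM policy document: it reads the JSON that `gsutil iam get` prints (or a constructed sample policy when nothing is piped in), reports every binding of "allUsers" or "allAuthenticatedUsers", and emits a copy of the policy with those members removed. The bucket name, etag and member values in the sample are constructed.

```python
import json
import sys

# Special IAM members that make a bucket anonymously or publicly reachable.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample shaped like the JSON that `gsutil iam get gs://<bucket>/`
# prints; it is not captured from a real project.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:cc-project5-123123"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "CAE="
}""")


def public_bindings(policy):
    """Return (role, member) pairs that bind a public member (audit steps 05-06).
    A non-empty result means the bucket is publicly accessible."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_MEMBERS]


def strip_public_members(policy):
    """Return a copy of the policy with both public members removed, the same
    effect as the two `gsutil iam ch -d` remediation commands. Bindings left
    without members are dropped; the etag is kept so that `gsutil iam set`
    can use it to detect a concurrent change to the policy."""
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    cleaned["bindings"] = [
        {**b, "members": kept}
        for b in policy.get("bindings", [])
        if (kept := [m for m in b.get("members", []) if m not in PUBLIC_MEMBERS])
    ]
    return cleaned


if __name__ == "__main__":
    # Audit a policy piped in from `gsutil iam get`, or the sample otherwise.
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for role, member in public_bindings(policy):
        print(f"PUBLIC: {member} is bound to {role}")
    print(json.dumps(strip_public_members(policy), indent=2))
```

The script only inspects the bucket's IAM policy; on buckets without uniform bucket-level access, legacy object ACLs can grant allUsers independently and should be reviewed as well.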

Publication date Apr 12, 2021