5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible

Information

It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.

Rationale:

Allowing anonymous or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.

Impact:

No storage buckets would be publicly accessible. You would have to explicitly administer bucket access.

Solution

From Google Cloud Console

Go to Storage browser by visiting https://console.cloud.google.com/storage/browser.

Click on the bucket name to go to its Bucket details page.

Click on the Permissions tab.

Click Delete button in front of allUsers and allAuthenticatedUsers to remove that particular role assignment.

From Google Cloud CLI
Remove allUsers and allAuthenticatedUsers access.

gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME

Prevention:
You can prevent Storage buckets from becoming publicly accessible by setting up the Domain restricted sharing organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains .

Default Value:

By Default, Storage buckets are not publicly shared.

See Also

https://workbench.cisecurity.org/benchmarks/9562

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|12.4

Plugin: GCP

Control ID: afb8cb71baf00b6d86aff6a1db5a079ad05605fd49fcc6288dbc825bd5ea1890