Cloud Storage Anonymous or Publicly Accessible

ID

gcp_cloud_storage_public

Severity

high

Vendor

GCP

Resource

AIM

Tags

reachable

Description

Buckets are the Cloud Storage resource that holds and organizes data.

Setting up anonymous or public access to buckets makes it easy to share data with others, but it also lets anyone read that data and use it to exploit vulnerabilities.

To fix it, configure the acl.entity property so that it does not use the allUsers or allAuthenticatedUsers values.

Learn more about this topic at Cloud Storage Access control list (ACLs).

Examples

---
- name: create a bucket
  google.cloud.gcp_storage_bucket:
    name: storage-module
    project: test_p
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    acl:
      entity: allUsers   # grants every anonymous user WRITER access to the bucket
      role: WRITER

Mitigation / Fix

---
- name: create a bucket
  google.cloud.gcp_storage_bucket:
    name: "{{ bucket_name }}"      # Jinja expressions must be quoted in YAML; hyphens are not valid in variable names
    project: "{{ project_id }}"
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    acl:
      name: "{{ bucket_name }}"
      entity: project-team-pname   # a project team entity instead of allUsers or allAuthenticatedUsers
      role: WRITER
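The check this rule performs, written out as an added example (not the scanner's own code): it walks parsed Ansible tasks, finds gcp_storage_bucket calls and reports any acl entry whose entity is allUsers or allAuthenticatedUsers. It assumes the playbook has already been parsed with yaml.safe_load into Python data, so the sample below is the parsed form of the two examples above, constructed inline.

```python
"""Flag Ansible tasks that give a Cloud Storage bucket an anonymous or public ACL."""

PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}
# Short name and fully qualified collection name of the module.
MODULE_NAMES = {"google.cloud.gcp_storage_bucket", "gcp_storage_bucket"}
TASK_SECTIONS = ("pre_tasks", "tasks", "post_tasks")


def acl_entries(acl):
    """Normalise the acl argument: accept a single mapping or a list of mappings."""
    if isinstance(acl, dict):
        return [acl]
    if isinstance(acl, list):
        return [entry for entry in acl if isinstance(entry, dict)]
    return []


def public_acl_entities(task):
    """Return the public entities granted by one task, or [] if it is not a bucket task."""
    for module in MODULE_NAMES:
        args = task.get(module)
        if isinstance(args, dict):
            return [e.get("entity") for e in acl_entries(args.get("acl"))
                    if e.get("entity") in PUBLIC_ENTITIES]
    return []


def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        yield task
        for key in ("block", "rescue", "always"):
            if isinstance(task.get(key), list):
                yield from iter_tasks(task[key])


def find_public_buckets(doc):
    """Return (task name, entity) pairs for a parsed play list or a parsed task list."""
    findings = []
    for item in doc:
        sections = [item[k] for k in TASK_SECTIONS if isinstance(item.get(k), list)]
        tasks = [t for section in sections for t in section] if sections else [item]
        for task in iter_tasks(tasks):
            for entity in public_acl_entities(task):
                findings.append((task.get("name", "<unnamed>"), entity))
    return findings


# Constructed sample: the parsed form of the vulnerable and fixed tasks on this page.
SAMPLE_TASKS = [
    {"name": "create a bucket", "google.cloud.gcp_storage_bucket": {
        "name": "storage-module", "project": "test_p", "state": "present",
        "acl": {"entity": "allUsers", "role": "WRITER"}}},
    {"name": "create a private bucket", "google.cloud.gcp_storage_bucket": {
        "name": "{{ bucket_name }}", "project": "{{ project_id }}", "state": "present",
        "acl": {"entity": "project-team-pname", "role": "WRITER"}}},
]

if __name__ == "__main__":
    for name, entity in find_public_buckets(SAMPLE_TASKS):
        print(f"gcp_cloud_storage_public: task '{name}' grants {entity} access")
```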