Storage bucket uniform access control should be enabled

Description

Cloud Storage bucket permissions should not be configured to allow ‘allUsers’ or ‘allAuthenticatedUsers’ access. These permissions provide broad, public access, which can result in unknown or undesired data access.

Remediation Steps

Google Cloud Console

  • Navigate to Storage browser.

  • Click on the bucket name to go to the Bucket details page.

  • Click PERMISSIONS.

  • Click Delete next to any allUsers and allAuthenticatedUsers role assignments.

gcloud CLI

  • Remove allUsers access from the bucket:

    • gsutil iam ch -d allUsers gs://BUCKET_NAME

  • Remove allAuthenticatedUsers access from the bucket:

    • gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME
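
To confirm which role assignments need removing before running the commands above, and to re-check afterwards, the following added example (not part of the original page) scans a bucket IAM policy in the JSON form printed by `gsutil iam get gs://BUCKET_NAME`. The function names and the sample policy are assumptions constructed for illustration.

```python
import json

PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")

# Constructed sample in the shape printed by `gsutil iam get gs://BUCKET_NAME`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.admin",
     "members": ["group:storage-admins@example.com"]}
  ],
  "etag": "CAE="
}
""")


def public_bindings(policy):
    """Return sorted (member, role) pairs that grant access to a public principal."""
    found = set()
    # A policy with no grants at all may omit the "bindings" key entirely.
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.add((member, binding.get("role", "")))
    return sorted(found)


def remediation_commands(policy, bucket="BUCKET_NAME"):
    """Build the page's `gsutil iam ch -d` command for each public principal present."""
    members = sorted({member for member, _ in public_bindings(policy)})
    return [f"gsutil iam ch -d {m} gs://{bucket}" for m in members]


if __name__ == "__main__":
    for member, role in public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {member} has {role}")
    for cmd in remediation_commands(SAMPLE_POLICY):
        print(cmd)
```

An empty result from `public_bindings` on the policy fetched after remediation indicates that no allUsers or allAuthenticatedUsers role assignments remain in the bucket's IAM policy.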