Cloud Storage Bucket should not be anonymously or publicly accessible

문서 > Datadog 보안 > OOTB Rules > Cloud Storage Bucket should not be anonymously or publicly accessible

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

It is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.

Rationale

With anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.

Additional Information

To implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the Edit Permissions button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.

Impact

Storage buckets are not publicly accessible. You have to explicitly administer bucket access.

Prevention

You can prevent Storage buckets from becoming publicly accessible by setting up the Domain restricted sharing organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains

Default value

By default, Storage buckets are not publicly accessible.

Remediation

From the console

Go to Storage browser at https://console.cloud.google.com/storage/browser.
Click on the bucket name to access the Bucket details page.
Click on the Permissions tab.
Click the Delete button in front of allUsers and allAuthenticatedUsers to remove that particular role assignment.

From the command line

Remove allUsers and allAuthenticatedUsers access.

gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME