---
title: Cloud storage anonymous or publicly accessible
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Cloud storage anonymous or publicly accessible
---

# Cloud storage anonymous or publicly accessible

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-gcp-cloud-storage-anonymous-or-publicly-accessible`

**Provider:** GCP

**Platform:** Ansible

**Severity:** Critical

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html)

### Description{% #description %}

Cloud Storage buckets must not be anonymously or publicly accessible. Setting an ACL entity to `allUsers` or `allAuthenticatedUsers` grants broad read or write access to anyone on the internet or to any authenticated Google account, risking data exposure or unauthorized modification.

For Ansible `gcp_storage_bucket` resources (modules `google.cloud.gcp_storage_bucket` and `gcp_storage_bucket`), ensure that neither the `acl.entity` nor the `default_object_acl.entity` property is set to `allUsers` or `allAuthenticatedUsers`. If a bucket does not define `acl`, then `default_object_acl` must be explicitly defined and must not contain those public entities. Tasks that define neither `acl` nor `default_object_acl`, or that set either entity to `allUsers`/`allAuthenticatedUsers`, are flagged.

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
# Compliant: the bucket ACL names a specific group, so the rule reports nothing
- name: create a bucket
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    acl:
      bucket: bucketName
      entity: group-example@googlegroups.com
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
# Non-compliant: each task below is reported by the rule
- name: create a bucket1
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    default_object_acl:
      bucket: bucketName1
      entity: allUsers
      role: READER
- name: create a bucket2
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module2
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    acl:
      bucket: bucketName2
      entity: allAuthenticatedUsers
    default_object_acl:
      bucket: bucketName2
      entity: allUsers
      role: READER
- name: create a bucket3
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module3
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```
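The rule's logic, as an added example that is not Datadog's scanner: it walks a parsed Ansible playbook (the form `yaml.safe_load` would produce), finds `gcp_storage_bucket` tasks, and reports public ACL entities or the absence of both ACL properties. The sample tasks are constructed to mirror the YAML above; the finding strings and the handling of list-valued ACLs are this example's own choices.

```python
# Flag gcp_storage_bucket tasks whose ACLs grant access to allUsers /
# allAuthenticatedUsers, or that define neither acl nor default_object_acl.
MODULES = {"google.cloud.gcp_storage_bucket", "gcp_storage_bucket"}
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def _entries(value):
    """Accept an ACL written as a mapping or as a list of mappings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_tasks(tasks):
    """Return (task_name, reason) findings for every non-compliant bucket task."""
    findings = []
    for task in tasks:
        module = next((m for m in MODULES if m in task), None)
        if module is None:
            continue  # not a Cloud Storage bucket task
        params = task[module] or {}
        name = task.get("name", "<unnamed>")
        acl, default_acl = params.get("acl"), params.get("default_object_acl")
        for key, value in (("acl", acl), ("default_object_acl", default_acl)):
            for entry in _entries(value):
                entity = (entry or {}).get("entity")
                if entity in PUBLIC_ENTITIES:
                    findings.append((name, f"{key}.entity is {entity}"))
        if acl is None and default_acl is None:
            findings.append((name, "neither acl nor default_object_acl is defined"))
    return findings


# Constructed sample: the page's tasks as a YAML loader would return them.
NON_COMPLIANT = [
    {"name": "create a bucket1", "google.cloud.gcp_storage_bucket": {
        "name": "ansible-storage-module1", "state": "present",
        "default_object_acl": {"bucket": "bucketName1", "entity": "allUsers", "role": "READER"}}},
    {"name": "create a bucket2", "google.cloud.gcp_storage_bucket": {
        "name": "ansible-storage-module2", "state": "present",
        "acl": {"bucket": "bucketName2", "entity": "allAuthenticatedUsers"},
        "default_object_acl": {"bucket": "bucketName2", "entity": "allUsers", "role": "READER"}}},
    {"name": "create a bucket3", "google.cloud.gcp_storage_bucket": {
        "name": "ansible-storage-module3", "state": "present"}},
]
COMPLIANT = [{"name": "create a bucket", "google.cloud.gcp_storage_bucket": {
    "name": "ansible-storage-module", "state": "present",
    "acl": {"bucket": "bucketName", "entity": "group-example@googlegroups.com"}}}]

if __name__ == "__main__":
    for task_name, reason in check_tasks(NON_COMPLIANT):
        print(f"{task_name}: {reason}")  # 4 findings for the three non-compliant tasks
```

Running the script prints one line per finding; bucket2 yields two because both its ACL properties are public.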
