
Metadata

Id: 086031e1-9d4a-4249-acb3-5bfe4c363db2

Cloud Provider: GCP

Platform: Ansible

Severity: Critical

Category: Access Control


Description

Cloud Storage buckets must not be anonymously or publicly accessible. Setting an ACL entity to allUsers grants the chosen role (read, or write for bucket ACLs) to anyone on the internet, and allAuthenticatedUsers grants it to any Google account, not only accounts in your organization, so both are effectively public and risk data exposure or unauthorized modification of bucket contents.

For Ansible Cloud Storage bucket tasks (modules google.cloud.gcp_storage_bucket and gcp_storage_bucket), ensure that neither the acl.entity nor the default_object_acl.entity property is set to allUsers or allAuthenticatedUsers. A task is flagged when either entity is one of those public values, or when the task defines neither acl nor default_object_acl at all. A task that defines only acl, or only default_object_acl, with a non-public entity is compliant, as in the example below.

Compliant Code Examples

# Compliant: the query should not report a result.
# acl is defined and its entity is a Google Group, not allUsers or
# allAuthenticatedUsers; default_object_acl may be omitted when acl is set.
- name: create a bucket
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    acl:
      bucket: bucketName
      entity: group-example@googlegroups.com

Non-Compliant Code Examples

# Non-compliant: the query should report a result for each task below.
# bucket1: default_object_acl.entity is allUsers, so every new object is
# readable by anyone on the internet.
- name: create a bucket1
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    default_object_acl:
      bucket: bucketName1
      entity: allUsers
      role: READER
# bucket2: both acl.entity (allAuthenticatedUsers) and
# default_object_acl.entity (allUsers) are public entities.
- name: create a bucket2
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module2
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    acl:
      bucket: bucketName2
      entity: allAuthenticatedUsers
    default_object_acl:
      bucket: bucketName2
      entity: allUsers
      role: READER
# bucket3: defines neither acl nor default_object_acl.
- name: create a bucket3
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module3
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
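The rule logic described above, written out as a small checker so it can be run against a playbook before it reaches the scanner. This is an added example, not Datadog's or KICS's implementation: it operates on tasks already parsed into Python dicts (the structure yaml.safe_load() produces, so no third-party dependency is needed here), accepts acl/default_object_acl either as a single mapping, as on this page, or as a list of mappings, and the sample tasks below are constructed to mirror the page's compliant and non-compliant examples.

```python
# Added example, not the scanner's own code. Flags google.cloud.gcp_storage_bucket
# / gcp_storage_bucket tasks whose acl or default_object_acl entity is
# allUsers/allAuthenticatedUsers, or that define neither ACL property.

PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}
BUCKET_MODULES = ("google.cloud.gcp_storage_bucket", "gcp_storage_bucket")
ACL_KEYS = ("acl", "default_object_acl")  # checked in this order


def _acl_entries(value):
    """Normalise an ACL parameter to a list of mappings.

    The examples on this page pass a single mapping; a list of mappings is
    accepted as well so list-form playbooks are not silently skipped.
    """
    if isinstance(value, dict):
        return [value]
    if isinstance(value, list):
        return [entry for entry in value if isinstance(entry, dict)]
    return []


def check_task(task):
    """Return the findings for one task as a list of strings (empty = compliant)."""
    module = next((m for m in BUCKET_MODULES if m in task), None)
    if module is None:
        return []  # not a Cloud Storage bucket resource; the rule does not apply
    params = task.get(module) or {}
    if not isinstance(params, dict):
        return []  # free-form (string) module arguments are not inspected here
    name = task.get("name") or params.get("name") or "<unnamed>"
    findings = []

    defined = [key for key in ACL_KEYS if key in params]
    if not defined:
        findings.append(f"{name}: defines neither acl nor default_object_acl")

    for key in defined:
        for entry in _acl_entries(params[key]):
            entity = entry.get("entity")
            if entity in PUBLIC_ENTITIES:
                findings.append(f"{name}: {key}.entity is {entity}")
    return findings


def check_tasks(tasks):
    """Run check_task over a flat list of tasks and collect all findings."""
    findings = []
    for task in tasks:
        if isinstance(task, dict):
            findings.extend(check_task(task))
    return findings


# Constructed sample tasks mirroring this page's examples (hypothetical values).
COMPLIANT_TASK = {
    "name": "create a bucket",
    "google.cloud.gcp_storage_bucket": {
        "name": "ansible-storage-module",
        "project": "test_project",
        "state": "present",
        "acl": {"bucket": "bucketName", "entity": "group-example@googlegroups.com"},
    },
}

NON_COMPLIANT_TASKS = [
    {"name": "create a bucket1", "google.cloud.gcp_storage_bucket": {
        "name": "ansible-storage-module1", "state": "present",
        "default_object_acl": {"bucket": "bucketName1", "entity": "allUsers", "role": "READER"}}},
    {"name": "create a bucket2", "google.cloud.gcp_storage_bucket": {
        "name": "ansible-storage-module2", "state": "present",
        "acl": {"bucket": "bucketName2", "entity": "allAuthenticatedUsers"},
        "default_object_acl": {"bucket": "bucketName2", "entity": "allUsers", "role": "READER"}}},
    {"name": "create a bucket3", "google.cloud.gcp_storage_bucket": {
        "name": "ansible-storage-module3", "state": "present"}},
]

if __name__ == "__main__":
    for finding in check_tasks([COMPLIANT_TASK] + NON_COMPLIANT_TASKS):
        print(finding)
```

To use it on a real playbook, load the file with yaml.safe_load(), flatten the tasks of each play (including block/rescue/always sections) into one list and pass it to check_tasks; a non-empty result is what the rule above would report.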