Google CloudOverview
It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
Rationale
It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.
Cloud Storage offers two systems for granting users permission to access your buckets and objects: Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs). These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission. Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels. ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.
In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access. Using this feature disables ACLs for all Cloud Storage resources: access to Cloud Storage resources then is granted exclusively through Cloud IAM. Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible, no object in the bucket is publicly accessible either.
Impact
If you enable uniform bucket-level access, you revoke access from users who gain their access solely through object ACLs. Certain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot export to Cloud Storage buckets that have uniform bucket-level access enabled.
Remediation guidance
From Google Cloud Console
- Open the
Cloud Storagebrowser in the Google Cloud Console by visiting: https://console.cloud.google.com/storage/browser - In the list of buckets, click on the name of the desired bucket.
- Select the
Permissionstab near the top of the page. - In the
Access controlbox, selectSWITCH TO UNIFORM. - In the pop-up dialog, select
UNIFORMand clickSAVE.
Using Google Cloud CLI
Use the on option in a uniformbucketlevelaccess set command:
gsutil uniformbucketlevelaccess set on gs://<bucketName>/
Prevention
You can set up an Organization Policy to enforce that any new bucket has uniform bucket level access enabled. Learn more at: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket
Default Value
By default, Cloud Storage buckets do not have uniform bucket-level access enabled.
References
- https://cloud.google.com/storage/docs/uniform-bucket-level-access
- https://cloud.google.com/storage/docs/using-uniform-bucket-level-access
- https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket
Additional information
Uniform bucket-level access can no longer be disabled if it has been active on a bucket for 90 consecutive days.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Cloud Storage buckets have uniform bucket-level access enabled
Connectors
Covered asset types
Expected check: eq []
buckets(where:{iamConfigurationUniformBucketLevelAccessEnabled:false}){...AssetFragment}
