Cyscale
Back to controls

Ensure Cloud Storage buckets have uniform bucket-level access enabled

It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.

Category

Controls

Medium

Applies to

Google Cloud

Coverage

null controls, 1 queries

Asset types

1 covered

Overview

It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.

Rationale

It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.

Cloud Storage offers two systems for granting users permission to access your buckets and objects: Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs). These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission. Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels. ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access. Using this feature disables ACLs for all Cloud Storage resources: access to Cloud Storage resources then is granted exclusively through Cloud IAM. Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible, no object in the bucket is publicly accessible either.

Impact

If you enable uniform bucket-level access, you revoke access from users who gain their access solely through object ACLs. Certain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot export to Cloud Storage buckets that have uniform bucket-level access enabled.

Remediation guidance

From Google Cloud Console

  1. Open the Cloud Storage browser in the Google Cloud Console by visiting: https://console.cloud.google.com/storage/browser
  2. In the list of buckets, click on the name of the desired bucket.
  3. Select the Permissions tab near the top of the page.
  4. In the Access control box, select SWITCH TO UNIFORM.
  5. In the pop-up dialog, select UNIFORM and click SAVE.

Using Google Cloud CLI

Use the on option in a uniformbucketlevelaccess set command:

gsutil uniformbucketlevelaccess set on gs://<bucketName>/

Prevention

You can set up an Organization Policy to enforce that any new bucket has uniform bucket level access enabled. Learn more at: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket

Default Value

By default, Cloud Storage buckets do not have uniform bucket-level access enabled.

References

  1. https://cloud.google.com/storage/docs/uniform-bucket-level-access
  2. https://cloud.google.com/storage/docs/using-uniform-bucket-level-access
  3. https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket

Additional information

Uniform bucket-level access can no longer be disabled if it has been active on a bucket for 90 consecutive days.

Multiple Remediation Paths

Google Cloud

SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.

gcloud org-policies set-policy policy.yaml

ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.

PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.

References for Service-Wide Patterns

  • GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
  • GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
  • gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

  • Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml

2. Remediate Existing Affected Assets

  • Execute the control-specific Console/CLI steps documented above for each flagged resource.
  • Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

  • Re-scan after each remediation batch.
  • Track exceptions with owner and expiry date.
  • Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Cloud Storage buckets have uniform bucket-level access enabled

Connectors

Google Cloud

Covered asset types

Bucket

Expected check: eq []

buckets(where:{iamConfigurationUniformBucketLevelAccessEnabled:false}){...AssetFragment}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon