Ensure buckets are not publicly accessible

Overview

Category: Controls
Severity: High
Applies to: Alibaba Cloud, AWS, Google Cloud, Microsoft Azure
Coverage: 4 queries
Asset types: 2 covered

Buckets should almost never be publicly accessible (except when they are used to host public static websites). Although there is nothing inherently insecure about buckets, access control misconfigurations and a poor understanding of how bucket security works can turn buckets into a vector for attack and data exfiltration. To avoid this, Cyscale looks for publicly accessible buckets.

Remediation guidance

AWS

From the Console

Perform the following actions to block all public access for a bucket:

  1. Open the security settings using the "Open in AWS" menu option
  2. Select the tab Permissions
  3. Under Block public access (bucket settings), select Edit
  4. Check the Block all public access checkbox
  5. Click Save changes

From the AWS CLI

aws s3api put-public-access-block --bucket <bucketName> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
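As an added example (not part of this page or of the AWS documentation it references), the following Python script applies the same remediation as the CLI command above across every bucket in an account: it reads each bucket's PublicAccessBlockConfiguration, reports which of the four settings are not enforced and, when run with --apply, enforces all four and re-reads the configuration to confirm the change. It assumes boto3 is installed and that the credentials in the environment allow s3:ListAllMyBuckets, s3:GetBucketPublicAccessBlock and s3:PutBucketPublicAccessBlock; the --apply flag and the function names are this example's own.

```python
"""Audit and remediate S3 Block Public Access for every bucket in an account.

Added example; boto3 is imported lazily so that the pure helper
missing_block_settings() can be used (and tested) without it.
"""
from __future__ import annotations

# The four settings that together make up "Block all public access".
BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def missing_block_settings(config: dict | None) -> list[str]:
    """Return the names of the settings that are not enforced.

    `config` is the PublicAccessBlockConfiguration dict returned by
    get_public_access_block, or None when the bucket has no configuration
    at all (S3 answers with NoSuchPublicAccessBlockConfiguration then).
    """
    if config is None:
        return sorted(BLOCK_ALL)
    return sorted(name for name in BLOCK_ALL if not config.get(name, False))


def get_block_config(s3, bucket: str) -> dict | None:
    """Fetch the bucket's configuration, mapping 'no configuration' to None."""
    try:
        resp = s3.get_public_access_block(Bucket=bucket)
        return resp["PublicAccessBlockConfiguration"]
    except Exception as exc:  # botocore ClientError carries the S3 error code
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise


def remediate_account(dry_run: bool = True) -> dict[str, list[str]]:
    """Find every bucket with a gap and, unless dry_run, enforce BLOCK_ALL.

    Returns {bucket_name: [missing settings]} for the flagged buckets so the
    result can be logged or handed to whoever tracks exceptions.
    """
    import boto3  # lazy import: only needed for a live run

    s3 = boto3.client("s3")
    findings: dict[str, list[str]] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        missing = missing_block_settings(get_block_config(s3, name))
        if not missing:
            continue
        findings[name] = missing
        if dry_run:
            continue
        s3.put_public_access_block(
            Bucket=name, PublicAccessBlockConfiguration=BLOCK_ALL
        )
        # Re-read instead of trusting the write: a propagation delay or a
        # denied PutBucketPublicAccessBlock would otherwise go unnoticed.
        still_missing = missing_block_settings(get_block_config(s3, name))
        if still_missing:
            raise RuntimeError(f"{name}: still missing {still_missing} after update")
    return findings


if __name__ == "__main__":
    import sys

    apply_changes = "--apply" in sys.argv
    for name, missing in remediate_account(dry_run=not apply_changes).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run it without arguments first to get a report, then with --apply to enforce. Bucket-level settings combine with the account-level Block Public Access configuration (set through the S3 Control API rather than the S3 API), so the account-level block is the better place to close the gap for all current and future buckets once the exceptions for genuine static-website buckets are known.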

Default Value

By default, new buckets, access points, and objects do not allow public access.

References

  1. Configuring block public access settings for your S3 buckets
  2. put-public-access-block

Azure

From Azure Console

First, follow the Microsoft documentation and create shared access signature tokens for your blob containers. Then, follow these steps:

To change the access level for containers

  1. Go to Storage Accounts
  2. For each storage account, go to Containers under Data storage
  3. For each container, click Change access level
  4. Select for Public access level the Private (no anonymous access) option

To change the access level for blobs

  1. Go to Storage Accounts
  2. For each storage account, under Settings, go to Configuration
  3. Set Disabled for Allow Blob public access if no anonymous access is needed on the storage account

Using Azure Command Line Interface

Set the public access permission of the container to private (off):

az storage container set-permission --name <containerName> --public-access off --account-name <accountName> --account-key <accountKey>

Disallow public blob access for the storage account.

az storage account update --name <storageAccount> --resource-group <resourceGroup> --allow-blob-public-access false

Default Value

By default, the Public access level is set to Private (no anonymous access) for blob containers. By default, AllowBlobPublicAccess is set to Null (allow in effect) for storage accounts.

References

  1. https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources
  2. https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent
  3. https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy
  4. https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic

Google Cloud

From Google Cloud Console

  1. Go to Storage browser by visiting https://console.cloud.google.com/storage/browser
  2. Click on a bucket name to go to its Bucket details page
  3. Click on the PERMISSIONS tab
  4. For principals allUsers and allAuthenticatedUsers, click on the Edit principal pencil button to modify the permissions
  5. Click the Delete button on the right to remove that particular role assignment
  6. Select SAVE

CLI

Remove allUsers and allAuthenticatedUsers access.

gsutil iam ch -d allUsers gs://<bucketName>
gsutil iam ch -d allAuthenticatedUsers gs://<bucketName>

Prevention

You can prevent Storage buckets from becoming publicly accessible by setting up the Domain restricted sharing organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iamallowedPolicyMemberDomains

Default Value

By default, Storage buckets are not publicly shared.

References

  1. https://cloud.google.com/storage/docs/access-control/iam-reference
  2. https://cloud.google.com/storage/docs/access-control/making-data-public
  3. https://cloud.google.com/storage/docs/gsutil/commands/iam

Additional information

To restrict access to buckets, configuring bucket IAM is preferred over configuring bucket ACLs. In the GCP console, "Edit Permissions" for a bucket exposes only the IAM configuration. Bucket ACLs are configured automatically as needed to implement and support the user-enforced bucket IAM policy. If an administrator changes a bucket ACL through the command line (gsutil) or the API, the bucket IAM policy is also updated automatically.

Alibaba Cloud

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

AWS

Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Google Cloud

Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.

Alibaba Cloud

Use Resource Directory guardrails, account baselines, and IaC modules so the secure setting is applied consistently across environments.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Publicly Accessible AWS Buckets

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

{
  buckets(
    where: {
      cloudProvider: "aws"
      publicAccessBlocked: false
      OR: [
        {
          hasBucketACLGrant_SOME: {
            OR: [
              { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
              {
                granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
              }
            ]
            permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
          }
        }
        {
          bucketPolicy: {
            statements_SOME: {
              effect: "Allow"
              OR: [
                { actions_INCLUDES: "s3:GetObject" }
                { actions_INCLUDES: "s3:ListObjects" }
                { actions_INCLUDES: "s3:ListObjectsV2" }
                { actions_INCLUDES: "s3:PutObject" }
                { actions_INCLUDES: "s3:PutObjectAcl" }
                { actions_INCLUDES: "s3:CreateMultipartUpload" }
                { actions_INCLUDES: "s3:UploadPart" }
                { actions_INCLUDES: "s3:DeleteObject" }
                { actions_INCLUDES: "s3:DeleteObjects" }
                { actions_INCLUDES: "s3:*" }
                { actions_INCLUDES: "*" }
              ]
              principals_INCLUDES: "AWS|*"
            }
          }
        }
      ]
    }
  ) {...AssetFragment}
}

Publicly Readable Azure Blob Containers

Connectors

Microsoft Azure

Covered asset types

BlobContainer

Expected check: eq []

{
  blobContainers(
    where: {
      cloudProvider: "azure"
      publicAccessBlocked: false
      publicAccess_IN: ["Blob", "Container"]
    }
  ) {...AssetFragment}
}

Publicly Accessible Google Cloud Buckets

Connectors

Google Cloud

Covered asset types

Bucket

Expected check: eq []

{
  buckets(
    where: {
      cloudProvider: "gcp"
      publicAccessBlocked: false
      iamBindings_SOME: {
        OR: [
          { members_INCLUDES: "allUsers" }
          { members_INCLUDES: "allAuthenticatedUsers" }
        ]
        role: {
          OR: [
            { permissions_INCLUDES: "storage.objects.get" }
            { permissions_INCLUDES: "storage.objects.list" }
            { permissions_INCLUDES: "storage.objects.create" }
            { permissions_INCLUDES: "storage.objects.delete" }
            { permissions_INCLUDES: "storage.objects.update" }
            { permissions_INCLUDES: "storage.objects.*" }
            { permissions_INCLUDES: "storage.objects.setIamPolicy" }
            { permissions_INCLUDES: "storage.multipartUploads.create" }
            { permissions_INCLUDES: "storage.multipartUploads.*" }
          ]
        }
      }
    }
  ) {...AssetFragment}
}

Publicly Accessible Alibaba Buckets

Connectors

Alibaba Cloud

Covered asset types

Bucket

Expected check: eq []

{
  buckets(
    where: {
      cloudProvider: "alibaba"
      publicAccessBlocked: false
      OR: [
        { acl_IN: ["public-read", "public-read-write"] }
        {
          bucketPolicy: {
            statements_SOME: {
              effect: "Allow"
              OR: [
                { actions_INCLUDES: "oss:GetObject" }
                { actions_INCLUDES: "oss:PutObject" }
                { actions_INCLUDES: "oss:PutObjectAcl" }
                { actions_INCLUDES: "oss:ListObjects" }
                { actions_INCLUDES: "oss:GetObjectVersion" }
                { actions_INCLUDES: "oss:*" }
                { actions_INCLUDES: "*" }
              ]
              principals_INCLUDES: "*"
            }
          }
        }
      ]
    }
  ) {...AssetFragment}
}
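The four stored checks above share one shape: a bucket or container is flagged only when public access is not blocked at the platform level and some ACL, policy statement or IAM binding grants object access to an anonymous or all-authenticated principal. As an added example (not Cyscale's query engine), the following Python re-implements all four checks over plain dicts so the logic can be read and tested offline; the key names used for nested collections (aclGrants, statements, principals, iamBindings, permissions) and the sample inventory at the bottom are this example's own assumptions.

```python
"""Offline re-implementation of the four stored checks above (added example, not
Cyscale's own query engine). Each check takes a dict shaped like the asset fields
the queries reference and returns True when the query would return the asset."""

# AWS: grantee URIs and ACL permissions from the hasBucketACLGrant_SOME filter.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AWS_PUBLIC_GRANTEES = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
AWS_ACL_PERMISSIONS = {"READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
AWS_ACTIONS = {"s3:GetObject", "s3:ListObjects", "s3:ListObjectsV2", "s3:PutObject",
               "s3:PutObjectAcl", "s3:CreateMultipartUpload", "s3:UploadPart",
               "s3:DeleteObject", "s3:DeleteObjects", "s3:*", "*"}
# Alibaba OSS policy actions from the bucketPolicy filter.
OSS_ACTIONS = {"oss:GetObject", "oss:PutObject", "oss:PutObjectAcl", "oss:ListObjects",
               "oss:GetObjectVersion", "oss:*", "*"}
# Google Cloud: public principals and object-level permissions from the query.
GCP_PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
GCP_PERMISSIONS = {"storage.objects.get", "storage.objects.list", "storage.objects.create",
                   "storage.objects.delete", "storage.objects.update", "storage.objects.*",
                   "storage.objects.setIamPolicy", "storage.multipartUploads.create",
                   "storage.multipartUploads.*"}


def _policy_allows_public(policy, actions, public_principal):
    """statements_SOME: effect Allow, any listed action, and the wildcard principal."""
    for stmt in (policy or {}).get("statements", []):
        if (stmt.get("effect") == "Allow"
                and public_principal in stmt.get("principals", [])
                and actions & set(stmt.get("actions", []))):
            return True
    return False


def aws_bucket_is_public(bucket):
    # Block Public Access overrides ACLs and policies, so the query only looks at
    # buckets where it is off.
    if bucket.get("publicAccessBlocked"):
        return False
    acl_public = any(g.get("granteeURI") in AWS_PUBLIC_GRANTEES
                     and g.get("permission") in AWS_ACL_PERMISSIONS
                     for g in bucket.get("aclGrants", []))
    # The model encodes an AWS principal as "<type>|<value>", hence "AWS|*".
    return acl_public or _policy_allows_public(bucket.get("bucketPolicy"), AWS_ACTIONS, "AWS|*")


def azure_container_is_public(container):
    return (not container.get("publicAccessBlocked")
            and container.get("publicAccess") in {"Blob", "Container"})


def gcp_bucket_is_public(bucket):
    if bucket.get("publicAccessBlocked"):
        return False
    # Roles are matched on the permissions they expand to, not on their names,
    # so a custom role that grants object access is caught as well.
    return any(GCP_PUBLIC_MEMBERS & set(b.get("members", []))
               and GCP_PERMISSIONS & set(b.get("role", {}).get("permissions", []))
               for b in bucket.get("iamBindings", []))


def alibaba_bucket_is_public(bucket):
    if bucket.get("publicAccessBlocked"):
        return False
    if bucket.get("acl") in {"public-read", "public-read-write"}:
        return True
    return _policy_allows_public(bucket.get("bucketPolicy"), OSS_ACTIONS, "*")


CHECKS = {"aws": aws_bucket_is_public, "azure": azure_container_is_public,
          "gcp": gcp_bucket_is_public, "alibaba": alibaba_bucket_is_public}


def flagged_assets(assets):
    """Names the four queries would return together; the expected check is []."""
    return [a["name"] for a in assets if CHECKS[a["cloudProvider"]](a)]


# Constructed sample inventory exercising each path the queries test.
SAMPLE_ASSETS = [
    {"name": "aws-acl-public", "cloudProvider": "aws", "publicAccessBlocked": False,
     "aclGrants": [{"granteeURI": ALL_USERS, "permission": "READ"}]},
    {"name": "aws-acl-but-blocked", "cloudProvider": "aws", "publicAccessBlocked": True,
     "aclGrants": [{"granteeURI": ALL_USERS, "permission": "FULL_CONTROL"}]},
    {"name": "aws-policy-public", "cloudProvider": "aws", "publicAccessBlocked": False,
     "bucketPolicy": {"statements": [{"effect": "Allow", "principals": ["AWS|*"],
                                      "actions": ["s3:GetObject"]}]}},
    {"name": "aws-policy-scoped", "cloudProvider": "aws", "publicAccessBlocked": False,
     "bucketPolicy": {"statements": [{"effect": "Allow", "actions": ["s3:GetObject"],
                                      "principals": ["AWS|arn:aws:iam::111122223333:root"]}]}},
    {"name": "azure-blob-public", "cloudProvider": "azure", "publicAccessBlocked": False,
     "publicAccess": "Blob"},
    {"name": "gcp-allusers-reader", "cloudProvider": "gcp", "publicAccessBlocked": False,
     "iamBindings": [{"members": ["allUsers"],
                      "role": {"permissions": ["storage.objects.get", "storage.objects.list"]}}]},
    {"name": "gcp-metadata-only", "cloudProvider": "gcp", "publicAccessBlocked": False,
     "iamBindings": [{"members": ["allAuthenticatedUsers"],
                      "role": {"permissions": ["storage.buckets.get"]}}]},
    {"name": "oss-acl-public", "cloudProvider": "alibaba", "publicAccessBlocked": False,
     "acl": "public-read"},
    {"name": "oss-policy-public", "cloudProvider": "alibaba", "publicAccessBlocked": False,
     "acl": "private", "bucketPolicy": {"statements": [
         {"effect": "Allow", "principals": ["*"], "actions": ["oss:GetObject"]}]}},
]

if __name__ == "__main__":
    print(flagged_assets(SAMPLE_ASSETS))
```

Two of the negatives are worth noting when reading scan results: aws-acl-but-blocked keeps a public ACL grant yet is not flagged because Block Public Access neutralises it, and gcp-metadata-only binds allAuthenticatedUsers to a role that only exposes bucket metadata, which the query deliberately does not count as object access.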
© 2026 Cyscale Limited
