gcp-gcs-anon-or-public
Ensure that Cloud Storage bucket is not anonymously or publicly accessible
When setting access to a Cloud Storage bucket you can configure access controls using various resources (e.g. google_storage_bucket_iam_member or google_storage_bucket_iam_binding), and you should only grant access to authorized users. In the member (or members) attribute you can set allUsers (grants anonymous access to anyone on the Internet) or allAuthenticatedUsers (grants access to anyone authenticated with any Google account). Those special groups should be avoided: always prefer to create your own groups, grant specific users by e-mail, or at least restrict access to your organization.
There might be a valid reason to use allUsers when the objects stored in the bucket are meant to be visible to visitors of a website, i.e. when the bucket simply serves static resources. In that case, you may want to use a # noboost tag.
Examples
Insecure Example
# Anyone on the Internet can read objects: no authentication required.
resource "google_storage_bucket_iam_member" "member1" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.objectViewer"
  member = "allUsers"
}
# Anyone with any Google account gets full admin rights on the bucket.
resource "google_storage_bucket_iam_member" "member2" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "allAuthenticatedUsers"
}
Secure Example
# Grants are scoped to named principals (here, individual users by e-mail).
resource "google_storage_bucket_iam_member" "member1" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.objectViewer"
  member = "user:jane@example.com"
}
resource "google_storage_bucket_iam_member" "member2" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "user:john@example.com"
}
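As an added illustration of the check this rule performs (example code, not the rule engine's own implementation), the following scanner walks Terraform HCL text, looks only at google_storage_bucket_iam_member and google_storage_bucket_iam_binding resources, and reports any member or members value that names allUsers or allAuthenticatedUsers. It assumes the # noboost tag is placed as a comment on the grant's own line(s), which the page does not specify; the sample HCL is constructed from the page's insecure example plus two bindings.

```python
import re
# Added example (not the rule engine's own code): flag Cloud Storage IAM grants to the special groups.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
TARGET_RESOURCES = {"google_storage_bucket_iam_member", "google_storage_bucket_iam_binding"}
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
MEMBER_RE = re.compile(r'^\s*members?\s*=\s*(.*)$')
SUPPRESS_TAG = "# noboost"  # assumption: the tag is a comment on the grant's own line(s)

def find_public_grants(hcl):
    # Returns (line number, resource address, public principals) per unsuppressed grant.
    findings, lines = [], hcl.splitlines()
    addr, depth, i = None, 0, 0
    while i < len(lines):
        line, i = lines[i], i + 1
        m = RESOURCE_RE.match(line)
        if m and depth == 0:  # entering a top-level resource block
            addr = f"{m.group(1)}.{m.group(2)}" if m.group(1) in TARGET_RESOURCES else None
            depth = 1
            continue
        if depth == 0:
            continue
        depth += line.count("{") - line.count("}")
        m = MEMBER_RE.match(line) if addr else None
        if m:
            start, value = i, m.group(1)
            while "[" in value and "]" not in value and i < len(lines):  # multi-line list
                value, i = value + lines[i], i + 1
            public = [p for p in re.findall(r'"([^"]+)"', value) if p in PUBLIC_PRINCIPALS]
            if public and SUPPRESS_TAG not in value:
                findings.append((start, addr, public))
        if depth <= 0:  # left the resource block
            addr, depth = None, 0
    return findings

# Constructed sample: the page's insecure member plus two bindings (one suppressed).
SAMPLE_HCL = """\
resource "google_storage_bucket_iam_member" "member1" {
  role   = "roles/storage.objectViewer"
  member = "allUsers"
}
resource "google_storage_bucket_iam_binding" "site" {
  role    = "roles/storage.objectViewer"
  members = ["allUsers"] # noboost
}
resource "google_storage_bucket_iam_binding" "admins" {
  role    = "roles/storage.admin"
  members = ["user:jane@example.com",
             "allAuthenticatedUsers"]
}
"""
```

Running find_public_grants(SAMPLE_HCL) reports member1 (line 3) and the admins binding (line 11); the site binding is skipped because of its # noboost tag.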