Ensures that storage buckets have uniform level access enabled.
Risk Level: Low
Description
This plugin ensures that uniform-level access is enabled on storage buckets. Uniform bucket-level access allows you to uniformly control access to your Cloud Storage resources. When bucket-level access is enabled, IAM permissions are used to grant access to the storage buckets.
About the Service
Google Cloud Storage:
Google Cloud Storage is a service that provides dependable and secure storage classes for any workload, allowing users to select cost-effective storage alternatives based on their requirements. You can effortlessly move data to Cloud storage and benefit from its strong security and scalability features. To know more, read here.
Impact
If uniform level access is not enabled on storage buckets, granting access to Cloud storage resources could get complicated. Unlike IAM, ACLs (Access Control Lists) are solely utilized by Google Cloud Storage and provide very restricted permissions. You can only provide permissions to storage buckets on a per-object basis with ACLs. As a result, you won't be able to use a uniform permission system.
Steps to Reproduce
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to Cloud Storage and select Browser. You can use this link here to navigate directly if you’re already logged in.
- Select the storage bucket you want to investigate from the list of buckets displayed and go to the CONFIGURATION tab.
- In the Permission section, check the value of Access control. If it is anything apart from Uniform, then the Uniform access level is not enabled for the selected storage bucket.
- Repeat steps 4 and 5 for all the storage buckets you want to investigate in the selected project.
- If you have multiple projects, repeat steps 2 to 6 for each project in your GCP Console.
Steps for Remediation
Determine whether or not you truly require uniform-level access to be disabled. If not, make the necessary changes to enable it using the steps below.
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to Cloud Storage and select Browser. You can use this link here to navigate directly if you’re already logged in.
- Select the storage bucket you want to investigate from the list of buckets displayed and go to the CONFIGURATION tab. (In case you aren’t sure which storage bucket needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
- In the Permission section, click on the Edit icon next to the value of Access control.
- Select the Uniform option in the Edit access control box and also check the Add project role ACLs to the bucket IAM policy. Then click SAVE to save the changes.
- Repeat steps 4 to 6 for all the clusters you want to reconfigure in the selected project.
- If you have multiple projects, repeat steps 2 to 7 for each project in your GCP console.