Cloud Storage Anonymous or Publicly Accessible

  • Query id: 086031e1-9d4a-4249-acb3-5bfe4c363db2
  • Query name: Cloud Storage Anonymous or Publicly Accessible
  • Platform: Ansible
  • Severity: High
  • Category: Access Control
  • URL: Github

Description

Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
- name: create a bucket1
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    default_object_acl:
      bucket: bucketName1
      entity: allUsers
      role: READER
- name: create a bucket2
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module2
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    acl:
      bucket: bucketName2
      entity: allAuthenticatedUsers
    default_object_acl:
      bucket: bucketName2
      entity: allUsers
      role: READER
- name: create a bucket3
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module3
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
- name: create a bucket
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    acl:
      bucket: bucketName
      entity: group-example@googlegroups.com