Cloud Storage Anonymous or Publicly Accessible
- Query id: a6cd52a1-3056-4910-96a5-894de9f3f3b3
- Query name: Cloud Storage Anonymous or Publicly Accessible
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
Description¶
Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
#this is a problematic code where the query should report a result(s)
resource "google_storage_bucket_iam_binding" "positive1" {
bucket = google_storage_bucket.default.name
role = "roles/storage.admin"
members = []
}
resource "google_storage_bucket_iam_binding" "positive2" {
bucket = google_storage_bucket.default.name
role = "roles/storage.admin"
members = ["user:jane@example.com","allUsers"]
}
resource "google_storage_bucket_iam_binding" "positive3" {
bucket = google_storage_bucket.default.name
role = "roles/storage.admin"
members = ["user:jane@example.com", "allAuthenticatedUsers"]
}