Cloud Storage Bucket Is Publicly Accessible
- Query id: c010082c-76e0-4b91-91d9-6e8439e455dd
- Query name: Cloud Storage Bucket Is Publicly Accessible
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
Description
A Cloud Storage bucket whose IAM policy grants a role to `allUsers` (anyone on the internet, no authentication required) or `allAuthenticatedUsers` (any Google account) is anonymously or publicly accessible.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```hcl
resource "google_storage_bucket_iam_member" "positive1" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "allUsers" # anonymous principal: the bucket becomes publicly accessible

  # An expiry condition narrows when the grant applies, not who it applies to
  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

# `members` (a list) is an argument of google_storage_bucket_iam_binding, not of
# google_storage_bucket_iam_member, which takes a single `member`; the resource
# type is corrected here so the sample is valid HCL
resource "google_storage_bucket_iam_binding" "positive2" {
  bucket  = google_storage_bucket.default.name
  role    = "roles/storage.admin"
  members = ["user:john@example.com", "allAuthenticatedUsers"] # any signed-in Google account
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```hcl
resource "google_storage_bucket_iam_member" "negative1" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "user:jane@example.com" # a single named principal
}

# Corrected to google_storage_bucket_iam_binding, the resource that takes a
# `members` list; only named principals are granted, so the bucket stays private
resource "google_storage_bucket_iam_binding" "negative2" {
  bucket  = google_storage_bucket.default.name
  role    = "roles/storage.admin"
  members = ["user:john@example.com", "user:john@example.com"]
}
```
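To catch the same condition before `terraform apply`, here is an added example (not the KICS query or the page's own code) that scans `terraform show -json` plan output for bucket IAM grants to `allUsers` or `allAuthenticatedUsers`. The plan dict below is constructed to mirror the samples above, and the `_change` helper is a hypothetical test-data builder.

```python
# Principals that make any IAM grant anonymous or public (the page's criterion)
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Bucket-level IAM resources and the argument that carries their principal(s)
PRINCIPAL_ARG = {
    "google_storage_bucket_iam_member": "member",    # one principal (string)
    "google_storage_bucket_iam_binding": "members",  # list of principals
}


def find_public_bucket_grants(plan):
    """Return [(address, principal)] for grants to public principals in a
    `terraform show -json` plan dict; destroyed resources (after=null) are skipped."""
    findings = []
    for rc in plan.get("resource_changes", []):
        arg = PRINCIPAL_ARG.get(rc.get("type"))
        after = rc.get("change", {}).get("after")
        if arg is None or not after:
            continue
        principals = after.get(arg)
        if isinstance(principals, str):  # iam_member: single string
            principals = [principals]
        for principal in principals or []:
            if principal in PUBLIC_PRINCIPALS:
                findings.append((rc["address"], principal))
    return findings


def _change(address, after, action="create"):
    """Build one constructed resource_changes entry (test data, not real output)."""
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": [action], "after": after}}


# Constructed plan mirroring the page's samples; a condition block does not make
# an allUsers grant any less public, so positive1 must still be reported
SAMPLE_PLAN = {"resource_changes": [
    _change("google_storage_bucket_iam_member.positive1",
            {"member": "allUsers", "role": "roles/storage.admin",
             "condition": [{"expression": 'request.time < timestamp("2020-01-01T00:00:00Z")'}]}),
    _change("google_storage_bucket_iam_binding.positive2",
            {"members": ["user:john@example.com", "allAuthenticatedUsers"],
             "role": "roles/storage.admin"}),
    _change("google_storage_bucket_iam_member.negative1",
            {"member": "user:jane@example.com", "role": "roles/storage.admin"}),
    _change("google_storage_bucket_iam_member.removed", None, action="delete"),
]}

if __name__ == "__main__":
    for address, principal in find_public_bucket_grants(SAMPLE_PLAN):
        print(f"HIGH: {address} grants bucket access to {principal}")
```

Run it against a real plan with `terraform show -json tfplan | python3 -c 'import json,sys; ...'` by feeding the parsed JSON to `find_public_bucket_grants`; a non-empty result is a blocking finding for a CI gate.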