Cloud Storage Anonymous or Publicly Accessible
- Query id: 086031e1-9d4a-4249-acb3-5bfe4c363db2
- Query name: Cloud Storage Anonymous or Publicly Accessible
- Platform: Ansible
- Severity: Critical
- Category: Access Control
- CWE: 732
- URL: Github
Description¶
Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
- name: create a bucket1
google.cloud.gcp_storage_bucket:
name: ansible-storage-module1
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
default_object_acl:
bucket: bucketName1
entity: allUsers
role: READER
- name: create a bucket2
google.cloud.gcp_storage_bucket:
name: ansible-storage-module2
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
acl:
bucket: bucketName2
entity: allAuthenticatedUsers
default_object_acl:
bucket: bucketName2
entity: allUsers
role: READER
- name: create a bucket3
google.cloud.gcp_storage_bucket:
name: ansible-storage-module3
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
- name: create a bucket
google.cloud.gcp_storage_bucket:
name: ansible-storage-module
project: test_project
auth_kind: serviceaccount
service_account_file: /tmp/auth.pem
state: present
acl:
bucket: bucketName
entity: group-example@googlegroups.com