Cloud Storage Anonymous or Publicly Accessible

• Query id: 63ae3638-a38c-4ff4-b616-6e1f72a31a6a
• Query name: Cloud Storage Anonymous or Publicly Accessible
• Platform: GoogleDeploymentManager
• Severity: Critical
• Category: Access Control
• CWE: 1188
• URL: Github

Description

Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      name: my-bucket

Positive test num. 2 - yaml file

resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      name: my-bucket
      defaultObjectAcl:
        - entity: allAuthenticatedUsers

Positive test num. 3 - yaml file

resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      name: my-bucket
      acl:
        - entity: allUsers
        - entity: user-liz@example.com
      defaultObjectAcl:
        - entity: allAuthenticatedUsers
        - entity: user-liz@example.com

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      name: my-bucket
      acl:
        - entity: user-liz@example.com
      defaultObjectAcl:
        - entity: user-liz@example.com