Cloud Storage Anonymous or Publicly Accessible
- Query id: 63ae3638-a38c-4ff4-b616-6e1f72a31a6a
- Query name: Cloud Storage Anonymous or Publicly Accessible
- Platform: GoogleDeploymentManager
- Severity: Critical
- Category: Access Control
- CWE: 1188
- URL: Github
### Description
Cloud Storage buckets must not be anonymously or publicly accessible. Concretely, no entry under the bucket's `acl` or `defaultObjectAcl` attribute may have an `entity` of `allUsers` or `allAuthenticatedUsers`: `allUsers` grants access to anyone on the internet, and `allAuthenticatedUsers` grants access to anyone holding any Google account, not just members of the project.
Documentation
### Code samples
#### Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      name: my-bucket
```
Positive test num. 2 - yaml file
```yaml
resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      name: my-bucket
      defaultObjectAcl:
        - entity: allAuthenticatedUsers
```
Positive test num. 3 - yaml file
```yaml
resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      name: my-bucket
      acl:
        - entity: allUsers
        - entity: user-liz@example.com
      defaultObjectAcl:
        - entity: allAuthenticatedUsers
        - entity: user-liz@example.com
```
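As an added example of the check this query performs (illustrative Python, not the KICS Rego query itself), the script below walks a parsed Deployment Manager template and reports every `acl` or `defaultObjectAcl` entry on a `storage.v1.bucket` resource whose `entity` is `allUsers` or `allAuthenticatedUsers`. The template is handled as the dictionary that `yaml.safe_load()` would return; the two embedded templates are constructed for this example, one mirroring positive test num. 3 above and one showing the same bucket with the public entities removed. The function name `find_public_buckets` and the finding format are this example's own choices.

```python
# Added example: detect Cloud Storage buckets in a parsed Google Deployment
# Manager template whose ACL or default object ACL grants access to
# 'allUsers' or 'allAuthenticatedUsers'. Not the KICS query; templates are
# dicts as returned by yaml.safe_load(), and the samples are constructed.

PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}
BUCKET_TYPE = "storage.v1.bucket"


def find_public_buckets(template):
    """Return one finding string per ACL entry that makes a bucket public.

    Each finding names the resource, the attribute ('acl' or
    'defaultObjectAcl'), the index of the offending entry and the entity.
    An empty list means no bucket in the template violates the rule.
    """
    findings = []
    for resource in template.get("resources") or []:
        if not isinstance(resource, dict) or resource.get("type") != BUCKET_TYPE:
            continue
        name = resource.get("name", "<unnamed>")
        props = resource.get("properties") or {}
        for attr in ("acl", "defaultObjectAcl"):
            for idx, entry in enumerate(props.get(attr) or []):
                entity = entry.get("entity") if isinstance(entry, dict) else None
                if entity in PUBLIC_ENTITIES:
                    findings.append(
                        f"{name}: properties.{attr}[{idx}].entity = {entity}"
                    )
    return findings


# Constructed sample mirroring positive test num. 3 above.
PUBLIC_BUCKET_TEMPLATE = {
    "resources": [
        {
            "name": "storage-bucket",
            "type": BUCKET_TYPE,
            "properties": {
                "name": "my-bucket",
                "acl": [
                    {"entity": "allUsers"},
                    {"entity": "user-liz@example.com"},
                ],
                "defaultObjectAcl": [
                    {"entity": "allAuthenticatedUsers"},
                    {"entity": "user-liz@example.com"},
                ],
            },
        }
    ]
}

# Constructed remediated version: the same bucket with the public entities
# removed, so only the named user keeps access.
PRIVATE_BUCKET_TEMPLATE = {
    "resources": [
        {
            "name": "storage-bucket",
            "type": BUCKET_TYPE,
            "properties": {
                "name": "my-bucket",
                "acl": [{"entity": "user-liz@example.com"}],
                "defaultObjectAcl": [{"entity": "user-liz@example.com"}],
            },
        }
    ]
}


if __name__ == "__main__":
    for label, template in (("public", PUBLIC_BUCKET_TEMPLATE),
                            ("private", PRIVATE_BUCKET_TEMPLATE)):
        results = find_public_buckets(template)
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  " + line)
```

Run against the constructed public template it reports two findings (the `allUsers` entry in `acl` and the `allAuthenticatedUsers` entry in `defaultObjectAcl`); against the remediated template it reports none. Templates with no `resources` key, or with an empty `acl`, are handled without error, which matters when the same check is applied across a directory of templates in CI.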