Cloud Storage Bucket Is Publicly Accessible

  • Query id: c010082c-76e0-4b91-91d9-6e8439e455dd
  • Query name: Cloud Storage Bucket Is Publicly Accessible
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • CWE: 285
  • URL: Github

Description

A Cloud Storage bucket whose IAM policy grants a role to allUsers or allAuthenticatedUsers is anonymously or publicly accessible.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_storage_bucket_iam_member" "positive1" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "allUsers"

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

resource "google_storage_bucket_iam_member" "positive2" {
  bucket  = google_storage_bucket.default.name
  role    = "roles/storage.admin"
  members = ["user:john@example.com", "allAuthenticatedUsers"]
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_storage_bucket_iam_member" "negative1" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "user:jane@example.com"
}

resource "google_storage_bucket_iam_member" "negative2" {
  bucket  = google_storage_bucket.default.name
  role    = "roles/storage.admin"
  members = ["user:john@example.com", "user:john@example.com"]
}
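As an added example (not part of the KICS query or its test files), a small Python checker that applies the same rule to Terraform text: it flags any google_storage_bucket_iam_member block (and, as an assumption, google_storage_bucket_iam_binding as well) whose member or members value includes allUsers or allAuthenticatedUsers, and it still reports positive1 even though that grant carries an expiry condition. The embedded HCL is a constructed copy of the samples above.

```python
import re

# Principals that make a bucket anonymously or publicly accessible.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Resource types that grant bucket-level IAM roles (assumption: both checked).
IAM_RESOURCES = {"google_storage_bucket_iam_member",
                 "google_storage_bucket_iam_binding"}

_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# Matches member = "..." or members = [...] (list may span lines).
_MEMBERS = re.compile(r'\bmembers?\s*=\s*(\[[^\]]*\]|"[^"]*")')


def resource_blocks(hcl):
    """Yield (type, name, body) per top-level resource block, tracking brace
    depth so nested blocks such as condition { ... } stay in their body."""
    for m in _HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]


def public_bucket_grants(hcl):
    """Return [(resource address, principal)] for every public grant.
    A condition block (e.g. an expiry) does not suppress the finding."""
    findings = []
    for rtype, name, body in resource_blocks(hcl):
        if rtype not in IAM_RESOURCES:
            continue
        for value in _MEMBERS.findall(body):
            for principal in re.findall(r'"([^"]*)"', value):
                if principal in PUBLIC_PRINCIPALS:
                    findings.append((f"{rtype}.{name}", principal))
    return findings


# Constructed sample mirroring the page's positive1, positive2 and negative1.
SAMPLE_TF = r'''
resource "google_storage_bucket_iam_member" "positive1" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "allUsers"
  condition {
    title      = "expires_after_2019_12_31"
    expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}
resource "google_storage_bucket_iam_member" "positive2" {
  bucket  = google_storage_bucket.default.name
  role    = "roles/storage.admin"
  members = ["user:john@example.com", "allAuthenticatedUsers"]
}
resource "google_storage_bucket_iam_member" "negative1" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "user:jane@example.com"
}
'''
```

Running `public_bucket_grants(SAMPLE_TF)` reports positive1 (allUsers) and positive2 (allAuthenticatedUsers) and nothing for negative1.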