Ensure GCP cloud storage bucket with uniform bucket-level access are enabled

Error: GCP cloud storage bucket with uniform bucket-level access are disabled

Bridgecrew Policy ID: BC_GCP_GCS_2
Checkov Check ID: CKV_GCP_29
Severity: MEDIUM

GCP cloud storage bucket with uniform bucket-level access are disabled

Description

For a user to access a Cloud Storage resource only one of the systems needs to grant the user permission. Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at bucket and project levels. ACLs have limited permission options, are used only by Cloud Storage, and allow you to grant permissions on a per-object basis.

Cloud Storage has uniform bucket-level access that supports a uniform permissioning system. Using this feature disables ACLs for all Cloud Storage resources. Access to Cloud Storage resources is granted exclusively through Cloud IAM. Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible, no object in the bucket is publicly accessible.

We recommend you enable uniform bucket-level access on Cloud Storage buckets. Uniform bucket-level access is used to unify and simplify how you grant access to your Cloud Storage resources. Cloud Storage offers two systems that act in parallel for granting users permission to access your buckets and objects:

  • Cloud Identity and Access Management (Cloud IAM)
  • Access Control Lists (ACLs).

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Cloud Storage.
  3. From the list of buckets, select the name of the desired bucket.
  4. Near the top of the page, click the Permissions tab.
  5. In the text box that begins This bucket uses fine-grained access control, click Edit.
  6. A pop-up menu opens. Select Uniform.
  7. Click Save.

CLI Command

Set the option to on for uniformbucketlevelaccess, using the following command:
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/

Fix - Buildtime

Terraform

  • Resource: google_storage_bucket
  • Argument: uniform_bucket_level_access is set to true,
resource "google_storage_bucket" "examplea" {
    name     = "terragoat-${var.environment}"
    bucket_policy_only = true
 +   uniform_bucket_level_access = true
}