Cloud Storage – Restrict Public Access
This check ensures that public access to Cloud Storage buckets is disabled. Restricting public access prevents unauthorized data exposure and accidental data leaks.
Check Details
- Resource: Storage
- Check: Prevent Public Access to Storage Bucket.
- Risk: Publicly accessible buckets may expose sensitive or confidential data to unauthorized users, leading to data breaches and compliance violations.
Remediation via Google Cloud Console
- Log in to the Google Cloud Console and navigate to Buckets.
- Click on the affected bucket name to open the bucket details page.
- Navigate to the Permissions tab.
- Identify any role bindings assigned to allUsers or allAuthenticatedUsers.
- Click Delete next to each allUsers or allAuthenticatedUsers entry to remove public access.
Remediation via Google Cloud CLI
- Open the Google Cloud Console and launch Cloud Shell.
- Remove anonymous public access from the bucket:
  gsutil iam ch -d allUsers gs://<BUCKET_NAME>
- Remove authenticated public access from the bucket:
  gsutil iam ch -d allAuthenticatedUsers gs://<BUCKET_NAME>
Replace <BUCKET_NAME> with the name of the affected Cloud Storage bucket.
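The detection logic behind this check, as an added example that is not part of the original article: it reads a bucket IAM policy in the JSON shape that gsutil iam get gs://<BUCKET_NAME> prints, reports every role granted to allUsers or allAuthenticatedUsers, and produces the hardened policy that the two gsutil iam ch -d commands above leave behind. The sample policy, project name and user e-mail are constructed for the example.

```python
"""Find and strip public principals (allUsers / allAuthenticatedUsers) from a
Cloud Storage bucket IAM policy in the JSON shape printed by `gsutil iam get`."""
import json
from typing import Dict, List, Tuple

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not from a real bucket). The objectViewer and
# objectCreator bindings are the public-access findings this check flags.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/storage.objectCreator",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "CAE="
}
"""
SAMPLE_POLICY: Dict = json.loads(SAMPLE_POLICY_JSON)


def find_public_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs that grant a role to a public principal."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]


def remove_public_bindings(policy: Dict) -> Dict:
    """Return a copy of the policy with public principals removed. Non-public
    members and any IAM condition on a binding are kept; a binding left with no
    members is dropped. The etag is preserved for use with a later policy set."""
    hardened = {k: v for k, v in policy.items() if k != "bindings"}
    hardened["bindings"] = []
    for b in policy.get("bindings", []):
        kept = [m for m in b.get("members", []) if m not in PUBLIC_MEMBERS]
        if kept:
            hardened["bindings"].append({**b, "members": kept})
    return hardened


if __name__ == "__main__":
    for role, member in find_public_bindings(SAMPLE_POLICY):
        print(f"FINDING: {member} is granted {role}")
    print(json.dumps(remove_public_bindings(SAMPLE_POLICY), indent=2))
```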
Prevention
You can prevent Cloud Storage buckets from becoming publicly accessible by enforcing the Domain Restricted Sharing organization policy.
Configure the policy from:
IAM & Admin → Organization Policies → Domain restricted sharing
Default Value
By default, Google Cloud Storage buckets are not publicly accessible and do not allow anonymous access unless explicitly configured.