Skip to main content

More Info:

Ensure that cloud Storage buckets have uniform bucket-level access enabled

Risk Level

Low

Address

Security

Compliance Standards

CISGCP, CBP, HIPAA, ISO27001, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the “Buckets Should Have Uniform Access” misconfiguration in GCP using the GCP console, follow these steps:
  1. Open the GCP console and navigate to the Cloud Storage section.
  2. Select the bucket that you want to remediate.
  3. Click on the “Edit bucket permissions” button.
  4. Under the “Bucket Policy Only” section, select “Uniform” access.
  5. Click on the “Save” button to apply the changes.
After completing these steps, your GCP bucket will have uniform access. This means that all requests to the bucket will be evaluated against the same set of permissions, regardless of the request source. This helps to ensure that your bucket is secure and that access is granted only to authorized users.

To remediate the “Buckets Should Have Uniform Access” misconfiguration for GCP using GCP CLI, follow these steps:
  1. Open the Google Cloud Console and go to the Cloud Shell.
  2. Run the following command to list all the buckets in your project: 
    gsutil ls
  3. Identify the bucket that has non-uniform access.
  4. Run the following command to enable uniform access for the identified bucket: 
    gsutil uniformbucketlevelaccess set on gs://[BUCKET_NAME]
    Replace [BUCKET_NAME] with the name of the identified bucket.
  5. Verify that uniform access has been enabled for the bucket by running the following command: 
    gsutil bucketpolicyonly get gs://[BUCKET_NAME]
    Replace [BUCKET_NAME] with the name of the identified bucket. The output should show that uniform access is enabled for the bucket.
  6. Repeat the above steps for any other buckets that have non-uniform access.
By following these steps, you will be able to remediate the “Buckets Should Have Uniform Access” misconfiguration for GCP using GCP CLI.
To remediate the “Buckets Should Have Uniform Access” misconfiguration in GCP using Python, you can follow these steps:
  1. Install the Google Cloud Storage library for Python using pip: 
    pip install google-cloud-storage
  2. Authenticate with your GCP account and project by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your service account key file: 
    export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account_key.json
  3. Use the google-cloud-storage library to get a list of all the buckets in your project: 
    from google.cloud import storage

client = storage.Client()
buckets = client.list_buckets()
  4. For each bucket, check if Uniform Bucket-Level Access is enabled by calling the get_iam_policy method and checking if the uniformBucketLevelAccess key is present in the returned policy: 
    for bucket in buckets:
    policy = bucket.get_iam_policy(requested_policy_version=3)
    if 'uniformBucketLevelAccess' not in policy:
        # Uniform Bucket-Level Access is not enabled
        # Remediate by enabling Uniform Bucket-Level Access
        bucket.iam_configuration.uniform_bucket_level_access_enabled = True
        bucket.patch()
  5. After enabling Uniform Bucket-Level Access for all buckets, verify that the misconfiguration has been remediated by checking the IAM policy for each bucket again: 
    for bucket in buckets:
    policy = bucket.get_iam_policy(requested_policy_version=3)
    if 'uniformBucketLevelAccess' not in policy:
        # Remediation failed
        # Raise an exception or log an error message
By following these steps, you can use Python to remediate the “Buckets Should Have Uniform Access” misconfiguration in GCP.
I