GCS Public Buckets

Description

Google Cloud Storage (GCS) buckets become public when IAM bindings grant allUsers or allAuthenticatedUsers roles (e.g., roles/storage.objectViewer) or when legacy object ACLs remain after enabling uniform bucket-level access (UBLA). Missing Public Access Prevention, permissive retention/hold settings, and overly broad signed URLs further increase exposure and persistence risk.

Examples

Inspect IAM Policy

gsutil iam get gs://<bucket>
gsutil ls -L -b gs://<bucket> | sed -n '1,120p'   # shows UBLA, PAP, retention
gsutil ubla get gs://<bucket>
gcloud storage buckets describe gs://<bucket> \
  --format='value(iamConfiguration.publicAccessPrevention,iamConfiguration.uniformBucketLevelAccess.enabled)'

Look for members allUsers or allAuthenticatedUsers.

Test Anonymous Access

curl -I https://storage.googleapis.com/<bucket>/<object>
curl -I https://storage.cloud.google.com/<bucket>/<object>

A 200 response without credentials indicates public access; a 302 counts only if it redirects to the object itself, not to a Google sign-in page (storage.cloud.google.com redirects unauthenticated requests for private objects to login).

Remediation

  1. Remove public access and legacy ACLs
    • gsutil iam ch -d allUsers:objectViewer gs://<bucket> (and allAuthenticatedUsers if present).
    • Enable UBLA so legacy object ACLs no longer apply: gsutil ubla set on gs://<bucket>.
  2. Enforce Public Access Prevention (PAP)
    • gcloud storage buckets update gs://<bucket> --public-access-prevention (or via org policy at org/folder level).
  3. Least-privilege sharing
    • Use per-principal IAM; prefer short-lived signed URLs with IP/expiry constraints for limited access.
  4. Governance and monitoring
    • Set retention policies/legal holds appropriately; create SCC/Cloud Asset/Access Approval alerts for public exposures.
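The inspection step above (looking for allUsers / allAuthenticatedUsers in the IAM policy alongside the PAP and UBLA settings) and the first two remediation steps can be combined into one audit. The following is an added example, not part of the original note; it consumes documents in the shape of `gsutil iam get` and `gcloud storage buckets describe --format=json` output, and the sample policy and config it embeds are constructed.

```python
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: dict) -> list:
    """Return (member, role) pairs granting access to anonymous or any-Google-account principals."""
    return [(m, b["role"]) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]


def audit_bucket(name: str, policy: dict, config: dict) -> dict:
    """Combine IAM policy and bucket config into findings plus remediation commands."""
    iam_cfg = config.get("iamConfiguration", {})
    pap_enforced = iam_cfg.get("publicAccessPrevention") == "enforced"
    ubla_on = bool(iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"))
    grants = public_bindings(policy)
    fixes = []
    for member, role in grants:
        # gsutil iam ch -d wants the short role name (objectViewer), not roles/storage.objectViewer
        short_role = role.split("/")[-1].removeprefix("storage.")
        fixes.append(f"gsutil iam ch -d {member}:{short_role} gs://{name}")
    if not ubla_on:   # UBLA retires legacy object ACLs that can survive IAM cleanup
        fixes.append(f"gsutil ubla set on gs://{name}")
    if not pap_enforced:   # PAP blocks allUsers/allAuthenticatedUsers even if a binding is re-added
        fixes.append(f"gcloud storage buckets update gs://{name} --public-access-prevention")
    return {
        "bucket": name,
        "public_grants": grants,
        "public_access_prevention": pap_enforced,
        "uniform_bucket_level_access": ubla_on,
        # PAP, when enforced, neutralises public bindings, so only the unprotected case is exposed
        "is_public": bool(grants) and not pap_enforced,
        "remediation": fixes,
    }


# Constructed sample documents in the shape of `gsutil iam get` and
# `gcloud storage buckets describe --format=json` output (not from a real bucket).
SAMPLE_POLICY = json.loads('{"bindings": ['
    '{"role": "roles/storage.objectViewer", "members": ["allUsers"]}, '
    '{"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]}')
SAMPLE_CONFIG = {"name": "example-bucket", "iamConfiguration": {
    "publicAccessPrevention": "inherited",
    "uniformBucketLevelAccess": {"enabled": False}}}

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-bucket", SAMPLE_POLICY, SAMPLE_CONFIG), indent=2))
```

To run it against a real bucket, feed it the JSON from the two commands in the Inspect IAM Policy section instead of the constructed samples.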