Enforce Uniform Bucket-Level Access at Organization Level
More Info:
Ensure that “Enforce uniform bucket-level access” policy is enabled for your Google Cloud Platform (GCP) organization in order to enforce uniform bucket-level access for all Google Cloud Storage buckets available in your organization.
Risk Level
Medium
Address
Operational Maturity, Reliability, Security
Compliance Standards
CISGCP, CBP, HIPAA, ISO27001
Remediation
Using Console
To remediate the misconfiguration of not enforcing uniform bucket-level access at the organization level in GCP, you can follow these steps:
- Open the Google Cloud Console and navigate to the Cloud Storage page.
- Select the bucket for which you want to enforce uniform bucket-level access.
- Click on the “Edit Bucket Permissions” button.
- Under the “Uniform bucket-level access” section, select the “Enforced” option.
- Click on the “Save” button to apply the changes.
Once you have enforced uniform bucket-level access at the organization level, all objects in the bucket will inherit the bucket’s access control settings. This will help prevent accidental data leaks or unauthorized access to your data.
Using CLI
To remediate the misconfiguration “Enforce Uniform Bucket-Level Access at Organization Level” for GCP using GCP CLI, follow the below steps:
-
Open the Cloud Shell in the GCP Console.
-
Run the following command to set the organization policy constraint for enforcing uniform bucket-level access:
gcloud resource-manager org-policies set-policy constraint/compute.requireUniformBucketLevelAccess \ --project=[PROJECT_ID] \ --policy-file=- <<EOF { "booleanPolicy": { "enforced": true } } EOFNote: Replace [PROJECT_ID] with the ID of the project in which the policy constraint should be set.
-
Verify that the policy constraint has been set by running the following command:
gcloud resource-manager org-policies describe compute.requireUniformBucketLevelAccess \ --project=[PROJECT_ID]Note: Replace [PROJECT_ID] with the ID of the project in which the policy constraint should be set.
-
Repeat the above steps for all the projects in the GCP organization to ensure that uniform bucket-level access is enforced across all the projects.
By following the above steps, you can remediate the misconfiguration “Enforce Uniform Bucket-Level Access at Organization Level” for GCP using GCP CLI.
Using Python
To remediate the “Enforce Uniform Bucket-Level Access at Organization Level” misconfiguration in GCP, you can use the following steps in Python:
- Import the necessary libraries:
from google.cloud import storage
from google.oauth2 import service_account
- Set up the credentials for your GCP account:
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
- Initialize the storage client:
storage_client = storage.Client(project='<your_project_id>', credentials=credentials)
- Get the list of all buckets in the project:
buckets = list(storage_client.list_buckets())
- For each bucket, check if Uniform Bucket-Level Access is enabled:
for bucket in buckets:
bucket_name = bucket.name
bucket_obj = storage_client.bucket(bucket_name)
bucket_policy = bucket_obj.get_iam_policy(requested_policy_version=3)
if bucket_policy.uniform_bucket_level_access_enabled:
print(f"Uniform Bucket-Level Access is already enabled for bucket {bucket_name}")
else:
print(f"Enabling Uniform Bucket-Level Access for bucket {bucket_name}")
bucket_policy.uniform_bucket_level_access_enabled = True
bucket_obj.set_iam_policy(bucket_policy)
- Run the above script to enable Uniform Bucket-Level Access for all the buckets in the project.
Note: Make sure you have the necessary permissions to modify the IAM policies for the buckets.