Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
GCP Terraform Misconfiguration: Cloud Storage Bucket Uniform Access Disabled
Abstract
A Terraform configuration sets up a Google Storage Bucket that allows the use of Access Control Lists for controlling permissions.
Explanation
Mismanagement of permissions increases the risk of unauthorized access to, or modification of, restricted data.
To define user permissions for buckets and the objects in them, Google Cloud Storage offers two systems: Access Control Lists (ACLs) and Identity and Access Management (IAM). IAM is used throughout Google Cloud, whereas ACLs are specific to Cloud Storage. On a bucket where ACLs are still enabled (fine-grained access), a grant made through either system is sufficient to access an object, so reviewing the IAM policy alone does not tell you who can read or write the data. Enabling uniform bucket-level access disables ACLs for the bucket, which ensures that IAM is the only system that grants access to it. Once it is enabled, ACL-based grants (such as google_storage_bucket_acl and google_storage_object_acl resources in the same configuration) no longer take effect and must be re-expressed as IAM bindings, and the bucket can be switched back to fine-grained access only within 90 days. The organization policy constraint described in [3] can be used to require uniform bucket-level access on all new buckets in an organization, folder, or project.
Example 1: The following Terraform configuration permits using ACLs alongside IAM to grant access to the storage bucket by setting uniform_bucket_level_access to false.
resource "google_storage_bucket" "bucket-demo" {
...
uniform_bucket_level_access = false
...
}
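As an added example (not part of the original page and not code from the Terraform provider), the following Python script scans a Terraform file for google_storage_bucket resources and reports which ones still allow ACLs, either because uniform_bucket_level_access is set to false or because the argument is omitted and the provider default is being relied on. The HCL embedded in SAMPLE_TF is constructed for this example and places the vulnerable resource next to the corrected one. The scanner is a lightweight regex pass over the block bodies, not a full HCL parser, so it assumes the argument is written on its own line as `uniform_bucket_level_access = true` or `= false`.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: one bucket that disables uniform access, one that omits the
# argument, and one that sets it correctly.
SAMPLE_TF = '''
# Vulnerable: ACLs can still grant access alongside IAM
resource "google_storage_bucket" "acl_bucket" {
  name     = "example-acl-bucket"
  location = "US"
  uniform_bucket_level_access = false
}

# Not set: the provider default applies, so the intent is not recorded in code
resource "google_storage_bucket" "default_bucket" {
  name     = "example-default-bucket"
  location = "US"
  versioning {
    enabled = true
  }
}

# Fixed: IAM is the only system that can grant access to this bucket
resource "google_storage_bucket" "iam_only_bucket" {
  name     = "example-iam-bucket"
  location = "US"
  uniform_bucket_level_access = true
}
'''

# Opening line of a google_storage_bucket resource; captures the resource name.
RESOURCE_RE = re.compile(r'resource\s+"google_storage_bucket"\s+"([^"]+)"\s*\{')
# The argument written on its own line inside the block (comment lines do not match).
UBLA_RE = re.compile(r'^\s*uniform_bucket_level_access\s*=\s*(true|false)\b', re.MULTILINE)


def extract_bucket_blocks(hcl: str) -> Dict[str, str]:
    """Return {resource_name: block_body} for every google_storage_bucket resource.

    The body is found by brace counting from the opening '{', so nested blocks
    such as versioning { ... } stay inside the body of the bucket they belong to.
    """
    blocks: Dict[str, str] = {}
    for match in RESOURCE_RE.finditer(hcl):
        depth, i = 1, match.end()
        while i < len(hcl) and depth:
            if hcl[i] == "{":
                depth += 1
            elif hcl[i] == "}":
                depth -= 1
            i += 1
        blocks[match.group(1)] = hcl[match.end():i - 1]
    return blocks


def check_uniform_access(hcl: str) -> List[dict]:
    """One finding per bucket: value is True/False as written, or None if absent."""
    findings = []
    for name, body in extract_bucket_blocks(hcl).items():
        m = UBLA_RE.search(body)
        value: Optional[bool] = None if m is None else (m.group(1) == "true")
        if value is None:
            reason = "uniform_bucket_level_access not set; provider default applies, ACLs may be enabled"
        elif value is False:
            reason = "uniform_bucket_level_access = false; ACLs can grant access alongside IAM"
        else:
            reason = "uniform bucket-level access enabled; IAM is the only access control system"
        findings.append({"resource": name, "value": value, "compliant": value is True, "reason": reason})
    return findings


def noncompliant_resources(hcl: str) -> List[str]:
    """Names of buckets that should be fixed before the configuration is applied."""
    return [f["resource"] for f in check_uniform_access(hcl) if not f["compliant"]]


if __name__ == "__main__":
    for finding in check_uniform_access(SAMPLE_TF):
        status = "OK  " if finding["compliant"] else "FAIL"
        print(f"{status} {finding['resource']}: {finding['reason']}")
```

Running the script on SAMPLE_TF flags acl_bucket and default_bucket and passes iam_only_bucket. Treating an omitted argument as a finding is deliberate: the safe state should be explicit in code rather than inherited from a provider default or an organization policy that may not be enforced in every project. For a bucket that already exists, `gsutil uniformbucketlevelaccess get gs://BUCKET` reports whether the setting is enabled on the live resource, independent of what the Terraform state says.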
References
[1] HashiCorp google_storage_bucket
[2] Google Cloud Uniform bucket-level access
[3] Google Cloud Organization policy constraints for Cloud Storage
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 5.2
[5] Standards Mapping - Common Weakness Enumeration CWE ID 284
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002121
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.4 Access Control Architectural Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002880 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002880 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002880 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002880 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002880 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002880 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_storage_bucket_uniform_access_disabled