Ensure that uniform bucket-level access is enabled for all your Google Cloud Storage buckets. With this level of access, object access is controlled entirely through bucket-level permissions (IAM) to ensure uniform access to all the objects within a storage bucket.
Google Cloud Storage provides two systems for granting users permission to access your storage buckets and objects: Identity and Access Management (IAM) and Access Control Lists (ACLs). These systems function in parallel, and for a user to access a Cloud Storage resource, only one of them needs to grant the permission. In practice this means an object ACL (for example, one granting read access to allUsers) can expose an object even when the bucket's IAM policy does not, so as long as ACLs are in force the IAM policy alone does not tell you who can read a bucket's contents. IAM is used throughout Google Cloud Platform (GCP) and allows you to grant a variety of permissions at the project and bucket level (uniform). ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis (fine-grained). Enabling the uniform bucket-level access feature disables ACLs for all Cloud Storage resources (buckets and objects) so that access is granted exclusively through IAM. The feature also unifies and simplifies how you grant access to your Cloud Storage resources. By default, Google Cloud Storage buckets do not have the uniform bucket-level access feature enabled.
Note: If you enable uniform bucket-level access, you revoke access from users who get their access exclusively through object ACLs. Certain Google Cloud Platform (GCP) services, such as Cloud Audit Logs and Datastore, cannot export to Cloud Storage buckets that have uniform bucket-level access enabled.
To determine the type of access control configured for your Google Cloud Storage buckets, perform the following actions:
Remediation / Resolution
To ensure uniform access to all the objects available within your Google Cloud Storage buckets, enable the uniform bucket-level access feature by performing the following actions:
Note: After you enable uniform bucket-level access, you have 90 days to switch back to fine-grained access control if you still need to configure access to individual objects; once that window closes the bucket cannot be switched back.
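The script below is an added example, not part of the original page and not Google's own tooling; it shows the audit step and the remediation step together. It works on bucket resources in the shape the Cloud Storage JSON API returns from storage.buckets.list or buckets.get, where the relevant fields are iamConfiguration.uniformBucketLevelAccess.enabled and lockedTime (the instant after which the feature can no longer be disabled). How the resources are fetched (a REST call or a client library) is assumed to happen elsewhere; SAMPLE_BUCKETS is constructed test data standing in for that output, and the bucket names in it are made up.

```python
"""Audit Cloud Storage buckets for uniform bucket-level access (UBLA).

Added example, not from the original page or from Google. Input is a list
of bucket resources in the Cloud Storage JSON API shape; fetching them is
assumed to be done elsewhere. SAMPLE_BUCKETS is constructed test data.
"""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: three buckets in the JSON API resource shape.
SAMPLE_BUCKETS = [
    {   # compliant, and still inside the 90-day revert window
        "name": "app-uploads",
        "iamConfiguration": {
            "uniformBucketLevelAccess": {
                "enabled": True,
                "lockedTime": "2099-01-01T00:00:00.000Z",
            }
        },
    },
    {   # non-compliant: ACLs are still in force
        "name": "legacy-exports",
        "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
    },
    {   # non-compliant: older resource with no iamConfiguration block at all
        "name": "scratch-2018",
    },
]

# Fixed "now" so the revert-window check is reproducible.
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def ubla_enabled(bucket: dict) -> bool:
    """True only if the resource explicitly reports UBLA as enabled.

    A missing iamConfiguration block is treated as disabled (fail closed):
    if the API does not say the feature is on, ACLs must be assumed active.
    """
    return bool(
        bucket.get("iamConfiguration", {})
        .get("uniformBucketLevelAccess", {})
        .get("enabled", False)
    )


def revert_window_open(bucket: dict, now: datetime) -> Optional[bool]:
    """Whether fine-grained access can still be restored on this bucket.

    lockedTime is the RFC 3339 instant after which UBLA cannot be disabled.
    Returns None when UBLA is off (there is nothing to revert).
    """
    cfg = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    if not cfg.get("enabled"):
        return None
    locked = cfg.get("lockedTime")
    if locked is None:
        return False  # lock time unknown: assume it can no longer be reverted
    locked_at = datetime.fromisoformat(locked.replace("Z", "+00:00"))
    return now < locked_at


def audit(buckets, now=None):
    """Return one finding per bucket: (name, PASS|FAIL, detail).

    For a failing bucket the detail is the gcloud command that enables UBLA
    (a real gcloud flag); the bucket name is taken from the resource.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for b in buckets:
        name = b["name"]
        if ubla_enabled(b):
            note = ("revert window open" if revert_window_open(b, now)
                    else "revert window closed")
            findings.append((name, "PASS", note))
        else:
            findings.append((name, "FAIL",
                f"gcloud storage buckets update gs://{name} "
                "--uniform-bucket-level-access"))
    return findings


def non_compliant(buckets):
    """Names of buckets that still allow ACL-based access."""
    return [n for n, status, _ in audit(buckets) if status == "FAIL"]


if __name__ == "__main__":
    for name, status, detail in audit(SAMPLE_BUCKETS, FIXED_NOW):
        print(f"{status:4} {name:20} {detail}")
```

Run it against the real output of a buckets listing for every project returned by gcloud projects list. The equivalent gsutil remediation is gsutil uniformbucketlevelaccess set on gs://BUCKET; gsutil uniformbucketlevelaccess set off reverts the change, but only while the window reported by lockedTime is still open.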
- Google Cloud Platform (GCP) Documentation
- Uniform bucket-level access
- Using uniform bucket-level access
- gsutil iam - Get, set, or change bucket and/or object IAM permissions.
- CIS Security Documentation
- Securing Google Cloud Computing Platform
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
Rule: Enable Uniform Bucket-Level Access for Cloud Storage Buckets
Risk level: Medium