Cloud Storage buckets are assessed for anonymous or public access by detecting IAM permissions granted to the broad principals allUsers (anyone on the internet, no authentication) or allAuthenticatedUsers (any Google account holder), which make bucket data reachable by anyone outside the organization.
Risk
Public buckets undermine confidentiality and integrity: anyone can list or download objects, and if write access is also granted, content can be overwritten or deleted. Abuse of a public bucket also enables hotlinking and malware hosting, which degrades availability and drives unexpected egress costs.
prowler gcp --checks cloudstorage_bucket_public_access
Recommendation
Adopt least privilege: remove allUsers/allAuthenticatedUsers and grant only required identities. Enforce Public Access Prevention and use uniform bucket-level access. If external sharing is needed, issue signed URLs or use an authenticated proxy/CDN, and review permissions regularly.
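The following is an added example, not Prowler's own check code. It evaluates a bucket offline from two inputs shaped like the Cloud Storage JSON API responses: the IAM policy returned by buckets.getIamPolicy ({"bindings": [{"role": ..., "members": [...]}]}) and the bucket resource's iamConfiguration (publicAccessPrevention and uniformBucketLevelAccess.enabled). It flags the public principals the check looks for, notes whether Public Access Prevention already neutralises them, escalates when the public role can write, and lists the remediation steps from the recommendation above. The sample buckets and the set of roles treated as write-capable are constructed assumptions.

```python
"""Offline assessment of Cloud Storage bucket public exposure (added example).

Inputs mirror the Cloud Storage JSON API: buckets.getIamPolicy for the policy
and the bucket resource's iamConfiguration for PAP / UBLA state.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Assumption: roles that let the holder create, overwrite or delete objects.
WRITE_ROLES = {
    "roles/storage.objectCreator",
    "roles/storage.objectUser",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner",
}


@dataclass
class Finding:
    bucket: str
    public_bindings: List[Tuple[str, str]]  # (principal, role) pairs
    pap_enforced: bool
    ubla_enabled: bool

    @property
    def public_write(self) -> bool:
        """True when a public principal holds a role that can modify objects."""
        return any(role in WRITE_ROLES for _, role in self.public_bindings)

    @property
    def status(self) -> str:
        # PAP "enforced" blocks allUsers/allAuthenticatedUsers even if a binding
        # is still present, so the bucket is only effectively public when a
        # public binding exists AND PAP is not enforced.
        return "FAIL" if self.public_bindings and not self.pap_enforced else "PASS"

    def remediation(self) -> List[str]:
        """Least-privilege steps: drop public grants, enforce PAP, enable UBLA."""
        steps = [f"remove {role} from {principal}" for principal, role in self.public_bindings]
        if not self.pap_enforced:
            steps.append("set publicAccessPrevention=enforced")
        if not self.ubla_enabled:
            steps.append("enable uniform bucket-level access")
        return steps


def public_bindings(policy: dict) -> List[Tuple[str, str]]:
    """Return (principal, role) pairs granted to allUsers/allAuthenticatedUsers."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((member, binding["role"]))
    return found


def assess_bucket(name: str, metadata: dict, policy: dict) -> Finding:
    """Combine IAM bindings with the bucket's iamConfiguration into one finding."""
    iam_cfg = metadata.get("iamConfiguration", {})
    # The API reports "enforced" or "inherited"; a missing field is treated as not enforced.
    pap_enforced = iam_cfg.get("publicAccessPrevention") == "enforced"
    ubla_enabled = bool(iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False))
    return Finding(name, public_bindings(policy), pap_enforced, ubla_enabled)


# Constructed sample buckets (metadata, IAM policy); not real resources.
SAMPLE_BUCKETS: Dict[str, Tuple[dict, dict]] = {
    "public-site-assets": (
        {"iamConfiguration": {"publicAccessPrevention": "inherited",
                              "uniformBucketLevelAccess": {"enabled": True}}},
        {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    ),
    "drop-box": (
        {"iamConfiguration": {"publicAccessPrevention": "inherited",
                              "uniformBucketLevelAccess": {"enabled": False}}},
        {"bindings": [{"role": "roles/storage.objectCreator",
                       "members": ["allAuthenticatedUsers"]}]},
    ),
    "locked-down": (  # stale public binding, but PAP enforced blocks it
        {"iamConfiguration": {"publicAccessPrevention": "enforced",
                              "uniformBucketLevelAccess": {"enabled": True}}},
        {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    ),
    "private-logs": (
        {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}},
        {"bindings": [{"role": "roles/storage.objectViewer",
                       "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]}]},
    ),
}


def run(buckets: Dict[str, Tuple[dict, dict]] = SAMPLE_BUCKETS) -> Dict[str, Finding]:
    """Assess every bucket and return findings keyed by bucket name."""
    return {name: assess_bucket(name, md, pol) for name, (md, pol) in buckets.items()}


if __name__ == "__main__":
    for f in run().values():
        flag = " (public write)" if f.public_write else ""
        print(f"{f.status} {f.bucket}{flag}: {f.public_bindings} -> {f.remediation()}")
```

To use this against live data, feed assess_bucket the dicts returned by the Cloud Storage JSON API (or the equivalent client-library objects converted to dicts); the status logic deliberately treats a stale public binding under enforced PAP as PASS while still listing its removal as a remediation step, because the recommendation above asks for both controls.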
Remediation
gcloud storage buckets update gs://<example_resource_name> --public-access-prevention
- In Google Cloud Console, go to Storage > Buckets and open <example_resource_name>
- Click the Permissions tab
- Set Public access prevention to Enforced
- Click Save
Source Code
Resource Type
storage.googleapis.com/Bucket
References
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/publicly-accessible-storage-buckets.html
- https://docs.cloud.google.com/storage/docs/public-access-prevention
- https://docs.cloud.google.com/storage/docs/access-control/iam
- https://docs.cloud.google.com/storage/docs/access-control/iam-reference
- https://docs.cloud.google.com/storage/docs/using-uniform-bucket-level-access