Ensure that Cloud Storage bucket is not anonymously or publicly accessible.

Explanation

Using ‘allUsers’ (anyone on the internet, no sign-in required) or ‘allAuthenticatedUsers’ (anyone signed in with any Google account) as a member in an IAM member/binding exposes the bucket's data outside of the organisation.

Possible Impact

Public exposure of sensitive data.

Suggested Resolution

Restrict public access to the bucket: remove ‘allUsers’ and ‘allAuthenticatedUsers’ from its IAM bindings and grant roles only to specific users, groups or service accounts.

Insecure Example

The following example will fail the google-storage-no-public-access check.

resource "google_storage_bucket_iam_binding" "binding" {
	bucket = google_storage_bucket.default.name
	role = "roles/storage.admin"
	members = [
		"allAuthenticatedUsers",
	]
}

Secure Example

The following example will pass the google-storage-no-public-access check.

resource "google_storage_bucket_iam_binding" "binding" {
	bucket = google_storage_bucket.default.name
	role = "roles/storage.admin"
	members = [
		"user:jane@example.com",
	]
}
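The logic behind this check, as an added Python example that is not tfsec's own code: it scans Terraform HCL for bucket IAM resources whose members include allUsers or allAuthenticatedUsers. The sample HCL is constructed here from the page's two bindings; including the google_storage_bucket_iam_member resource type is an assumption, since the page only shows a binding.

```python
import re

# allUsers = anyone on the internet; allAuthenticatedUsers = any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Resource types that grant bucket roles (the _member type is an assumption;
# the page shows only _binding).
IAM_RESOURCE_TYPES = {"google_storage_bucket_iam_binding", "google_storage_bucket_iam_member"}

# Flat resource blocks only, as laid out on this page; nested blocks such as
# `condition { ... }` are out of scope for this simple matcher.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[a-z_]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Either the members = [...] list of a binding or the member = "..." of a member.
MEMBER_ATTR_RE = re.compile(r'\bmembers?\s*=\s*(\[.*?\]|"[^"]*")', re.DOTALL)

def find_public_bindings(hcl: str) -> list[tuple[str, str, str]]:
    """Return (resource_type, resource_name, public_member) per offending resource."""
    findings = []
    for res in RESOURCE_RE.finditer(hcl):
        if res.group("type") not in IAM_RESOURCE_TYPES:
            continue
        attr = MEMBER_ATTR_RE.search(res.group("body"))
        if attr is None:
            continue
        for member in re.findall(r'"([^"]+)"', attr.group(1)):
            if member in PUBLIC_MEMBERS:
                findings.append((res.group("type"), res.group("name"), member))
    return findings

# Constructed sample: the page's insecure and secure bindings plus an iam_member
# resource that grants object read access to allUsers.
SAMPLE_HCL = """
resource "google_storage_bucket_iam_binding" "public_binding" {
  bucket  = google_storage_bucket.default.name
  role    = "roles/storage.admin"
  members = ["allAuthenticatedUsers"]
}
resource "google_storage_bucket_iam_binding" "private_binding" {
  bucket  = google_storage_bucket.default.name
  role    = "roles/storage.admin"
  members = ["user:jane@example.com"]
}
resource "google_storage_bucket_iam_member" "public_member" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.objectViewer"
  member = "allUsers"
}
"""
```

Running `find_public_bindings(SAMPLE_HCL)` reports the first and third resources and leaves the `user:` binding alone, mirroring the fail/pass outcomes above.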