Ensure that Cloud Storage bucket is not anonymously or publicly accessible.
Default Severity: high
Explanation
Using 'allUsers' or 'allAuthenticatedUsers' as members in an IAM member/binding causes data to be exposed outside of the organisation.
Possible Impact
Public exposure of sensitive data.
Suggested Resolution
Restrict public access to the bucket.
Insecure Example
The following example will fail the google-storage-no-public-access check.
resource "google_storage_bucket_iam_binding" "binding" {
bucket = google_storage_bucket.default.name
role = "roles/storage.admin"
members = [
"allAuthenticatedUsers",
]
}
Secure Example
The following example will pass the google-storage-no-public-access check.
resource "google_storage_bucket_iam_binding" "binding" {
bucket = google_storage_bucket.default.name
role = "roles/storage.admin"
members = [
"user:jane@example.com",
]
}