gcloud-bucket-policies-admin-permissions: Check Bucket Policies with Administrative Permissions

日期: 2025-08-01 | 影响软件: gcloud bucket policies admin permissions | POC: 已公开

漏洞描述

Ensure that the IAM policy associated with your Google Cloud Storage buckets does not grant privileged, administrative permissions. This promotes the Principle of Least Privilege (POLP) by providing principals only the minimal access required to perform their tasks.

PoC代码[已公开]

id: gcloud-bucket-policies-admin-permissions

info:
  name: Check Bucket Policies with Administrative Permissions
  author: princechaddha
  severity: high
  description: |
    Ensure that the IAM policy associated with your Google Cloud Storage buckets does not grant privileged, administrative permissions. This promotes the Principle of Least Privilege (POLP) by providing principals only the minimal access required to perform their tasks.
  impact: |
    Administrative permissions on Cloud Storage buckets can lead to unauthorized changes, data exposure, or potential misuse, violating security best practices.
  remediation: |
    Review and update IAM policies for your Google Cloud Storage buckets to remove roles such as roles/owner, roles/editor, or any roles containing "Admin" to adhere to the Principle of Least Privilege.
  reference:
    - https://cloud.google.com/storage/docs/access-control/iam
  tags: cloud,devops,gcp,gcloud,google-cloud-storage,iam,security,polp,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let bucketName of iterate(template.buckets)){
      set("bucketName", bucketName)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud storage buckets list --project $projectId --format="json(name)"

    extractors:
      - type: json
        name: buckets
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud storage buckets get-iam-policy gs://$bucketName --format="json(bindings)" | jq -r '.bindings[]?.role // "null"'

    matchers:
      - type: word
        words:
          - 'roles/owner'
          - 'roles/editor'
          - 'roles/storage.admin'
          - 'roles/admin'
        condition: or

    extractors:
      - type: dsl
        dsl:
          - '"The bucket " + bucketName + " in project " + projectId + " has IAM policies with administrative permissions (e.g., roles/owner, roles/editor, roles/*admin)."'
# digest: 4a0a00473045022056940cd41ec2ede37457c1fedaa9d6680f45aff47a621b268752a1a0baec5c9e022100c4224c9a83ba13b2d8a9179d710a23482d982c8c4c295c6e785e4da4fbb0f1b9:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/gcp/storage/gcloud-bucket-policies-admin-permissions.yaml