gcloud-uniform-bucket-level-access-not-enabled: Enable Uniform Bucket-Level Access for Cloud Storage Buckets

Date: 2025-08-01 | Affected software: gcloud | PoC: public

Vulnerability description

Ensure that uniform bucket-level access is enabled for all your Google Cloud Storage buckets. This ensures that object access is controlled entirely through bucket-level IAM permissions, providing a consistent and secure way to manage access to bucket data.

PoC code [public]

id: gcloud-uniform-bucket-level-access-not-enabled

info:
  name: Enable Uniform Bucket-Level Access for Cloud Storage Buckets
  author: princechaddha
  severity: medium
  description: |
    Ensure that uniform bucket-level access is enabled for all your Google Cloud Storage buckets. This ensures that object access is controlled entirely through bucket-level IAM permissions, providing a consistent and secure way to manage access to bucket data.
  impact: |
    Without uniform bucket-level access, managing object-level permissions can lead to inconsistent and insecure access control configurations.
  remediation: |
    Enable uniform bucket-level access for your Google Cloud Storage buckets to manage permissions uniformly and improve security.
  reference:
    - https://cloud.google.com/storage/docs/uniform-bucket-level-access
  tags: cloud,devops,gcp,gcloud,google-cloud-storage,security,access-control,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let bucketName of iterate(template.buckets)){
      set("bucketName", bucketName)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gsutil ls -p $projectId | jq -R . | jq -s .

    extractors:
      - type: json
        name: buckets
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      gsutil uniformbucketlevelaccess get $bucketName

    matchers:
      - type: word
        words:
          - 'Enabled: False'

    extractors:
      - type: dsl
        dsl:
          - '"Uniform bucket-level access is not enabled for the bucket " + bucketName + " in project " + projectId'
# digest: 4b0a00483046022100845f2d4f9de7940afaef8f698902d248f08564b4b022415ee008cbfb9826018d022100ccf10d8da665628c3b477b8d3279d590cde4f2dc0dcb6155c5c629ace7bdb05f:922c64590222798bb761d5b6d8e72950
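The template above delegates the actual decision to a substring match on "Enabled: False" in the output of the third step. As an added example (not part of the original template or of the nuclei project), the Python helper below parses that gsutil output properly, records the LockedTime that appears when the setting is locked, lists the buckets that still lack uniform bucket-level access, and emits the matching `gsutil uniformbucketlevelaccess set on` remediation commands. The bucket names and timestamp in the sample output are constructed; `ubla_enabled_from_api` assumes the Cloud Storage JSON API bucket resource shape (`iamConfiguration.uniformBucketLevelAccess.enabled`) and treats a missing block as "not enabled".

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: what `gsutil uniformbucketlevelaccess get gs://<bucket>` prints for
# three hypothetical buckets, concatenated the way a per-bucket audit loop collects it.
SAMPLE_GSUTIL_OUTPUT = """\
Uniform bucket-level access setting for gs://example-logs/:
  Enabled: True
  LockedTime: 2025-09-01 00:00:00+00:00
Uniform bucket-level access setting for gs://example-data/:
  Enabled: False
Uniform bucket-level access setting for gs://example-backup/:
  Enabled: True
"""


@dataclass
class UblaStatus:
    bucket: str                      # "gs://name/" exactly as gsutil prints it
    enabled: bool
    locked_time: Optional[str] = None  # present only while the setting is still reversible


_HEADER = re.compile(r"^Uniform bucket-level access setting for (gs://[^:]+):$")
_FIELD = re.compile(r"^\s+(\w+):\s*(.+)$")


def parse_ubla_output(text: str) -> list[UblaStatus]:
    """Turn concatenated gsutil output into one UblaStatus per bucket."""
    results: list[UblaStatus] = []
    current: Optional[UblaStatus] = None
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            # A new bucket section starts; default to disabled until an Enabled line says otherwise.
            current = UblaStatus(bucket=header.group(1), enabled=False)
            results.append(current)
            continue
        field = _FIELD.match(line)
        if field and current is not None:
            key, value = field.groups()
            if key == "Enabled":
                current.enabled = value.strip().lower() == "true"
            elif key == "LockedTime":
                current.locked_time = value.strip()
    return results


def ubla_enabled_from_api(bucket_resource: dict) -> bool:
    """Same check against a Cloud Storage JSON API bucket resource (storage.buckets.get).

    Assumption: buckets created before the feature existed carry no iamConfiguration
    block at all, which means uniform bucket-level access is off, so absence is False.
    """
    return bool(
        bucket_resource.get("iamConfiguration", {})
        .get("uniformBucketLevelAccess", {})
        .get("enabled", False)
    )


def noncompliant_buckets(statuses: list[UblaStatus]) -> list[str]:
    """Buckets that still allow object-level ACLs alongside IAM."""
    return [s.bucket for s in statuses if not s.enabled]


def remediation_commands(statuses: list[UblaStatus]) -> list[str]:
    """One gsutil command per non-compliant bucket to turn the setting on."""
    return [f"gsutil uniformbucketlevelaccess set on {s.bucket}" for s in statuses if not s.enabled]


if __name__ == "__main__":
    statuses = parse_ubla_output(SAMPLE_GSUTIL_OUTPUT)
    for s in statuses:
        state = "enabled" if s.enabled else "NOT enabled"
        lock = f" (locked at {s.locked_time})" if s.locked_time else ""
        print(f"{s.bucket}: uniform bucket-level access {state}{lock}")
    for cmd in remediation_commands(statuses):
        print("remediate:", cmd)
```

In a real audit the sample string would be replaced by the captured stdout of the `gsutil uniformbucketlevelaccess get` loop; parsing the header line rather than searching the whole blob for "Enabled: False" is what lets the report name the bucket that failed.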
