GCP GCS bucket created with fine-grained access control
Description
AlphaSOC detected the creation or modification of a Google Cloud Storage bucket to use fine-grained (ACL-based) access control instead of uniform bucket-level access. Fine-grained access control uses object ACLs which are harder to audit than uniform bucket policies. When ACL-based control is re-enabled, previously applied ACLs are reattached, which may have unpredictable security consequences.
Impact
Fine-grained access control makes it more difficult to maintain consistent security policies across bucket contents. Individual object ACLs may grant overly permissive access that is harder to detect during security audits. Attackers may exploit this to set permissions on specific objects for data exfiltration while evading bucket-level monitoring.
Severity
| Severity | Condition |
|---|---|
| Informational | GCS bucket with fine-grained access control enabled |
Investigation and Remediation
Review the bucket configuration change and verify it was intentional. Examine the business justification for using fine-grained instead of uniform access control. Audit existing object ACLs in the bucket for overly permissive settings. Consider migrating to uniform bucket-level access for improved security posture and auditability.
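A triage helper for the audit step above, added here as an example and not part of AlphaSOC's tooling. It reads bucket and object metadata in the shape the Cloud Storage JSON API returns (`iamConfiguration.uniformBucketLevelAccess.enabled` on the bucket, per-object `acl` entries) and lists ACL grants that are public or go to principals outside an expected set; the sample metadata and the `project-owners-123` / `example-reports` names are constructed.

```python
"""Triage a GCS bucket flagged for fine-grained (ACL-based) access control.

Added example, not AlphaSOC's code. Input dicts follow the Cloud Storage JSON
API resource layout (storage.buckets.get, storage.objects.list with
projection=full). Sample data below is constructed for illustration.
"""

PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def uses_fine_grained_access(bucket: dict) -> bool:
    """True when uniform bucket-level access is off, so object ACLs are in force."""
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    return not ubla.get("enabled", False)


def risky_object_grants(objects: list, expected_entities: set) -> list:
    """(object, entity, role) for each ACL entry that is public or unexpected."""
    findings = []
    for obj in objects:
        for entry in obj.get("acl", []):
            entity, role = entry.get("entity", ""), entry.get("role", "")
            if entity in PUBLIC_ENTITIES or entity not in expected_entities:
                findings.append((obj["name"], entity, role))
    return findings


def triage(bucket: dict, objects: list, expected_entities: set) -> dict:
    """Summarise what an analyst needs to judge whether the change is benign."""
    fine_grained = uses_fine_grained_access(bucket)
    grants = risky_object_grants(objects, expected_entities) if fine_grained else []
    return {"fine_grained": fine_grained, "risky_grants": grants}


# Constructed sample: uniform access disabled, one public and one external grant.
SAMPLE_BUCKET = {
    "name": "example-reports",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
}
OWNER = {"entity": "project-owners-123", "role": "OWNER"}
SAMPLE_OBJECTS = [
    {"name": "q1.csv", "acl": [OWNER]},
    {"name": "q2.csv", "acl": [OWNER, {"entity": "allUsers", "role": "READER"}]},
    {"name": "q3.csv", "acl": [OWNER, {"entity": "user-contractor@example.com",
                                       "role": "READER"}]},
]
EXPECTED = {"project-owners-123"}

if __name__ == "__main__":
    for name, entity, role in triage(SAMPLE_BUCKET, SAMPLE_OBJECTS, EXPECTED)["risky_grants"]:
        print(f"{name}: {role} granted to {entity}")
```

Objects whose only grants are to the expected principals (q1.csv here) produce no finding, which is the state a uniform bucket-level policy would enforce for every object.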
Known False Positives
- Legacy applications that require object-level ACL management
- Migration scenarios where historical ACL settings need to be preserved
- Specific use cases requiring per-object access control