
Reduce GCS bucket IAM permissions to reduce attack vector


    • Type: Task
    • Resolution: Fixed
    • Must have
    • 2.72.0
    • 12

      Deployments currently use service accounts that hold the project-level `storage.admin` role, so a compromised WordPress site could delete the contents of every storage bucket across both projects.

      These grants should be reduced from project-level roles to per-bucket roles; see https://cloud.google.com/storage/docs/access-control/iam#project-level_roles_vs_bucket-level_roles

      GCS buckets affected:

      • planet4-nro-stateless
      • planet4-nro-db-backup
      • planet4-nro-images-backup
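      As an added illustration of the change (not Planet4 project code), the script below takes IAM policies in the JSON shape that `gcloud projects get-iam-policy` and `gcloud storage buckets get-iam-policy` return, reports which buckets a service account could delete objects in before and after moving from the project-level grant to a bucket-level one, and generates the corresponding `gcloud` commands. The project name, service account and policy contents are constructed samples; only the bucket names come from this ticket.

```python
# Added audit example for the PLANET-3910 change; not Planet4 project code.
# Policies mirror gcloud's JSON: {"bindings": [{"role": ..., "members": [...]}]}.
# Project, service account and binding contents below are constructed samples.

# Roles that allow deleting objects: bound at project level they cover every
# bucket in the project, bound on a bucket they cover only that bucket.
DELETE_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin"}


def members_with_roles(policy, roles):
    """Return {member: set(roles)} for bindings whose role is in `roles`."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in roles:
            for member in binding["members"]:
                found.setdefault(member, set()).add(binding["role"])
    return found


def deletable_buckets(member, project_policy, bucket_policies):
    """Buckets whose objects `member` could delete: all of them if a delete-capable
    role is held at project level, otherwise only buckets with a direct binding."""
    if member in members_with_roles(project_policy, DELETE_ROLES):
        return set(bucket_policies)
    return {name for name, policy in bucket_policies.items()
            if member in members_with_roles(policy, DELETE_ROLES)}


def remediation_commands(project, member, bucket, role="roles/storage.objectAdmin"):
    """gcloud invocations that replace the project-level storage.admin grant with a
    single bucket-level grant (strings are generated here, not executed)."""
    return [
        f"gcloud projects remove-iam-policy-binding {project} "
        f"--member={member} --role=roles/storage.admin",
        f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
        f"--member={member} --role={role}",
    ]


# Constructed sample: one deployment SA with the project-level grant the ticket
# describes, and the three buckets from the ticket with no bucket-level bindings.
SA = "serviceAccount:p4-nro-deploy@example-project.iam.gserviceaccount.com"
BEFORE_PROJECT = {"bindings": [{"role": "roles/storage.admin", "members": [SA]}]}
BUCKETS = {name: {"bindings": []} for name in
           ("planet4-nro-stateless", "planet4-nro-db-backup", "planet4-nro-images-backup")}

# After the fix: project binding removed, one bucket-level binding added.
AFTER_PROJECT = {"bindings": []}
AFTER_BUCKETS = {name: {"bindings": []} for name in BUCKETS}
AFTER_BUCKETS["planet4-nro-stateless"] = {
    "bindings": [{"role": "roles/storage.objectAdmin", "members": [SA]}]}

if __name__ == "__main__":
    print("before:", sorted(deletable_buckets(SA, BEFORE_PROJECT, BUCKETS)))
    print("after: ", sorted(deletable_buckets(SA, AFTER_PROJECT, AFTER_BUCKETS)))
    print("\n".join(remediation_commands("example-project", SA, "planet4-nro-stateless")))
```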

      Tasks:

    • Assignee: Unassigned
    • Reporter: Ray Walker (rawalker, inactive)