GCS bucket granted public IAM access
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Granting a Cloud Storage role to allUsers or allAuthenticatedUsers makes the bucket contents readable (or writable) by anyone on the internet.
Why it matters
Granting a Cloud Storage IAM role to allUsers or allAuthenticatedUsers makes the bucket contents accessible to anyone on the internet, or to any Google account, depending on the member. This is the GCS equivalent of a public S3 bucket and a common source of data leaks. Objects added later inherit the same public access.
How to fix it
Remove the allUsers or allAuthenticatedUsers member and grant access to specific principals (service accounts, groups, or users) instead. Enable public access prevention on the bucket so a public grant cannot be added by mistake. If the bucket must serve public content, front it with a load balancer or CDN rather than a public IAM grant.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo