GCP Cloud Storage supports two access-control systems: fine-grained per-object ACLs and IAM. When both are active, legacy object ACLs can silently grant access that bypasses IAM policies, including making individual objects world-readable even when the bucket IAM policy looks locked down.

Why is this an issue?

Per-object ACLs are hard to audit at scale, so a single object can leak sensitive data without any change to the bucket policy, and access reviews can miss ACL-granted permissions. Uniform bucket-level access disables object ACLs and makes IAM the single source of truth. This rule raises an issue when a google_storage_bucket resource does not enable uniform bucket-level access.

What is the potential impact?

When uniform bucket-level access is not enforced, object-level ACLs remain active and can grant permissions that bypass the bucket IAM policy. A single misconfigured ACL can expose sensitive data publicly while the bucket IAM policy still appears restrictive. Reviewing access becomes significantly harder, as permissions are scattered across individual objects rather than centralized in IAM.

How to fix it

Set uniform_bucket_level_access to true on the google_storage_bucket resource to disable object ACLs and rely exclusively on IAM.

Code examples

Noncompliant code example

resource "google_storage_bucket" "example" { # Noncompliant
  name     = "example-bucket"
  location = "US"
}

Compliant solution

resource "google_storage_bucket" "example" {
  name                        = "example-bucket"
  location                    = "US"
  uniform_bucket_level_access = true
}
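To catch the noncompliant form before it reaches a plan or apply, the same check can be run as a lightweight pre-commit scan over the repository's .tf files. The script below is an added example, not part of the original rule page or of any scanner product: it walks every google_storage_bucket block, reports resources where uniform_bucket_level_access is missing or set to false, and runs here against a constructed Terraform snippet (SAMPLE_TF) rather than a real project. It uses a simplified brace matcher instead of a full HCL parser, so a literal brace inside a string or heredoc in a bucket block would confuse it; that is a stated assumption of the example.

```python
import re
import sys
from pathlib import Path

# Constructed sample input (not from the original page): one bucket with the
# setting omitted, one with it disabled, one compliant, and one unrelated resource.
SAMPLE_TF = """
resource "google_storage_bucket" "logs" {
  name     = "example-logs"
  location = "US"
}

resource "google_storage_bucket" "assets" {
  name                        = "example-assets"
  location                    = "EU"
  uniform_bucket_level_access = false
}

resource "google_storage_bucket" "data" {
  name                        = "example-data"
  location                    = "US"
  uniform_bucket_level_access = true  # IAM is the single source of truth
}

resource "google_compute_instance" "vm" {
  name = "not-a-bucket"
}
"""

# Matches the opening line of a google_storage_bucket resource and captures its label.
RESOURCE_RE = re.compile(r'resource\s+"google_storage_bucket"\s+"([^"]+)"\s*\{')
# Matches the attribute on its own line, tolerating an optional trailing comment.
UBLA_RE = re.compile(
    r'^\s*uniform_bucket_level_access\s*=\s*(true|false)\s*(?:#.*)?$', re.MULTILINE
)


def extract_block(text, open_index):
    """Return the body between the brace at `open_index` and its matching close.

    Assumption: braces inside strings/heredocs are not handled (simplified scanner).
    """
    depth = 0
    for i in range(open_index, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_index + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_noncompliant_buckets(tf_source):
    """Return (resource_label, reason) for each bucket that leaves object ACLs active."""
    findings = []
    for match in RESOURCE_RE.finditer(tf_source):
        label = match.group(1)
        body = extract_block(tf_source, match.end() - 1)  # match ends on the '{'
        ubla = UBLA_RE.search(body)
        if ubla is None:
            findings.append((label, "uniform_bucket_level_access not set"))
        elif ubla.group(1) != "true":
            findings.append((label, "uniform_bucket_level_access = false"))
    return findings


def scan_directory(root):
    """Scan every .tf file under `root`; return {file path: findings} for files with issues."""
    results = {}
    for tf_file in sorted(Path(root).rglob("*.tf")):
        findings = find_noncompliant_buckets(tf_file.read_text(encoding="utf-8"))
        if findings:
            results[str(tf_file)] = findings
    return results


if __name__ == "__main__":
    # With a directory argument, scan real files; otherwise demonstrate on the sample.
    if len(sys.argv) > 1:
        hits = scan_directory(sys.argv[1])
        for path, findings in hits.items():
            for label, reason in findings:
                print(f"{path}: google_storage_bucket.{label}: {reason}")
        sys.exit(1 if hits else 0)
    for label, reason in find_noncompliant_buckets(SAMPLE_TF):
        print(f"google_storage_bucket.{label}: {reason}")
```

Run with a path argument to scan a module tree (a non-zero exit status makes it usable as a CI gate), or without arguments to see the two findings from the constructed sample. The scan only covers infrastructure as code; for buckets that already exist, the effective setting can be confirmed with `gsutil uniformbucketlevelaccess get gs://BUCKET_NAME` before enabling it, since turning it on drops any object ACLs that are still in use.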
