GCP Cloud Storage supports two access-control systems for buckets and objects: IAM policies and legacy fine-grained access control lists (ACLs) on individual objects. The two are additive: when both are active, an object ACL can grant access that the bucket's IAM policy does not, including making a single object readable by allUsers even though the bucket IAM policy looks locked down.
Per-object ACLs are hard to audit at scale: a single object can leak sensitive data without any change to the bucket policy, and access reviews that only inspect IAM miss ACL-granted permissions. Uniform bucket-level access disables object ACLs and makes IAM the single source of truth. This rule raises an issue when a google_storage_bucket resource does not enable uniform bucket-level access.
When uniform bucket-level access is not enforced, object-level ACLs remain active and can grant permissions beyond those in the bucket IAM policy. A single misconfigured ACL can expose sensitive data publicly while the bucket IAM policy still appears restrictive. Reviewing access becomes significantly harder, because effective permissions are scattered across individual objects rather than centralized in IAM.
Set uniform_bucket_level_access to true on the google_storage_bucket resource so that object ACLs are disabled and access is evaluated against IAM only. On an existing bucket, first reproduce any permission that is currently granted only through an object ACL as an IAM binding, because those ACLs stop being evaluated once the setting is enabled. Note that this setting does not by itself prevent public access granted through IAM (for example an allUsers binding on the bucket); it only removes the object-ACL path.
resource "google_storage_bucket" "example" { # Noncompliant: uniform_bucket_level_access not set, object ACLs stay active
  name     = "example-bucket"
  location = "US"
}
resource "google_storage_bucket" "example" {
  name     = "example-bucket"
  location = "US"
  uniform_bucket_level_access = true # disables object ACLs; IAM is the only access authority
}
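As an added example (not code from the rule page or from any scanner's own implementation), the following Python script performs the check this rule describes over Terraform source: it locates every google_storage_bucket resource, matches its braces so nested blocks such as lifecycle_rule do not end the scan early, and reports any bucket where uniform_bucket_level_access is absent or not true. The Terraform input is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample Terraform for this example (not from the original page):
# "logs" omits the setting, "assets" enables it and has nested blocks,
# "legacy" sets it to false, and the compute instance must be ignored.
SAMPLE_TF = '''
resource "google_storage_bucket" "logs" {
  name     = "example-logs"
  location = "US"
}

resource "google_storage_bucket" "assets" {
  name     = "example-assets"
  location = "US"
  uniform_bucket_level_access = true
  lifecycle_rule {
    condition { age = 30 }
    action    { type = "Delete" }
  }
}

resource "google_storage_bucket" "legacy" {
  name     = "example-legacy"
  location = "US"
  uniform_bucket_level_access = false
}

resource "google_compute_instance" "vm" {
  name = "not-a-bucket"
}
'''

RESOURCE_HEADER = re.compile(r'resource\s+"google_storage_bucket"\s+"([^"]+)"\s*\{')
UBLA_SETTING = re.compile(
    r'^\s*uniform_bucket_level_access\s*=\s*(true|false)\s*$', re.MULTILINE
)


def extract_bucket_blocks(tf_text: str) -> Dict[str, str]:
    """Return {resource_name: block_body} for each google_storage_bucket resource.

    Braces are matched by counting depth, so nested blocks inside the resource
    do not terminate it early; braces inside quoted strings are ignored.
    """
    blocks: Dict[str, str] = {}
    for header in RESOURCE_HEADER.finditer(tf_text):
        depth = 1
        i = header.end()
        in_string = False
        while i < len(tf_text) and depth > 0:
            ch = tf_text[i]
            if ch == '"' and tf_text[i - 1] != "\\":
                in_string = not in_string
            elif not in_string:
                if ch == "{":
                    depth += 1
                elif ch == "}":
                    depth -= 1
            i += 1
        # i now sits just past the closing brace of the resource block
        blocks[header.group(1)] = tf_text[header.end():i - 1]
    return blocks


def find_noncompliant(tf_text: str) -> List[str]:
    """Names of bucket resources that do not set uniform_bucket_level_access = true.

    A missing attribute is treated as noncompliant, matching the rule: when the
    setting is not enabled, object ACLs remain active alongside IAM.
    """
    findings: List[str] = []
    for name, body in extract_bucket_blocks(tf_text).items():
        setting = UBLA_SETTING.search(body)
        if setting is None or setting.group(1) != "true":
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_TF):
        print(f'google_storage_bucket "{name}": uniform bucket-level access not enabled')
```

Run it against a directory of .tf files by reading each file into find_noncompliant; the same brace-matching approach is what keeps a bucket with nested lifecycle_rule, website or cors blocks from being misread as compliant or noncompliant because the scan stopped at the wrong closing brace.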