IAM policies and ACLs require active management to be effective. Before you make a bucket or object accessible to other users, be sure you know who you want to share the bucket or object with and what roles you want each of those people to have. Over time, changes in project management, usage patterns, and organizational ownership may require you to modify IAM or ACL settings on buckets and projects, especially if you manage Cloud Storage in a large organization or for a large group of users. As you evaluate and plan your access control settings, keep the following best practices in mind:
Use the principle of least privilege when granting access to your buckets or objects.
The principle of least privilege is a security guideline for granting access to your resources. When you grant access based on the principle of least privilege, you grant the minimum permission that's necessary for a user to accomplish their assigned task. For example, if you want to share files with someone, you should grant them the
storage.objectViewerIAM role or the
READERACLs permission, and not the
storage.adminIAM role or the
Avoid granting IAM roles with
setIamPolicypermission or granting the ACL
OWNERpermission to people you do not know.
setIamPolicyIAM permission or the
OWNERACLs permission allows a user to change permissions and take control of data. You should use roles with these permissions only when you want to delegate administrative control over objects and buckets.
Be careful how you grant permissions for anonymous users.
allAuthenticatedUsersprincipal types should only be used when it is acceptable for anyone on the Internet to read and analyze your data. While these scopes are useful for some applications and scenarios, it is usually not a good idea to grant all users certain permissions, such as the IAM permissions
delete, or the ACLs
Be sure you delegate administrative control of your buckets.
You should be sure that your resources can still be managed by other team members should an individual with administrative access leave the group.
To prevent resources from becoming inaccessible, you can do any of the following:
Grant the Storage Admin IAM role for your project to a group instead of an individual
Grant the Storage Admin IAM role for your project to at least two individuals
OWNERACLs permission for your bucket to at least two individuals
Be aware of Cloud Storage's interoperable behavior.
When using the XML API for interoperable access with other storage services, such as Amazon S3, the signature identifier determines the ACL syntax. For example, if the tool or library you are using makes a request to Cloud Storage to retrieve ACLs and the request uses another storage provider's signature identifier, then Cloud Storage returns an XML document that uses the corresponding storage provider's ACL syntax. If the tool or library you are using makes a request to Cloud Storage to apply ACLs and the request uses another storage provider's signature identifier, then Cloud Storage expects to receive an XML document that uses the corresponding storage provider's ACL syntax.
For more information about using the XML API for interoperability with Amazon S3, see Simple migration from Amazon S3 to Cloud Storage.
- Learn how to use IAM policies with Cloud Storage.
- Learn how to use ACLs with Cloud Storage.
- Review the IAM reference table for Cloud Storage.