# Cloud Storage

SureCloud enumerates all Cloud Storage buckets across monitored GCP projects and inspects each bucket's security configuration. It checks bucket-level IAM policies for bindings that grant access to `allUsers` or `allAuthenticatedUsers` (the latter is any Google account at all, not only accounts in your organisation, so both principals are treated as public), verifies whether uniform bucket-level access and public access prevention are enforced, confirms that versioning is enabled where required, and reviews retention policies and object lifecycle rules. This provides continuous evidence that your object storage is configured to prevent unauthorised data exposure.

## Endpoints

| API Call                       | Use Case                                                                                         |
| ------------------------------ | ------------------------------------------------------------------------------------------------ |
| `storage.buckets.list`         | Enumerate all buckets in each project                                                            |
| `storage.buckets.get`          | Retrieve full bucket configuration including IAM configuration, versioning, and retention policy |
| `storage.buckets.getIamPolicy` | Read bucket-level IAM bindings; detect `allUsers` and `allAuthenticatedUsers` bindings           |

## Pagination

The Cloud Storage JSON API uses a `nextPageToken` field for paginated bucket list responses. SureCloud passes the token as the `pageToken` query parameter until no token is returned.

```json
{
  "kind": "storage#buckets",
  "items": [
    { "id": "my-bucket", "name": "my-bucket", "iamConfiguration": { "publicAccessPrevention": "enforced" }, ... }
  ],
  "nextPageToken": "Cg9teS1idWNrZXQtbmFtZQ=="
}
```
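The pagination loop described above, as an added example that is not SureCloud's code. It issues `storage.buckets.list` requests against the JSON API endpoint and keeps going until a response arrives without `nextPageToken`; the stop condition is the missing token, not a short or empty `items` list, because the API can return a short page (even an empty one) that still carries a token. The `http_get_json` transport is stdlib-only and real; `FAKE_PAGES`, `fake_get_json`, the bucket names and the token values are constructed so the walker can be exercised offline.

```python
"""Walk every page of a Cloud Storage bucket list by following nextPageToken.

Added example, not SureCloud's code. http_get_json is a real stdlib transport;
FAKE_PAGES / fake_get_json are constructed sample data for offline use.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

BUCKETS_URL = "https://storage.googleapis.com/storage/v1/b"  # storage.buckets.list

GetJson = Callable[[str, Dict[str, str]], dict]


def http_get_json(url: str, params: Dict[str, str], access_token: str) -> dict:
    """Real transport: GET url?params with a bearer token and parse the JSON body."""
    req = urllib.request.Request(
        f"{url}?{urllib.parse.urlencode(params)}",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_all_buckets(project: str, get_json: GetJson, page_size: int = 1000) -> List[dict]:
    """Return every bucket in `project`, requesting pages until no nextPageToken.

    Stops only when the response has no nextPageToken. A page with fewer than
    page_size items (or none) is NOT the end if it still carries a token.
    """
    buckets: List[dict] = []
    token: Optional[str] = None
    seen: set = set()
    while True:
        params = {"project": project, "maxResults": str(page_size)}
        if token is not None:
            params["pageToken"] = token          # continue from the previous page
        page = get_json(BUCKETS_URL, params)
        buckets.extend(page.get("items", []))
        token = page.get("nextPageToken")
        if not token:
            return buckets
        if token in seen:                        # defensive: a misbehaving server must not loop us forever
            raise RuntimeError(f"nextPageToken {token!r} repeated")
        seen.add(token)


# --- constructed sample responses (not real API output) ---------------------
FAKE_PAGES = {
    None: {"kind": "storage#buckets",
           "items": [{"name": "finance-exports",
                      "iamConfiguration": {"publicAccessPrevention": "enforced"}},
                     {"name": "public-assets",
                      "iamConfiguration": {"publicAccessPrevention": "inherited"}}],
           "nextPageToken": "tok-2"},
    "tok-2": {"kind": "storage#buckets",
              "items": [{"name": "tfstate",
                         "iamConfiguration": {"publicAccessPrevention": "enforced"}}],
              "nextPageToken": "tok-3"},
    # Final page: empty item list and no nextPageToken.
    "tok-3": {"kind": "storage#buckets", "items": []},
}


def fake_get_json(url: str, params: Dict[str, str]) -> dict:
    """Offline stand-in for http_get_json that serves FAKE_PAGES keyed by pageToken."""
    if url != BUCKETS_URL or params.get("project") != "demo-project":
        raise ValueError(f"unexpected request {url} {params}")
    return FAKE_PAGES[params.get("pageToken")]


if __name__ == "__main__":
    for b in list_all_buckets("demo-project", fake_get_json):
        print(b["name"], b["iamConfiguration"]["publicAccessPrevention"])
```

To run it against a real project, pass `lambda url, params: http_get_json(url, params, access_token)` in place of `fake_get_json`; the service account needs `storage.buckets.list` on the project.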

## Required permissions

| Role                         | Grants                                                                                     |
| ---------------------------- | ------------------------------------------------------------------------------------------ |
| `roles/iam.securityReviewer` | Includes `storage.buckets.get`, `storage.buckets.list`, and `storage.buckets.getIamPolicy` |

No additional Storage-specific role is needed if `roles/iam.securityReviewer` is already granted at the organisation scope.

## Troubleshooting

<details>

<summary>Buckets from some projects are not appearing</summary>

SureCloud enumerates buckets per project. If a project is not included in the SureCloud connection's project scope, its buckets will not appear.

Confirm that all target projects are covered by the service account's organisation-level role assignment, and that the project is not excluded by a project filter in **SureCloud → Integrations → Google Cloud → Edit Connection**.

</details>

<details>

<summary>Public access prevention shows as "inherited" rather than "enforced"</summary>

A bucket with `publicAccessPrevention: inherited` relies on the organisation policy `constraints/storage.publicAccessPrevention` to determine whether public access is blocked. If that organisation policy is not enforced, `inherited` buckets may still be publicly accessible depending on their IAM bindings.

SureCloud flags `inherited` buckets that also have IAM bindings for `allUsers` or `allAuthenticatedUsers` as high-risk findings. To remove ambiguity, set `publicAccessPrevention: enforced` on each bucket individually, or apply the organisation-level constraint.

</details>
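The grading logic that the overview and the entry above describe, as an added example that is not SureCloud's code. It takes the bucket resource from `storage.buckets.get` and the response from `storage.buckets.getIamPolicy`, plus a caller-supplied flag for whether `constraints/storage.publicAccessPrevention` is enforced on the organisation (the page does not say how SureCloud learns this; `None` means unknown and is treated as not enforced). A public binding on an `inherited` bucket with no enforced org constraint is graded high; the same binding behind enforced public access prevention is graded medium, because the binding is blocked but still waiting to go live the moment the setting changes. It also flags uniform bucket-level access being off, since legacy object ACLs can then make objects public without any binding appearing in `getIamPolicy`. The check names, severities and sample buckets are the example's own assumptions.

```python
"""Grade a bucket from its buckets.get resource and getIamPolicy response.

Added example, not SureCloud's code. Check names, severities and the sample
buckets below are this example's own conventions / constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}  # both mean "anyone"


@dataclass(frozen=True)
class Finding:
    bucket: str
    check: str
    severity: str  # high | medium | low
    detail: str


def public_bindings(policy: dict) -> List[Tuple[str, str]]:
    """(role, member) pairs in a getIamPolicy response that name a public principal."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_PRINCIPALS]


def assess_bucket(bucket: dict, policy: dict, org_pap_enforced: Optional[bool]) -> List[Finding]:
    """Run the checks on one bucket. org_pap_enforced=None (unknown) is read as not enforced."""
    name = bucket["name"]
    iam_cfg = bucket.get("iamConfiguration", {})
    pap = iam_cfg.get("publicAccessPrevention", "inherited")
    ubla = iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False)
    findings: List[Finding] = []

    for role, member in public_bindings(policy):
        if pap == "enforced" or org_pap_enforced is True:
            # Public access prevention stops the binding taking effect, but it is
            # still a misconfiguration that becomes live if the setting is relaxed.
            sev, why = "medium", "blocked by public access prevention; remove the binding anyway"
        else:
            sev, why = "high", ("publicAccessPrevention is inherited and the org constraint "
                                "is not enforced: the bucket is reachable by this principal")
        findings.append(Finding(name, "public-binding", sev, f"{member} has {role}: {why}"))

    if pap != "enforced":
        findings.append(Finding(name, "pap-not-enforced", "low",
                                "exposure depends on the org policy; set publicAccessPrevention=enforced"))
    if not ubla:
        # With uniform bucket-level access off, per-object ACLs are live and can make
        # objects public without any binding showing up in getIamPolicy.
        findings.append(Finding(name, "ubla-disabled", "medium",
                                "object ACLs are active and are not covered by the bucket IAM check"))
    if not bucket.get("versioning", {}).get("enabled", False):
        findings.append(Finding(name, "versioning-disabled", "low",
                                "overwritten or deleted objects cannot be recovered"))
    return findings


# --- constructed sample (bucket resource, IAM policy) pairs -------------------
SAMPLE_BUCKETS = [
    ({"name": "public-assets",
      "iamConfiguration": {"publicAccessPrevention": "inherited",
                           "uniformBucketLevelAccess": {"enabled": True}},
      "versioning": {"enabled": False}},
     {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}),
    ({"name": "finance-exports",
      "iamConfiguration": {"publicAccessPrevention": "enforced",
                           "uniformBucketLevelAccess": {"enabled": True}},
      "versioning": {"enabled": True}},
     {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]},
                   {"role": "roles/storage.admin", "members": ["group:finance@example.com"]}]}),
    ({"name": "legacy-acl-bucket",
      "iamConfiguration": {"publicAccessPrevention": "inherited",
                           "uniformBucketLevelAccess": {"enabled": False}},
      "versioning": {"enabled": True}},
     {"bindings": []}),
]


def run_sample(org_pap_enforced: Optional[bool] = False) -> Dict[str, List[Finding]]:
    """Grade every sample bucket; returns findings keyed by bucket name."""
    return {b["name"]: assess_bucket(b, p, org_pap_enforced) for b, p in SAMPLE_BUCKETS}


if __name__ == "__main__":
    for bucket, findings in run_sample().items():
        for f in findings:
            print(f"{f.severity:6} {bucket:18} {f.check:20} {f.detail}")
```

Flipping the organisation flag to `True` is what the troubleshooting entry above means by "apply the organisation-level constraint": the `allUsers` binding on `public-assets` drops from high to medium, and the `pap-not-enforced` finding remains until the bucket itself is set to `enforced`.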

<details>

<summary>IAM policy for some buckets is not being collected</summary>

The `storage.buckets.getIamPolicy` permission is required to read IAM policies and is included in `roles/iam.securityReviewer`. If IAM policy data is missing only for specific buckets, the role grant itself is probably intact and something is blocking the call for those buckets. The usual causes are an IAM deny policy attached to the bucket's project, folder, or organisation (deny policies cannot be attached to a bucket itself) that denies `storage.googleapis.com/buckets.getIamPolicy` to the service account, or a VPC Service Controls perimeter around the project that the service account's calls do not originate from.

Review the bucket's own permissions in **Cloud Storage → \[Bucket] → Permissions** to confirm the service account's inherited access is visible there, then check the deny policies on the project, folder, and organisation (**IAM & Admin → IAM → Deny** in the console) for a rule that matches the service account.

</details>

