1
votes

I realized that after creating a bucket with the default settings anyone who knows the bucket name is able to check for the existence of a file.

Example:

Someone tries the URL https://storage.googleapis.com/bucket_name/file_name

If the file doesn't exist the message shown is "The specified key does not exist"

If the file does exist the message is "Anonymous callers do not have storage.objects.get access to object bucket_name/file_name"

This makes it easy to discover filenames stored in a bucket; therefore, the privacy of the bucket content is not complete.

I also use S3 storage where the message is "Access denied" for both cases, so there is no way to know if the file is really there.

Is there any way to disable this behavior?

Thanks


1 Answer

0
votes

Sorry, but there is currently not any way to get "access denied" for both cases.

Note that even if this did exist, it would not necessarily prevent a timing attack from determining whether the object existed or not. For that reason, it is recommended that you don't store sensitive data in object names, and that you obfuscate object names if determining their existence represents a risk to your business.
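The name obfuscation recommended in the answer, sketched as an added example (not part of the original answer and not Google's code): object names are derived with HMAC-SHA256 under a secret key, and a constructed in-memory stand-in for the bucket reproduces the two anonymous responses quoted in the question. `obfuscated_name`, `SimulatedBucket`, the `objects/` prefix and the sample file names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Prefixes of the two anonymous responses quoted in the question.
MISSING = "The specified key does not exist"
DENIED = "Anonymous callers do not have storage.objects.get access to object"


def obfuscated_name(secret: bytes, logical_name: str, prefix: str = "objects/") -> str:
    """Derive a deterministic object name that cannot be guessed without the key."""
    digest = hmac.new(secret, logical_name.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}{digest}"


class SimulatedBucket:
    """Constructed stand-in for a private bucket; models only anonymous GETs."""

    def __init__(self):
        self._objects = set()

    def put(self, name: str) -> None:
        self._objects.add(name)

    def anonymous_get(self, name: str) -> str:
        # The response text differs depending on whether the object exists.
        return DENIED if name in self._objects else MISSING


def confirmable_names(bucket: SimulatedBucket, guesses: list) -> list:
    """Names whose existence the response text alone reveals to an anonymous caller."""
    return [g for g in guesses if bucket.anonymous_get(g) == DENIED]


def demo(secret: bytes = None):
    """Compare a bucket using plain names with one using keyed names."""
    secret = secret or secrets.token_bytes(32)  # constructed key for the demo
    logical = ["invoices/2023/acme.pdf", "backup.sql"]  # constructed sample names
    plain, keyed = SimulatedBucket(), SimulatedBucket()
    for name in logical:
        plain.put(name)
        keyed.put(obfuscated_name(secret, name))
    guesses = ["backup.sql", "invoices/2023/acme.pdf", "index.html"]
    return confirmable_names(plain, guesses), confirmable_names(keyed, guesses)


if __name__ == "__main__":
    print(demo())
```

Because the derivation is deterministic, the application recomputes the stored name from the key and the logical name instead of keeping a mapping table. The key has to stay server-side, since anyone holding it can derive the names again.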