services / Google Cloud / Cloud Storage buckets

Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket.

Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.


Even though certain access-related controls are part of the bucket metadata (ACLs, public access settings), those cannot be updated without setIamPolicy. However, the encryption key can be updated with just this permission. An attacker could use their own key (in their own project) to encrypt the data, then disable or delete it, rendering the data unusable until the user can recover the key.



This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.


  • https:​/​/​cloud.​google.​com/​storage/​docs/​access-​control/​iam-​permissions
  • https:​/​/​cloud.​google.​com/​resource-​manager/​docs/​tags/​tags-​creating-​and-​managing
  • https:​/​/​cloud.​google.​com/​storage/​docs/​bucket-​metadata
  • https:​/​/​cloud.​google.​com/​storage/​docs/​json_​api/​v1/​buckets/​update
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog