Logging storage bucket retention policies and Bucket Lock should be configured


A retention policy for a Cloud Storage bucket governs how long objects in the bucket must be retained. Bucket Lock is a feature to permanently restrict edits to the data retention policy. Bucket Lock should be enabled because it preserves activity logs for forensics and security investigations if the system is compromised by an attacker or malicious insider who wants to cover their tracks.

Remediation Steps

Google Cloud Console

  • Navigate to Storage.

  • Select the bucket in which you want to add a retention policy.

  • Select the Retention tab and click + Set Retention Policy.

  • Enter a duration and select the unit of time for your retention period.

  • Click Save.

gcloud CLI

  • List all sinks destined to storage buckets:

    • gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID

  • For each storage bucket listed above, set a retention policy and lock it:

gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]
gsutil retention lock gs://[BUCKET_NAME]