Storage Bucket outside of Europe

To be compliant, ensure that the Storage Bucket's location is in Europe. A bucket's location cannot be changed after creation, so an existing non-compliant bucket has to be replaced: create a new bucket in a European location, move the data into it, and delete the old one.

Risk Level: Low
Cloud Entity: Storage Bucket
CloudGuard Rule ID: D9.GCP.AS.07
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageBucket should have region regexMatch /europe_*|eu/i
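The following script is an added example (not CloudGuard's own code) that applies the rule above to a bucket inventory: it reproduces the GSL regex exactly (case-insensitive, unanchored substring match on the location), offers a stricter anchored allowlist for comparison, and prints the command-line remediation for every bucket it flags. Assumptions: the location codes and bucket names in SAMPLE_BUCKETS are constructed to mirror the JSON API buckets.list shape (locations are uppercase), the STRICT_EUROPE_RE allowlist (EU multi-region, EURn dual-regions, europe-* regions) is my own, and list_buckets_live uses the google-cloud-storage client and only runs with credentials.

```python
"""Audit GCS bucket locations against CloudGuard rule D9.GCP.AS.07 (bucket must be in Europe).

Added example, not CloudGuard's code. Runs offline on the constructed sample below;
the optional live listing needs the google-cloud-storage package and credentials.
"""
import re
from typing import Dict, Iterable, List

# The regex from the page's GSL logic, evaluated the way `regexMatch /europe_*|eu/i`
# does: case-insensitive and unanchored, so any location containing "eu" passes.
GSL_EUROPE_RE = re.compile(r"europe_*|eu", re.IGNORECASE)

# Stricter anchored allowlist (assumption: EU multi-region, EURn predefined
# dual-regions and every europe-* region). The whole location code must match.
STRICT_EUROPE_RE = re.compile(r"^(EU|EUR\d|EUROPE-[A-Z0-9]+)$", re.IGNORECASE)


def rule_matches(location: str) -> bool:
    """Compliance decision exactly as the GSL rule makes it."""
    return GSL_EUROPE_RE.search(location or "") is not None


def is_european(location: str) -> bool:
    """Anchored variant: the location must be one of the European location codes."""
    return STRICT_EUROPE_RE.match(location or "") is not None


def audit(buckets: Iterable[Dict[str, str]], strict: bool = False) -> List[str]:
    """Return the sorted names of buckets whose location is not in Europe.

    A missing or empty location is treated as non-compliant: incomplete metadata
    must never make a bucket pass the check.
    """
    check = is_european if strict else rule_matches
    return sorted(b["name"] for b in buckets if not check(b.get("location", "")))


def remediation_commands(source: str, destination: str) -> List[str]:
    """The gsutil steps from the page's command-line remediation, in order."""
    return [
        f"gsutil mb -l EU gs://{destination}",
        f"gsutil -m cp -r gs://{source}/* gs://{destination}",
        f"gsutil rm -r gs://{source}",
    ]


def list_buckets_live() -> List[Dict[str, str]]:
    """Live inventory via the google-cloud-storage client (needs credentials)."""
    from google.cloud import storage  # imported lazily so the offline path needs no SDK

    return [{"name": b.name, "location": b.location} for b in storage.Client().list_buckets()]


# Constructed sample in the shape of JSON API buckets.list items (locations are uppercase).
SAMPLE_BUCKETS = [
    {"name": "eu-multi-region", "location": "EU"},
    {"name": "finland-regional", "location": "EUROPE-NORTH1"},
    {"name": "eur4-dual-region", "location": "EUR4"},
    {"name": "iowa-regional", "location": "US-CENTRAL1"},
    {"name": "us-multi-region", "location": "US"},
    {"name": "sydney-regional", "location": "AUSTRALIA-SOUTHEAST1"},
    {"name": "metadata-missing", "location": ""},  # incomplete metadata must fail, not pass
]

if __name__ == "__main__":
    for name in audit(SAMPLE_BUCKETS):
        print(f"NON-COMPLIANT {name}")
        for cmd in remediation_commands(name, f"{name}-eu"):
            print("   ", cmd)
```

For the real GCP location codes the loose GSL regex and the anchored allowlist agree, because no location outside Europe contains the substring "eu"; the strict variant is there so that a future or misconfigured location code cannot pass on a substring match. Swap SAMPLE_BUCKETS for list_buckets_live() to run it against a project.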

REMEDIATION

From Portal

  1. Go to the Data Transfer page in the Google Cloud Console.
  2. Click Create transfer job.
  3. Choose a source: use Google Cloud Storage bucket as the source type, and either enter the name of the non-compliant bucket directly, or click Browse to find and select it.
  4. Choose a destination: select a bucket whose location is in Europe (for example the EU multi-region or a europe-* region); either enter its name directly, or click Browse to find and select it.
  5. Choose settings: select the option Delete files from source after they're transferred.
  6. Click Create.
  7. After the transfer completes, re-apply the old bucket's IAM policy and other bucket-level settings on the new bucket (the transfer copies objects, not bucket configuration), then delete the empty source bucket.

From TF
Set the location to "EU" (or a europe-* region). Because a bucket's location is immutable, changing it on an existing google_storage_bucket makes Terraform destroy and recreate the bucket; move the objects to a European bucket first, or they are lost with the old bucket.

resource "google_storage_bucket" "bucket" {
	# ...
	location = "EU"
	# ...
}

From Command Line
Create the destination bucket in Europe, then copy the objects into it (the wildcard goes after the slash; gs://SOURCE_BUCKET* would instead match every bucket whose name starts with SOURCE_BUCKET):

gsutil mb -l EU gs://DESTINATION_BUCKET
gsutil -m cp -r gs://SOURCE_BUCKET/* gs://DESTINATION_BUCKET

Bucket-level IAM policies and settings are not copied; re-apply them on the destination bucket. Once the copy is verified, delete all your objects and the source bucket itself:

gsutil rm -r gs://SOURCE_BUCKET

or delete the objects (every version, if versioning is enabled) but keep the source bucket:

gsutil rm -a gs://SOURCE_BUCKET/**

References

  1. https://cloud.google.com/storage/docs/moving-buckets
  2. https://cloud.google.com/storage/docs/creating-buckets#storage-create-bucket-gsutil

Storage Bucket

Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. You can use buckets to organize your data and control access to your data, but unlike directories and folders, you cannot nest buckets. Because there are limits to bucket creation and deletion, you should design your storage applications to favor intensive object operations and relatively few buckets operations.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP GDPR Readiness