Ensure that Cloud Storage bucket has usage logs enabled

Turn on usage logs for your Storage Bucket in order to record access by users to public resources, and to follow changes made by the Object Lifecycle Management feature. Other actions are logged by Cloud Audit Logs, which has to be enabled as well.

Risk Level: Low
Cloud Entity: Storage Bucket
CloudGuard Rule ID: D9.GCP.LOG.01
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageBucket should have logging

REMEDIATION

From Command Line
In order to enable usage logs you should:

  1. Create a bucket to store the logs:
gsutil mb gs://<Bucket for logs storing>
  2. Grant the Cloud Storage analytics group 'roles/storage.legacyBucketWriter' on the log bucket, so the service can write the log objects:
gsutil iam ch group:cloud-storage-analytics@google.com:legacyBucketWriter gs://<Bucket for logs storing>
  3. Enable usage logging on the bucket you want to monitor, pointing it at the log bucket:
gsutil logging set on -b gs://<Bucket for logs storing> gs://<Bucket to log>
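An offline way to evaluate the GSL rule above together with step 2 of the remediation: the check below is an added example, not CloudGuard's or GSL's own code, and it runs over constructed bucket resources and IAM policies shaped like the Cloud Storage JSON API (bucket names, members and prefixes are made up).

```python
"""Offline check for 'StorageBucket should have logging' plus the log-bucket permission."""
from __future__ import annotations

# Principal and role that Cloud Storage uses to deliver usage logs (from the GCP docs).
LOG_WRITER = "group:cloud-storage-analytics@google.com"
LOG_WRITER_ROLE = "roles/storage.legacyBucketWriter"

# Constructed sample data: bucket resources and the IAM policies of the log buckets.
BUCKETS = [
    {"name": "web-assets", "logging": {"logBucket": "usage-logs", "logObjectPrefix": "web-assets"}},
    {"name": "backups"},                                           # no logging block at all
    {"name": "exports", "logging": {"logBucket": "orphan-logs"}},  # log bucket lacks the binding
]
IAM_POLICIES = {
    "usage-logs": {"bindings": [{"role": LOG_WRITER_ROLE, "members": [LOG_WRITER]}]},
    "orphan-logs": {"bindings": [{"role": "roles/storage.objectViewer",
                                  "members": ["user:alice@example.com"]}]},
}


def has_logging(bucket: dict) -> bool:
    """GSL 'StorageBucket should have logging': a non-empty logBucket is configured."""
    return bool(bucket.get("logging", {}).get("logBucket"))


def log_sink_writable(policy: dict | None) -> bool:
    """Step 2 of the remediation: the log bucket grants legacyBucketWriter to the analytics group.
    Without it, logging is 'on' but no log objects are ever delivered."""
    if not policy:
        return False
    return any(b.get("role") == LOG_WRITER_ROLE and LOG_WRITER in b.get("members", [])
               for b in policy.get("bindings", []))


def evaluate(buckets: list[dict], policies: dict[str, dict]) -> dict[str, str]:
    """Map each bucket name to 'compliant', 'no logging' or 'log bucket not writable'."""
    findings: dict[str, str] = {}
    for b in buckets:
        if not has_logging(b):
            findings[b["name"]] = "no logging"
        elif not log_sink_writable(policies.get(b["logging"]["logBucket"])):
            findings[b["name"]] = "log bucket not writable"
        else:
            findings[b["name"]] = "compliant"
    return findings


if __name__ == "__main__":
    for name, result in evaluate(BUCKETS, IAM_POLICIES).items():
        print(f"{name}: {result}")
```

Against live projects the same two functions can be fed the output of the buckets.get and buckets.getIamPolicy API calls; the "log bucket not writable" case is the one the GSL rule alone would report as passing.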

References

  1. https://cloud.google.com/storage/docs/gsutil/commands/mb
  2. https://cloud.google.com/storage/docs/gsutil/commands/iam
  3. https://cloud.google.com/storage/docs/gsutil/commands/logging
  4. https://cloud.google.com/storage/docs/access-logs

Storage Bucket

Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. You can use buckets to organize your data and control access to your data, but unlike directories and folders, you cannot nest buckets. Because there are limits on bucket creation and deletion, you should design your storage applications to favor intensive object operations and relatively few bucket operations.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.0.0
  • GCP CSA CCM v.3.0.1
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP GDPR Readiness
  • GCP HIPAA
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0