Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock

Enabling retention policies on log buckets protects logs stored in Cloud Storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.

Logs can be exported by creating one or more sinks, each of which includes a log filter and a destination. As Cloud Logging receives new log entries, they are compared against each sink. If a log entry matches a sink's filter, a copy of the log entry is written to the destination. Sinks can be configured to export logs to storage buckets.

It is recommended to configure a data retention policy for these Cloud Storage buckets and to lock the policy, which permanently prevents it from being reduced or removed. This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are preserved for forensics and security investigations.

Locking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the retention policy from the bucket or decrease the retention period for the policy.

Risk Level: High
Cloud Entity: Storage Bucket
CloudGuard Rule ID: D9.GCP.OPE.03
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageBucket where getResource('LogSink',id,'storageBucketId') should have retentionPolicy.isLocked

REMEDIATION

From Portal

  1. If sinks are not configured, first follow the instructions in the recommendation: Ensure that sinks are configured for all Log entries.
  2. For each storage bucket configured as a sink, go to the Cloud Storage browser at https://console.cloud.google.com/storage/browser.
  3. Select the Bucket Lock tab near the top of the page.
  4. In the Retention policy entry, click the Add Duration link. The Set a retention policy dialog box appears.
  5. Enter the desired length of time for the retention period and click Save policy.
  6. Set the Lock status for this retention policy to Locked.

From TF

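  1. In your template for the resource google_storage_bucket, make sure a retention_policy block is present with the arguments retention_period (the desired duration, in seconds) and is_locked = true.
resource "google_storage_bucket" "MY_BUCKET" {
  name     = "examplebucket"
  project  = "MY PROJECT ID"
  location = "location"

  # Locking is irreversible: once applied, the policy cannot be removed
  # and the retention period cannot be decreased.
  retention_policy {
    retention_period = 2592000 # desired duration in seconds (example value: 30 days)
    is_locked        = true
  }
}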

From Command Line

  1. To list all sinks destined to storage buckets, run the following command with one of the scope flags (the | separates alternatives and is not a shell pipe):
gcloud logging sinks list [--folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID]
  2. For each storage bucket listed above, set a retention policy and lock it:
gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]
gsutil retention lock gs://[BUCKET_NAME]

For gsutil, when specifying a retention period, you specify an integer and a unit, where the unit can be s, d, m, or y to signify seconds, days, months, or years, respectively. Only one unit of time can be used in a command. For example, you can use 86400s or 1d, but you cannot use 1d30s.
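
To confirm the outcome of the steps above, the rule's check can be reproduced offline over exported JSON. This is an added example, not CloudGuard's or Google's code. The sink and bucket records are constructed and assume the Cloud Logging sink shape and the Cloud Storage JSON API bucket shape (retentionPolicy.isLocked); the status names are hypothetical.

```python
STORAGE_PREFIX = "storage.googleapis.com/"

# Constructed sample data (not real resources).
SAMPLE_SINKS = [
    {"name": "audit-to-gcs", "destination": "storage.googleapis.com/audit-logs-locked"},
    {"name": "app-to-gcs", "destination": "storage.googleapis.com/app-logs-unlocked"},
    {"name": "vpc-to-gcs", "destination": "storage.googleapis.com/vpc-logs-no-policy"},
    {"name": "to-bq", "destination": "bigquery.googleapis.com/projects/p/datasets/d"},
    {"name": "orphan", "destination": "storage.googleapis.com/not-in-inventory"},
]
SAMPLE_BUCKETS = [
    {"name": "audit-logs-locked",
     "retentionPolicy": {"retentionPeriod": "31536000", "isLocked": True}},
    {"name": "app-logs-unlocked", "retentionPolicy": {"retentionPeriod": "2592000"}},
    {"name": "vpc-logs-no-policy"},
]


def sink_bucket(sink):
    """Return the bucket name if the sink writes to Cloud Storage, else None."""
    dest = sink.get("destination", "")
    if not dest.startswith(STORAGE_PREFIX):
        return None
    return dest[len(STORAGE_PREFIX):].split("/", 1)[0]


def audit(sinks, buckets):
    """Map each sink bucket to PASS, UNLOCKED, NO_POLICY or UNKNOWN_BUCKET."""
    by_name = {b["name"]: b for b in buckets}
    findings = {}
    for sink in sinks:
        name = sink_bucket(sink)
        if name is None:
            continue  # BigQuery, Pub/Sub, etc. are out of scope for this rule
        bucket = by_name.get(name)
        if bucket is None:
            findings[name] = "UNKNOWN_BUCKET"  # cannot be verified; treat as failing
        elif "retentionPolicy" not in bucket:
            findings[name] = "NO_POLICY"
        elif bucket["retentionPolicy"].get("isLocked") is True:
            findings[name] = "PASS"
        else:
            findings[name] = "UNLOCKED"  # policy exists but can still be reduced or removed
    return findings


if __name__ == "__main__":
    for bucket, status in audit(SAMPLE_SINKS, SAMPLE_BUCKETS).items():
        print(f"{status:15} gs://{bucket}")
```

Any status other than PASS means the bucket still needs the retention set and lock steps above.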

References

  1. https://cloud.google.com/storage/docs/bucket-lock
  2. https://cloud.google.com/storage/docs/using-bucket-lock

Storage Bucket

Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. You can use buckets to organize your data and control access to your data, but unlike directories and folders, you cannot nest buckets. Because there are limits to bucket creation and deletion, you should design your storage applications to favor intensive object operations and relatively few bucket operations.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0