Logging storage bucket retention policies and Bucket Lock are not configured Affecting Cloud Storage service in Google


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Logging / Retention

  • Frameworks CIS-Google, CSA-CCM, NIST-800-53
  • Snyk ID SNYK-CC-00374
  • Credit Snyk Research Team

Description

A retention policy on a Cloud Storage bucket governs how long objects in the bucket must be retained before they can be deleted or overwritten. Bucket Lock permanently locks that retention policy so it can no longer be removed or shortened. Bucket Lock should be enabled on logging buckets because it preserves activity logs for forensics and security investigations even when the system is compromised by an attacker or a malicious insider who wants to cover their tracks by deleting the logs.

How to fix?

Set the is_locked attribute inside the retention_policy block of the logging bucket to true.

Example Configuration

resource "google_storage_bucket" "logs_bucket" {
  name                        = "valid-bucket-lock"
  # Note: force_destroy does not bypass a locked retention policy; objects
  # (and therefore the bucket) cannot be deleted until the period has elapsed.
  force_destroy               = true
  uniform_bucket_level_access = true

  retention_policy {
    retention_period = 86400   # seconds (1 day); can only be increased once locked
    is_locked        = true    # Bucket Lock: irreversible, locks the policy
  }
}
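The Terraform block above shows the compliant configuration. To check what is actually deployed, the following added example (not Snyk's checker and not part of the original page) audits bucket metadata for the three failure modes this rule cares about: no retention policy, a policy that is present but not locked, and a period below an organisational floor. It assumes each bucket is a dict shaped like the JSON API `buckets.get` response (the same shape `gcloud storage buckets describe gs://NAME --format=json` prints), with an optional `retentionPolicy` object carrying `retentionPeriod` (seconds, serialised as a string) and `isLocked`. `MIN_RETENTION_SECONDS` is a hypothetical floor set to match the page's one-day example, and the sample buckets are constructed.

```python
"""Audit Cloud Storage buckets for the retention-policy / Bucket Lock rule.

Added example, not Snyk's own checker. Buckets are dicts shaped like the
JSON API `buckets.get` response: an optional "retentionPolicy" object with
"retentionPeriod" (seconds, serialised as a string) and "isLocked" (bool).
MIN_RETENTION_SECONDS is a hypothetical organisational floor.
"""
from dataclasses import dataclass

RULE_ID = "SNYK-CC-00374"        # rule id from the page
MIN_RETENTION_SECONDS = 86400    # hypothetical floor; the page's example uses 1 day


@dataclass(frozen=True)
class Finding:
    bucket: str
    rule: str
    detail: str


def audit_bucket(bucket: dict) -> list[Finding]:
    """Return the findings for one bucket; an empty list means compliant."""
    name = bucket.get("name", "<unnamed>")
    policy = bucket.get("retentionPolicy")
    if policy is None:
        # No policy at all: log objects can be deleted or overwritten at any time.
        return [Finding(name, RULE_ID, "no retention policy configured")]

    findings = []
    # retentionPeriod is an int64 serialised as a string in the JSON API.
    period = int(policy.get("retentionPeriod", "0"))
    if period < MIN_RETENTION_SECONDS:
        findings.append(Finding(
            name, RULE_ID,
            f"retention period {period}s is below the {MIN_RETENTION_SECONDS}s floor"))
    if not policy.get("isLocked", False):
        # Unlocked: anyone allowed to update the bucket can remove or shorten
        # the policy and then delete the logs, which is what Bucket Lock prevents.
        findings.append(Finding(
            name, RULE_ID, "retention policy is not locked (Bucket Lock off)"))
    return findings


def audit_buckets(buckets: list[dict]) -> dict[str, list[Finding]]:
    """Map bucket name -> findings; compliant buckets map to an empty list."""
    return {b.get("name", "<unnamed>"): audit_bucket(b) for b in buckets}


# Constructed sample API responses, not real buckets.
SAMPLE_BUCKETS = [
    {"name": "logs-no-policy"},
    {"name": "logs-unlocked",
     "retentionPolicy": {"retentionPeriod": "86400", "isLocked": False}},
    {"name": "logs-short-locked",
     "retentionPolicy": {"retentionPeriod": "3600", "isLocked": True}},
    {"name": "logs-locked",
     "retentionPolicy": {"retentionPeriod": "86400", "isLocked": True,
                         "effectiveTime": "2024-01-01T00:00:00Z"}},
]

if __name__ == "__main__":
    for bucket_name, findings in audit_buckets(SAMPLE_BUCKETS).items():
        status = "OK" if not findings else "FAIL"
        print(f"{status:4} {bucket_name}")
        for f in findings:
            print(f"       {f.rule}: {f.detail}")
```

Only `logs-locked` passes. Before remediating a flagged bucket keep in mind that locking is one-way: once `isLocked` is true the period can only be increased, the policy cannot be removed, and the bucket cannot be deleted until every object has aged past the retention period, so pick the period deliberately rather than copying the one-day value from the example.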