CCSS (Common Configuration Scoring System) is the set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
Logging storage bucket retention policies and Bucket Lock should be configured. A retention policy for a Cloud Storage bucket governs how long objects in the bucket must be retained. Bucket Lock is a feature to permanently restrict edits to the data retention policy. Bucket Lock should be enabled because it preserves activity logs for forensics and security investigations if the system is compromised by an attacker or malicious insider who wants to cover their tracks.
Logging storage bucket retention policies and Bucket Lock should be configured.
resource "google_storage_bucket" "allowed1" {
  name                        = "valid-bucket-434"
  location                    = "us-east1"
  force_destroy               = true
  uniform_bucket_level_access = true

  # Objects must be kept for retention_period seconds; is_locked = true enables
  # Bucket Lock, so the policy can no longer be shortened or removed afterwards.
  retention_policy {
    retention_period = 86400
    is_locked        = true
  }
}

resource "google_logging_project_sink" "allowed1" {
  name        = "bucket_sink"
  # The sink writes to the locked bucket declared above.
  destination = "storage.googleapis.com/${google_storage_bucket.allowed1.name}"
  filter      = "NOT LOG_ID(\"cloudaudit.googleapis.com/activity\") AND NOT LOG_ID(\"externalaudit.googleapis.com/activity\") AND NOT LOG_ID(\"cloudaudit.googleapis.com/system_event\") AND NOT LOG_ID(\"externalaudit.googleapis.com/system_event\") AND NOT LOG_ID(\"cloudaudit.googleapis.com/access_transparency\") AND NOT LOG_ID(\"externalaudit.googleapis.com/access_transparency\")"
}
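The rule above can be checked automatically before apply. The following script is an added example, not part of the original page or of the scanner it describes: it walks the JSON produced by `terraform show -json plan.out`, finds every `google_logging_project_sink` whose destination is a Cloud Storage bucket, and reports sinks whose bucket has no retention policy, an unlocked one, or a zero retention period. It assumes that bucket names in the plan are literal strings (a name that is "known after apply" cannot be matched) and uses a constructed sample plan so it runs offline; the `SAMPLE_PLAN`, resource addresses and bucket names are invented for the example.

```python
"""Flag Terraform logging sinks that write to a GCS bucket without Bucket Lock.

Reads the JSON form of a Terraform plan (terraform show -json) and applies the
rule "logging storage bucket retention policies and Bucket Lock should be
configured" to every google_logging_project_sink with a storage destination.
"""
import json
import sys

STORAGE_PREFIX = "storage.googleapis.com/"

# Constructed sample plan for the example (not real terraform output):
# sink a -> bucket with a locked retention policy      (compliant)
# sink b -> bucket with an unlocked retention policy   (violation)
# sink c -> bucket with no retention policy at all     (violation)
# sink d -> BigQuery destination                       (out of scope)
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "google_storage_bucket.locked", "type": "google_storage_bucket",
                 "values": {"name": "audit-logs-locked",
                            "retention_policy": [{"retention_period": 86400, "is_locked": True}]}},
                {"address": "google_storage_bucket.unlocked", "type": "google_storage_bucket",
                 "values": {"name": "audit-logs-unlocked",
                            "retention_policy": [{"retention_period": 86400, "is_locked": False}]}},
                {"address": "google_storage_bucket.bare", "type": "google_storage_bucket",
                 "values": {"name": "audit-logs-bare", "retention_policy": []}},
                {"address": "google_logging_project_sink.a", "type": "google_logging_project_sink",
                 "values": {"name": "sink_a", "destination": "storage.googleapis.com/audit-logs-locked"}},
                {"address": "google_logging_project_sink.b", "type": "google_logging_project_sink",
                 "values": {"name": "sink_b", "destination": "storage.googleapis.com/audit-logs-unlocked"}},
                {"address": "google_logging_project_sink.c", "type": "google_logging_project_sink",
                 "values": {"name": "sink_c", "destination": "storage.googleapis.com/audit-logs-bare"}},
                {"address": "google_logging_project_sink.d", "type": "google_logging_project_sink",
                 "values": {"name": "sink_d",
                            "destination": "bigquery.googleapis.com/projects/example/datasets/logs"}},
            ]
        }
    }
}


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def retention_is_locked(bucket_values):
    """True if the bucket has a retention policy with is_locked and a positive period.

    In plan JSON a nested block is a list of objects; an absent block is [] or missing.
    """
    policy = bucket_values.get("retention_policy") or []
    if isinstance(policy, dict):  # tolerate a bare object as well
        policy = [policy]
    if not policy:
        return False
    first = policy[0]
    period = int(first.get("retention_period") or 0)
    return bool(first.get("is_locked")) and period > 0


def find_violations(plan):
    """Return (sink address, bucket name, reason) for each non-compliant storage sink."""
    resources = list(iter_resources(plan["planned_values"]["root_module"]))
    buckets = {r["values"].get("name"): r for r in resources
               if r["type"] == "google_storage_bucket"}
    violations = []
    for res in resources:
        if res["type"] != "google_logging_project_sink":
            continue
        destination = res["values"].get("destination") or ""
        if not destination.startswith(STORAGE_PREFIX):
            continue  # BigQuery / Pub/Sub sinks are not covered by this rule
        bucket_name = destination[len(STORAGE_PREFIX):]
        bucket = buckets.get(bucket_name)
        if bucket is None:
            violations.append((res["address"], bucket_name,
                               "destination bucket not managed in this plan; verify manually"))
        elif not retention_is_locked(bucket["values"]):
            violations.append((res["address"], bucket_name,
                               "retention policy missing, unlocked, or zero length"))
    return violations


if __name__ == "__main__":
    # Usage: python check_bucket_lock.py plan.json   (falls back to the sample plan)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = find_violations(plan)
    for address, bucket, reason in findings:
        print(f"{address}: bucket '{bucket}': {reason}")
    sys.exit(1 if findings else 0)
```

Run it as a pre-apply gate in CI: a non-zero exit blocks the merge until the bucket gets a locked retention policy. Keep in mind that `is_locked = true` is irreversible; the retention period can be raised later but never lowered or removed, so choose the period to match the log retention your investigations require before locking.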