GCP-Storage-log-buckets-have-object-versioning-disabled

Severity: Medium

Description: This control identifies storage log buckets that have object versioning disabled. Enabling object versioning on storage log buckets protects your cloud storage data from being overwritten or accidentally deleted. It is recommended to enable the object versioning feature on all storage buckets where sinks are configured.

Remediation Steps:

Perform the following to enable versioning on a storage bucket:

  1. List all sinks destined for storage buckets.

  2. For every storage bucket listed above, verify that object versioning is Enabled

    • gsutil versioning get gs://<Bucket>. Output for this command should return Enabled.

  3. To enable object versioning on a storage log bucket:

    • gsutil versioning set on gs://<Bucket>
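
The three steps above as one audit script. This is an added example, not part of the original control text. The function names, the sample sink list and the stub are constructed; it assumes sink destinations are listed with `gcloud logging sinks list` (a command this page does not give) and that `gsutil versioning get` prints `gs://<bucket>: Enabled` or `gs://<bucket>: Suspended`.

```shell
# Added example (not from the original page): find sink buckets without versioning.

# Command that queries one bucket; override it to run without GCP access.
: "${VERSIONING_GET:=gsutil versioning get}"

# stdin: sink destinations, one per line. stdout: unique storage bucket names.
# Storage sinks look like storage.googleapis.com/<bucket>; other types are skipped.
sink_buckets() {
  sed -n 's#^storage\.googleapis\.com/\([^/]*\).*#\1#p' | sort -u
}

# $1: one line of `gsutil versioning get` output, e.g. "gs://b: Enabled".
# Suspended, empty or error output all count as not enabled (fail closed).
versioning_enabled() {
  case "$1" in
    *": Enabled") return 0 ;;
    *) return 1 ;;
  esac
}

# stdin: sink destinations. stdout: buckets whose versioning is not Enabled.
unversioned_log_buckets() {
  for _b in $(sink_buckets); do
    _out=$($VERSIONING_GET "gs://$_b" 2>/dev/null) || _out=""
    versioning_enabled "$_out" || echo "$_b"
  done
}

# Constructed sample of: gcloud logging sinks list --format='value(destination)'
SAMPLE_SINKS='storage.googleapis.com/audit-logs-archive
bigquery.googleapis.com/projects/example-proj/datasets/logs
storage.googleapis.com/vpc-flow-logs
storage.googleapis.com/audit-logs-archive'

# Constructed offline stand-in for gsutil: only audit-logs-archive is versioned.
stub_versioning_get() {
  case "$1" in
    gs://audit-logs-archive) echo "$1: Enabled" ;;
    *) echo "$1: Suspended" ;;
  esac
}

# Run the audit over the sample with the stub in place of gsutil.
demo() {
  ( VERSIONING_GET=stub_versioning_get
    printf '%s\n' "$SAMPLE_SINKS" | unversioned_log_buckets )
}

for b in $(demo); do echo "fix: gsutil versioning set on gs://$b"; done
```

Against a live project, pipe `gcloud logging sinks list --format='value(destination)'` into `unversioned_log_buckets`; a bucket that cannot be queried is reported as a finding rather than skipped.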

Important:

Presently, object versioning can be enabled on storage log buckets using the command-line interface only.


Blue Hexagon Proprietary