GCP-Storage-bucket-with-harmful-object-life-cycle
Severity: Medium
Description: This control ensures that the bucket has no lifecycle rule with "Action = Delete" or "Age < 90 days AND Action = Delete". There should be no lifecycle rule that deletes versioned objects, because those objects are deleted automatically once their retention period is over.
Remediation Steps:
Perform the following to remove the harmful lifecycle rules from the bucket:
Sign in to GCP Console https://console.cloud.google.com.
Go to Cloud Storage browser.
Click the reported storage bucket.
In Bucket Details, go to the Lifecycle tab.
Delete the rules with "Age < 90 days and Action = Delete" or "Action = Delete".
Important:
The only exception to this rule is a rule whose condition is age greater than 90 days and whose action is delete; in that case the control passes for the bucket, provided no other 'delete' actions are present.
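Added example, not part of the original control text: a small Python evaluator that applies this control's logic to a bucket resource in the shape returned by the Cloud Storage JSON API (lifecycle.rule[].action.type and condition.age). The function names and the sample bucket resources are constructed assumptions for illustration.

```python
# Added example, not part of the original control text: evaluates the control
# against a bucket resource in the shape returned by the Cloud Storage JSON API
# (lifecycle.rule[].action.type and condition.age). Function names and the
# sample bucket resources below are constructed assumptions for illustration.
MIN_AGE_DAYS = 90  # a Delete rule is tolerated only with an age condition >= this


def harmful_delete_rules(bucket: dict) -> list:
    """Return one finding per lifecycle rule that violates the control.
    A rule is harmful when action.type is "Delete" and it either has no age
    condition (e.g. only isLive/numNewerVersions, which targets versioned
    objects) or its age is below MIN_AGE_DAYS. SetStorageClass rules are
    ignored. Age exactly 90 is assumed to pass per the "Age < 90" wording.
    """
    findings = []
    for i, rule in enumerate(bucket.get("lifecycle", {}).get("rule", [])):
        if rule.get("action", {}).get("type") != "Delete":
            continue
        age = rule.get("condition", {}).get("age")
        if age is None:
            findings.append(f"rule[{i}]: Delete with no age condition")
        elif age < MIN_AGE_DAYS:
            findings.append(f"rule[{i}]: Delete with age {age} < {MIN_AGE_DAYS} days")
    return findings


def control_passes(bucket: dict) -> bool:
    """True when the bucket has no harmful Delete rule (the remediated state)."""
    return not harmful_delete_rules(bucket)


# Constructed sample bucket resources; the shape follows the JSON API, values are made up.
FAILING_BUCKET = {
    "name": "example-logs",
    "lifecycle": {"rule": [
        {"action": {"type": "Delete"}, "condition": {"age": 30}},
        {"action": {"type": "Delete"}, "condition": {"isLive": False}},
        {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
         "condition": {"age": 60}},
    ]},
}
PASSING_BUCKET = {
    "name": "example-archive",
    "lifecycle": {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 365}}]},
}

if __name__ == "__main__":
    for b in (FAILING_BUCKET, PASSING_BUCKET):
        print(b["name"], "PASS" if control_passes(b) else "FAIL", harmful_delete_rules(b))
```

Feeding it the output of buckets.get for each bucket in a project gives the same pass/fail verdict as the control, and the findings list names the rules that the remediation steps above tell you to delete.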
Reference:
GCP Best Practice control
https://cloud.google.com/storage/docs/json_api/v1/buckets/get
Blue Hexagon Proprietary