GCP-Storage-bucket-retention-policies-on-log-buckets-configured-using-bucket-lock
Severity: Medium
Description: This control ensures that the retention policy is defined and locked for a Cloud Storage bucket. The Bucket Lock feature allows defining a data retention policy for a Cloud Storage bucket. This retention policy governs how long objects in the bucket must be retained. This policy can also be locked, permanently preventing the policy from being reduced or removed.
Remediation Steps:
Perform the following steps to configure the lock status of a bucket retention policy:
Sign in to GCP Console https://console.cloud.google.com.
Go to the Cloud Storage browser.
Select the storage bucket configured as the log sink.
Select the Protection tab near the top of the page.
In the Retention policy entry, click the Add duration link. The Set a retention policy dialog box will appear.
Enter the desired length of time for your retention period and click Save policy.
Set the Lock status for this retention policy to Locked.
Important:
Locking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the retention policy from the bucket or decrease the retention period for the policy.
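Added example (not part of this control text or of any vendor tooling): an offline check that evaluates bucket metadata in the shape returned by the Cloud Storage JSON API (the same shape `gcloud storage buckets describe gs://BUCKET --format=json` prints) and reports whether a retention policy exists and is locked. The three sample buckets are constructed for illustration, and the gsutil commands the helper returns are the CLI equivalent of the console steps above.

```python
"""Offline compliance check for the Bucket Lock control.

A bucket passes only when `retentionPolicy` is present and
`retentionPolicy.isLocked` is true; an absent `isLocked` means unlocked.
"""
import json

# Constructed sample data: one compliant bucket, one unlocked, one with no policy.
SAMPLE_BUCKETS = json.loads("""[
  {"name": "audit-logs-locked",
   "retentionPolicy": {"retentionPeriod": "31536000",
                       "effectiveTime": "2021-05-01T00:00:00Z",
                       "isLocked": true}},
  {"name": "audit-logs-unlocked",
   "retentionPolicy": {"retentionPeriod": "2592000",
                       "effectiveTime": "2021-05-01T00:00:00Z"}},
  {"name": "audit-logs-no-policy"}
]""")


def evaluate_bucket(bucket: dict) -> dict:
    """Return a finding dict with status PASS or FAIL and a reason."""
    name = bucket.get("name", "<unnamed>")
    policy = bucket.get("retentionPolicy")
    if not policy:
        return {"bucket": name, "status": "FAIL",
                "reason": "no retention policy defined"}
    # The API returns retentionPeriod as a string number of seconds.
    period = int(policy.get("retentionPeriod", "0"))
    if not policy.get("isLocked", False):
        return {"bucket": name, "status": "FAIL",
                "reason": f"retention policy ({period} s) is not locked"}
    return {"bucket": name, "status": "PASS",
            "reason": f"retention policy locked at {period} s"}


def evaluate_all(buckets: list) -> list:
    return [evaluate_bucket(b) for b in buckets]


def remediation_commands(bucket_name: str, days: int) -> list:
    """gsutil equivalent of the console steps; the lock step is irreversible."""
    return [f"gsutil retention set {days}d gs://{bucket_name}",
            f"gsutil retention lock gs://{bucket_name}"]


if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_BUCKETS):
        print(f'{f["status"]:4} {f["bucket"]}: {f["reason"]}')
```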
Reference:
CIS Google Cloud Platform Foundation Benchmark v1.2.0 - 05-01-2021: Recommendation #2.3
Blue Hexagon Proprietary