Profile Applicability:

Level 2

Description:

It is recommended to enable retention policies and configure Bucket Lock on all Cloud Storage buckets used as log sinks. This ensures logs are protected from accidental deletion or modification, preserving them for forensic investigations and compliance purposes.

Rationale:

Cloud Logging allows logs to be exported to destinations like Cloud Storage via sinks. To safeguard these logs:

  1. A retention policy ensures logs are stored for a specific period.

  2. Bucket Lock permanently enforces the retention policy, preventing policy modifications or data deletion until the retention period expires.
    This prevents tampering or accidental deletion, even in the event of a security breach or malicious activity.

Impact:

  • Irreversible Action: Once a bucket is locked, its retention policy cannot be removed or reduced.

  • Deletion Restriction: The bucket cannot be deleted until every object in it has reached the end of its retention period and has been removed.

Default Value:

By default, storage buckets used as log sinks do not have retention policies or Bucket Lock configured.

Audit Steps:

Using Google Cloud Console:

  1. Open the Cloud Storage browser: Cloud Storage Console.

  2. Ensure the Retention policy column is enabled in the display options.

  3. Verify that:

    • Each log sink bucket has a retention period set.

    • A lock icon appears next to the retention period, indicating Bucket Lock is enabled.

Using Google Cloud CLI:

List sinks configured for storage buckets. The scope flags are mutually exclusive, so use exactly one of them, matching the level at which the sink is defined:

gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID

For each bucket listed, verify retention policies and Bucket Lock:

gsutil retention get gs://BUCKET_NAME

  • Ensure a retention period is set and the policy is reported as LOCKED (Bucket Lock enabled).
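As an added example (not part of the benchmark text), the following POSIX shell helper automates this audit: it classifies the output of `gsutil retention get` for each bucket and walks every Cloud Storage sink in a project. The sample outputs are constructed to mirror gsutil's format, and the `value(destination)` format string and the `storage.googleapis.com/BUCKET` destination form are assumptions about the tools' output.

```shell
#!/bin/sh
# Added audit helper, not part of the CIS benchmark. Classifies each log-sink
# bucket from `gsutil retention get` output and flags any bucket whose
# retention policy is missing or not locked.
# The sample outputs below are constructed to mirror gsutil's format (assumed).

SAMPLE_LOCKED='  Retention Policy (LOCKED):
    Duration: 365 Day(s)
    Effective Time: Mon, 01 Jan 2024 00:00:00 GMT'
SAMPLE_UNLOCKED='  Retention Policy (UNLOCKED):
    Duration: 30 Day(s)
    Effective Time: Mon, 01 Jan 2024 00:00:00 GMT'
SAMPLE_NONE='gs://audit-logs-example/ has no Retention Policy.'

# check_retention OUTPUT
# Prints COMPLIANT when a locked policy exists, UNLOCKED when a policy exists
# but Bucket Lock has not been applied, and NO_POLICY otherwise.
check_retention() {
    case "$1" in
        *"Retention Policy (LOCKED)"*)   echo COMPLIANT ;;
        *"Retention Policy (UNLOCKED)"*) echo UNLOCKED ;;
        *)                               echo NO_POLICY ;;
    esac
}

# sink_buckets PROJECT_ID
# Extracts bucket names from Cloud Storage sink destinations, which are
# assumed to have the form storage.googleapis.com/BUCKET. Requires gcloud.
sink_buckets() {
    gcloud logging sinks list --project="$1" --format='value(destination)' \
        | sed -n 's#^storage\.googleapis\.com/##p'
}

# audit_project PROJECT_ID
# Prints "BUCKET<TAB>STATUS" per sink bucket; returns 1 if any is non-compliant.
audit_project() {
    rc=0
    for b in $(sink_buckets "$1"); do
        s=$(check_retention "$(gsutil retention get "gs://$b" 2>&1)")
        printf '%s\t%s\n' "$b" "$s"
        [ "$s" = COMPLIANT ] || rc=1
    done
    return $rc
}

# Offline demonstration on the constructed samples (no gcloud/gsutil needed):
for sample in "$SAMPLE_LOCKED" "$SAMPLE_UNLOCKED" "$SAMPLE_NONE"; do
    check_retention "$sample"
done
```

Run `audit_project PROJECT_ID` from an authenticated gcloud session to check a real project; a non-zero exit status means at least one sink bucket needs remediation.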

Remediation Steps:

Using Google Cloud Console:

  1. Ensure log sinks are configured (refer to the recommendation on configuring log sinks).

  2. Open the Cloud Storage browser for each sink bucket: Cloud Storage Console.

  3. Navigate to the Bucket Lock tab.

  4. Set a retention policy:

    • Click Add Duration, specify the retention period, and click Save policy.

  5. Lock the retention policy by selecting Lock status and clicking Locked.

Using Google Cloud CLI:

List sinks for storage buckets, using exactly one of the mutually exclusive scope flags:

gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID

Set and then lock a retention policy for each bucket. Locking is irreversible, so confirm the duration is correct before running the second command:

gsutil retention set [TIME_DURATION] gs://BUCKET_NAME
gsutil retention lock gs://BUCKET_NAME

Backout Plan:

  1. If a Mistake is Made Before Locking

    • Modify the retention period before locking using:

      gsutil retention set <NEW_DURATION> gs://<BUCKET_NAME>

  2. If Bucket Lock is Already Enabled (Irreversible)

    • Wait for the retention period to expire before deleting logs.

    • Ensure retention policies are reviewed carefully before applying Bucket Lock.

References:
  1. Bucket Lock Overview

  2. Setting Retention Policies

  3. Cloud Logging Sinks

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
3.3 Configure Data Access Control Lists | Implement access controls to ensure only authorized individuals can access sensitive data. | | |
14.6 Protect Information through ACLs | Safeguard information using file system, network share, or database access control lists. | | |