Profile Applicability:
Level 2
Description:
It is recommended to enable retention policies and configure Bucket Lock on all Cloud Storage buckets used as log sinks. This ensures logs are protected from accidental deletion or modification, preserving them for forensic investigations and compliance purposes.
Rationale:
Cloud Logging allows logs to be exported to destinations like Cloud Storage via sinks. To safeguard these logs:
A retention policy sets a minimum age that every object in the bucket must reach before it can be deleted or overwritten.
Bucket Lock permanently enforces that policy: once locked, the policy cannot be removed and its period cannot be shortened (it can still be lengthened), so no exported log object can be deleted or replaced before it reaches the retention period.
Together these prevent tampering with, or accidental deletion of, exported logs, even by an attacker or insider who has gained permissions on the bucket: an unlocked policy can simply be removed by anyone allowed to update the bucket, a locked one cannot.
Impact:
Irreversible Action: Once a bucket is locked, its retention policy cannot be removed and the retention period cannot be reduced; it can only be increased.
Deletion Restriction: Objects cannot be deleted or overwritten until they reach the retention period, and the bucket itself can only be deleted once every object has aged out and been removed. Choose the period deliberately: it applies to every object in the bucket, and all of them are billed for storage for the full period.
Default Value:
By default, storage buckets used as log sinks do not have retention policies or Bucket Lock configured.
Audit Steps:
Using Google Cloud Console:
Open the Cloud Storage browser: Cloud Storage Console.
Ensure the Retention policy column is enabled in the display options.
Verify that:
Each log sink bucket has a retention period set.
A lock icon appears next to the retention period, indicating Bucket Lock is enabled.
Using Google Cloud CLI:
List the sinks in scope (specify exactly one of --project, --folder, or --organization; the flags are mutually exclusive):
gcloud logging sinks list --folder=FOLDER_ID --organization=ORGANIZATION_ID --project=PROJECT_ID
Only sinks whose destination begins with storage.googleapis.com/ export to Cloud Storage; the remainder of the destination is the bucket name. For each such bucket, verify the retention policy and Bucket Lock:
gsutil retention get gs://BUCKET_NAME
The output must show a retention Duration under a heading of Retention Policy (LOCKED). A heading of Retention Policy (UNLOCKED), or a message that the bucket has no Retention Policy, is a finding.
Remediation Steps:
Using Google Cloud Console:
Ensure log sinks are configured (refer to the recommendation on configuring log sinks).
Open the Cloud Storage browser for each sink bucket: Cloud Storage Console.
Navigate to the Bucket Lock tab.
Set a retention policy:
Click Add Duration, specify the retention period, and click Save policy.
Lock the retention policy by selecting Lock status and clicking Locked. The console asks you to confirm, because once locked the policy can no longer be removed or shortened.
Using Google Cloud CLI:
List sinks for storage buckets (specify exactly one of --project, --folder, or --organization):
gcloud logging sinks list --folder=FOLDER_ID --organization=ORGANIZATION_ID --project=PROJECT_ID
For each bucket, set the retention policy first, confirm the duration is the one intended (gsutil retention get, as in the Audit Steps), and only then lock it. TIME_DURATION is a number with a unit suffix, for example 90d or 1y. Locking is permanent and gsutil asks for confirmation:
gsutil retention set TIME_DURATION gs://BUCKET_NAME
gsutil retention lock gs://BUCKET_NAME
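The following script is an added worked example that ties the Audit Steps and the CLI remediation above together; it is not part of the benchmark or of Google's tooling. It assumes that gcloud logging sinks list --format="value(name,destination)" prints one sink per line with name and destination separated by a tab, and that gsutil retention get prints the "Retention Policy (LOCKED)" / "Retention Policy (UNLOCKED)" headings with a Duration line. All tool output embedded in the script is constructed sample text; the live gcloud/gsutil calls run only when RUN_LIVE=1, and the pre-lock guard refuses to emit the irreversible lock command unless the policy is present, still unlocked, and already has the intended duration.

```shell
#!/bin/sh
# Added example: audit Cloud Storage log-sink buckets for a locked retention
# policy, and guard the irreversible `gsutil retention lock` step.
# Not part of the CIS benchmark or of Google's tooling.
# The gcloud/gsutil text parsed below is CONSTRUCTED sample output; the live
# tool calls at the bottom run only when RUN_LIVE=1.

# Print the bucket name for every sink that exports to Cloud Storage.
# stdin: output of  gcloud logging sinks list --format="value(name,destination)"
#        (assumed: one sink per line, name and destination separated by a tab)
storage_buckets_from_sinks() {
  awk -F'\t' '$2 ~ /^storage\.googleapis\.com\// {
    sub(/^storage\.googleapis\.com\//, "", $2); print $2 }'
}

# Classify the text printed by  gsutil retention get gs://BUCKET
# Prints "LOCKED<TAB>duration", "UNLOCKED<TAB>duration", or "NONE".
retention_status() {
  awk '
    /Retention Policy \(LOCKED\)/   { status = "LOCKED" }
    /Retention Policy \(UNLOCKED\)/ { status = "UNLOCKED" }
    /Duration:/ { $1 = ""; sub(/^ /, ""); duration = $0 }
    END { if (status == "") print "NONE"; else print status "\t" duration }'
}

# Audit verdict: PASS only when a policy exists AND Bucket Lock is enabled.
# $1 = bucket name; stdin = gsutil retention get output
audit_verdict() {
  status=$(retention_status | cut -f1)
  case "$status" in
    LOCKED)   echo "PASS $1: retention policy locked" ;;
    UNLOCKED) echo "FAIL $1: retention policy set but not locked" ;;
    *)        echo "FAIL $1: no retention policy" ;;
  esac
}

# Pre-lock guard: locking is irreversible, so print the lock command (and
# return 0) only when the policy is present, still unlocked, and already has
# the intended duration exactly as gsutil displays it.
# $1 = bucket name, $2 = expected duration text; stdin = gsutil retention get output
safe_to_lock() {
  line=$(retention_status)
  status=$(printf '%s\n' "$line" | cut -f1)
  duration=$(printf '%s\n' "$line" | cut -s -f2)
  case "$status" in
    LOCKED) echo "skip $1: already locked"; return 1 ;;
    NONE)   echo "refuse $1: no policy set; run gsutil retention set first"; return 1 ;;
  esac
  if [ "$duration" != "$2" ]; then
    echo "refuse $1: policy is '$duration', expected '$2'; fix it before locking"
    return 1
  fi
  echo "gsutil retention lock gs://$1"
}

# ---- Constructed sample tool output (not captured from a real project) ----
SAMPLE_SINKS=$(printf '%s\t%s\n' \
  _Default     logging.googleapis.com/projects/example-proj/locations/global/buckets/_Default \
  audit-to-gcs storage.googleapis.com/example-audit-logs \
  bq-export    bigquery.googleapis.com/projects/example-proj/datasets/logs)
LOCKED_OUT=$(printf '  Retention Policy (LOCKED):\n    Duration: 365 Day(s)\n    Effective Time: Tue, 06 Feb 2024 12:00:00 GMT\n')
UNLOCKED_OUT=$(printf '  Retention Policy (UNLOCKED):\n    Duration: 30 Day(s)\n    Effective Time: Tue, 06 Feb 2024 12:00:00 GMT\n')
NO_POLICY_OUT='gs://example-other/ has no Retention Policy.'

# Stand-alone demonstration on the samples (no credentials or network needed).
printf '%s\n' "$SAMPLE_SINKS"  | storage_buckets_from_sinks
printf '%s\n' "$LOCKED_OUT"    | audit_verdict example-audit-logs
printf '%s\n' "$NO_POLICY_OUT" | audit_verdict example-other
printf '%s\n' "$UNLOCKED_OUT"  | safe_to_lock example-audit-logs "30 Day(s)"
printf '%s\n' "$UNLOCKED_OUT"  | safe_to_lock example-audit-logs "365 Day(s)" || true

# Live audit of one project (assumed usage): RUN_LIVE=1 PROJECT=my-proj sh audit.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  gcloud logging sinks list --project="$PROJECT" --format="value(name,destination)" \
    | storage_buckets_from_sinks \
    | while read -r bucket; do
        gsutil retention get "gs://$bucket" | audit_verdict "$bucket"
      done
fi
```

The guard compares the duration text exactly as gsutil prints it, so a policy set as 1y will not match an expected value of "365 Day(s)"; that is intentional, since a surprise at this step is precisely what should stop an irreversible lock. Run the live section once per project, folder, or organization in scope.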
Backout Plan:
If a Mistake is Made Before Locking
Until the policy is locked it can be changed or removed freely. Correct the retention period with:
gsutil retention set <NEW_DURATION> gs://<BUCKET_NAME>
An unlocked policy can also be removed outright with the gsutil retention clear subcommand.
If Bucket Lock is Already Enabled (Irreversible)
The policy can no longer be removed or shortened; it can only be lengthened. Each object becomes deletable once it reaches the retention period, and the bucket can be deleted only after every object has aged out and been removed, so plan for the logs to remain for the full period.
Review the retention period carefully, and confirm it with gsutil retention get, before applying Bucket Lock.