Google Cloud Storage

Cloud Storage Bucket Versioning Disabled

Ensures that object versioning is enabled on storage buckets.

Risk Level: Medium

Description

This plugin ensures object versioning is enabled on storage buckets. Object versioning lets you retrieve storage objects that have been deleted or replaced by storing multiple versions of each object in the storage bucket.

About the Service

Google Cloud Storage:

Google Cloud Storage is a service that provides dependable and secure storage classes for any workload, allowing users to select cost-effective storage alternatives based on their requirements. You can effortlessly move data to Cloud Storage and benefit from its strong security and scalability features.

Impact

If object versioning is not enabled on your storage buckets, you will not be able to retrieve deleted or replaced objects. This also complicates the bucket recovery process after incidents such as hacks, data loss, or accidental deletions.

Steps to Reproduce

Using GCP Console:

  1. Log in to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Cloud Storage and select Browser.
  4. Select the storage bucket you want to investigate from the list of buckets displayed and go to the PROTECTION tab of the selected bucket.
  5. Under the Object versioning section, check if the object versioning is enabled. If it isn't turned on, it will look similar to the screenshot below.

  6. Repeat steps 4 and 5 for all the storage buckets you want to investigate in the selected project.
  7. If you have multiple projects, repeat steps 2 to 6 for each project in your GCP Console. 

Steps for Remediation

Determine whether or not you truly require object versioning to be disabled. If not, make the necessary changes to enable it using the steps below.

Using GCP Console:

  1. Log in to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Cloud Storage and select Browser.
  4. Select the storage bucket you want to reconfigure from the list of buckets displayed and go to the PROTECTION tab of the selected bucket. (In case you aren’t sure which storage bucket needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
  5. Under the Object versioning section, click on the OBJECT VERSIONING OFF button.
    Note: Object versioning and retention policy cannot be used at the same time. If you are not able to perform step 5, delete the retention policy first in order to access object versioning.

  6. In the Turn on object versioning? dialog box, check the Add recommended lifecycle rules to manage version costs option to optimize costs, edit its configurations if desired and click CONFIRM.
  7. Repeat steps 4 to 6 for all the buckets you want to reconfigure in the selected project.
  8. If you have multiple projects, repeat steps 2 to 7 for each project in your GCP console.
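
The per-bucket console check above can also be run over bucket metadata in bulk. The following is an added example, not part of the original plugin: it classifies bucket resources shaped like the Cloud Storage JSON API `buckets.list` output, and also flags the two remediation cases from steps 5 and 6 (a retention policy in the way, and no lifecycle rule for old versions). The bucket names and status labels are assumptions made for illustration.

```python
import json

# Constructed sample: bucket resources shaped like the "items" array returned by
# the Cloud Storage JSON API buckets.list call. Bucket names are made up.
SAMPLE_BUCKETS = json.loads("""
[
  {"name": "example-logs", "versioning": {"enabled": true},
   "lifecycle": {"rule": [{"action": {"type": "Delete"},
                           "condition": {"numNewerVersions": 3, "isLive": false}}]}},
  {"name": "example-backups", "versioning": {"enabled": true}},
  {"name": "example-uploads", "versioning": {"enabled": false}},
  {"name": "example-legal", "retentionPolicy": {"retentionPeriod": "2592000"}},
  {"name": "example-scratch"}
]
""")

# Lifecycle conditions that only match noncurrent (archived) object versions.
NONCURRENT_CONDITIONS = ("numNewerVersions", "daysSinceNoncurrentTime", "noncurrentTimeBefore")


def manages_noncurrent_versions(bucket):
    """True if some Delete rule targets noncurrent versions (keeps version costs bounded)."""
    for rule in bucket.get("lifecycle", {}).get("rule", []):
        cond = rule.get("condition", {})
        targets_noncurrent = cond.get("isLive") is False or any(k in cond for k in NONCURRENT_CONDITIONS)
        if rule.get("action", {}).get("type") == "Delete" and targets_noncurrent:
            return True
    return False


def audit_bucket(bucket):
    """Classify one bucket resource; a missing "versioning" block means versioning is off."""
    if bucket.get("versioning", {}).get("enabled", False):
        # Status labels are hypothetical names chosen for this example.
        status = "PASS" if manages_noncurrent_versions(bucket) else "PASS_NO_LIFECYCLE"
    elif "retentionPolicy" in bucket:
        # Per the note under step 5: the retention policy must be deleted first.
        status = "FAIL_RETENTION_POLICY"
    else:
        status = "FAIL"
    return {"bucket": bucket["name"], "status": status}


def audit(buckets):
    return [audit_bucket(b) for b in buckets]


if __name__ == "__main__":
    for finding in audit(SAMPLE_BUCKETS):
        print(f'{finding["status"]:<22} gs://{finding["bucket"]}')
```

Run it once per project against that project's bucket list, mirroring the "repeat for each project" steps above.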