Google Cloud Storage

Storage Bucket Retention Policy Expired

Ensures that the storage bucket’s retention policy is not expired.

Risk Level: Medium

Description

This plugin ensures that the retention policy of the Google Cloud Storage buckets hasn’t expired. Google Cloud Storage allows you to add a retention policy to the storage buckets to set a retention period. This ensures that the buckets do not get accidentally deleted until the retention period ends.

About the Service

Google Cloud Storage:

Google Cloud Storage is a service that provides dependable and secure storage classes for any workload, allowing users to select cost-effective storage alternatives based on their requirements. You can effortlessly move data to Cloud storage and benefit from its strong security and scalability features. To know more, read here

Impact

If a storage bucket’s retention policy has expired, the objects in the bucket can be deleted or replaced at any time. This poses a risk because the buckets could be accidentally deleted or modified, resulting in data loss.

Steps to Reproduce

Using GCP Console:

  1. Log in to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Cloud Storage and select Browser. You can use this link here to navigate directly if you’re already logged in.
  4. Select the storage bucket you want to investigate from the list of buckets displayed and go to the PROTECTION tab of the selected bucket.
  5. Under the Retention policy section, check whether the retention policy is still in effect. If the retention period plus the effective date results in a date that is earlier than the current date, the retention policy is out of date and must be revised.
     Note: If no retention period is displayed, the bucket's retention policy hasn't been set up. To set up the retention policy, refer to the link here.
  6. Repeat steps 4 and 5 for all the buckets you want to investigate in the selected project.
  7. If you have multiple projects, repeat steps 2 to 4 for each project in your GCP Console. 
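
The check in step 5 can also be run over exported bucket metadata instead of clicking through each bucket. The following is an added example, not the plugin's own code: it applies the rule above (effective date plus retention period earlier than the current date) to bucket resources in the shape returned by the Cloud Storage JSON API (`retentionPolicy.retentionPeriod` in seconds, `retentionPolicy.effectiveTime` as an RFC 3339 timestamp). The bucket names, dates and function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: trimmed bucket resources in the shape returned by the
# Cloud Storage JSON API (buckets.list). Names and dates are made up.
SAMPLE_BUCKETS = json.loads("""
[
  {"name": "example-logs",
   "retentionPolicy": {"retentionPeriod": "2592000",
                       "effectiveTime": "2021-01-01T00:00:00.000Z",
                       "isLocked": false}},
  {"name": "example-backups",
   "retentionPolicy": {"retentionPeriod": "315360000",
                       "effectiveTime": "2022-06-15T12:00:00.000Z",
                       "isLocked": true}},
  {"name": "example-scratch"}
]
""")


def parse_rfc3339(ts):
    """Parse a UTC RFC 3339 timestamp such as 2021-01-01T00:00:00.000Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify(bucket, now):
    """Return (status, expiry) for one bucket resource."""
    policy = bucket.get("retentionPolicy")
    if not policy:
        # Matches the note in step 5: no retention policy has been set up.
        return "NOT_SET", None
    effective = parse_rfc3339(policy["effectiveTime"])
    # retentionPeriod is a number of seconds, serialized as a string.
    expiry = effective + timedelta(seconds=int(policy["retentionPeriod"]))
    return ("EXPIRED" if expiry < now else "ACTIVE"), expiry


def audit(buckets, now=None):
    """Map each bucket name to its (status, expiry) pair."""
    now = now or datetime.now(timezone.utc)
    return {b["name"]: classify(b, now) for b in buckets}


if __name__ == "__main__":
    for name, (status, expiry) in audit(SAMPLE_BUCKETS).items():
        print(f"{name:20} {status:8} {expiry.isoformat() if expiry else '-'}")
```

Buckets reported as `EXPIRED` or `NOT_SET` are the ones to take through the remediation steps below.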

Steps for Remediation

If the retention policy of your bucket(s) has expired, make the necessary changes to configure it using the steps below.


Using GCP Console:

  1. Log in to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Cloud Storage and select Browser. You can use this link here to navigate directly if you’re already logged in.
  4. Select the storage bucket you want to reconfigure from the list of buckets displayed and go to the PROTECTION tab of the selected bucket. (In case you aren’t sure which storage bucket needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
  5. In the Retention policy section, click on the EDIT button to edit the retention policy.
  6. In the Edit retention policy dialog box, fill in your desired Retention period and click SAVE.
  7. Repeat steps 4 to 7 for all the buckets you want to reconfigure in the selected project.
  8. If you have multiple projects, repeat steps 2 to 9 for each project in your GCP console.