Google Cloud Storage

Storage Bucket Retention Policy Not Locked

Ensures that storage buckets have retention policies locked.

Risk Level: Low

Description

This plugin checks that each storage bucket's retention policy is locked. Google Cloud Storage lets you add a retention policy to a bucket to set a retention period, which ensures that the data in the bucket cannot be accidentally deleted until the retention period ends. The bucket's retention policy can also be locked, making it permanent: once the retention policy is locked, you cannot remove the policy or reduce the retention period.

About the Service

Google Cloud Storage:

Google Cloud Storage is a service that provides dependable and secure storage classes for any workload, allowing users to select cost-effective storage options based on their requirements. You can easily move data to Cloud Storage and benefit from its strong security and scalability features. To know more, read here.

Impact

If the retention policy is not locked for a storage bucket, it can be changed at any time, allowing the retention period to be shortened or the policy to be deleted entirely. This poses a risk because without a retention policy, buckets can be accidentally deleted or updated, resulting in data loss.

Steps to Reproduce

Using the GCP Console:

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Cloud Storage and select Browser. You can use this link here to navigate directly if you’re already logged in.
  4. In the list of buckets available, check the Protection column to find out which buckets do not have the Retention policy locked. An image of a lock will be displayed to the left of the retention period if the policy is locked. If this isn't the case, the bucket's retention policy hasn't been locked.
    Note: If no retention period is being displayed, the bucket's retention policy hasn't been set up. To set up the retention policy, refer to the link here.
  5. If you have multiple projects, repeat steps 2 to 4 for each project in your GCP Console. 

Steps for Remediation

Determine whether you truly need the retention policy to remain unlocked. If you do not, lock it using the steps below.


Using the GCP Console:

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Cloud Storage and select Browser. You can use this link here to navigate directly if you’re already logged in.
  4. Select the storage bucket you want to reconfigure from the list of buckets displayed and go to the PROTECTION tab of the selected bucket. (In case you aren’t sure which storage bucket needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
  5. To lock the retention policy of a bucket, click on the LOCK button in the Retention policy section.
  6. In the Lock retention policy? dialog box, enter the name of the selected bucket in the textbox provided to confirm the action. Then click the LOCK POLICY button to lock the policy.
    Note: This action is permanent and cannot be reversed.
  7. Repeat steps 4 to 6 for all the buckets you want to reconfigure in the selected project.
  8. If you have multiple projects, repeat steps 2 to 7 for each project in your GCP console.
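The two console procedures above (finding buckets whose retention policy is not locked, and then locking the ones you have confirmed) can be scripted against the same bucket metadata. The following is an added example, not the plugin's own code: it classifies buckets from a constructed JSON listing shaped like the bucket resource returned by `gcloud storage buckets describe gs://NAME --format=json` (real fields `name`, `retentionPolicy.retentionPeriod` in seconds and `retentionPolicy.isLocked`), and then emits `gsutil retention lock` commands only for buckets that have an unlocked policy and that you have explicitly approved, mirroring the type-the-bucket-name confirmation in step 6. The bucket names and periods are constructed sample values.

```python
import json

# Constructed sample input, shaped like the bucket resources returned by
# `gcloud storage buckets describe gs://NAME --format=json`. Fields used:
# name, retentionPolicy.retentionPeriod (seconds, as a string) and
# retentionPolicy.isLocked. Bucket names and periods are made up.
SAMPLE_BUCKETS_JSON = """[
  {"name": "audit-logs-prod",
   "retentionPolicy": {"retentionPeriod": "31536000", "isLocked": false}},
  {"name": "finance-archive",
   "retentionPolicy": {"retentionPeriod": "220752000", "isLocked": true}},
  {"name": "scratch-uploads"},
  {"name": "ml-datasets",
   "retentionPolicy": {"retentionPeriod": "86400", "isLocked": false}}
]"""

NO_POLICY = "NO_POLICY"  # no retention policy configured: nothing to lock yet
UNLOCKED = "UNLOCKED"    # policy present but it can still be shortened or removed
LOCKED = "LOCKED"        # policy locked: permanent, this is the compliant state


def load_buckets(raw_json: str) -> list:
    """Parse a JSON array of bucket resources."""
    return json.loads(raw_json)


def classify_bucket(bucket: dict) -> str:
    """Map one bucket resource to NO_POLICY, UNLOCKED or LOCKED."""
    policy = bucket.get("retentionPolicy") or {}
    if "retentionPeriod" not in policy:
        return NO_POLICY
    return LOCKED if policy.get("isLocked") else UNLOCKED


def retention_days(bucket: dict) -> float:
    """Retention period in days; the API reports it in seconds."""
    return int(bucket["retentionPolicy"]["retentionPeriod"]) / 86400


def audit(buckets: list) -> dict:
    """Group bucket names by retention-policy status (the 'Steps to Reproduce' check)."""
    report = {NO_POLICY: [], UNLOCKED: [], LOCKED: []}
    for bucket in buckets:
        report[classify_bucket(bucket)].append(bucket["name"])
    return report


def plan_lock_commands(buckets: list, approved: set) -> tuple:
    """Return (commands, skipped) for the remediation step.

    Locking is irreversible, so a command is emitted only for a bucket that
    has an unlocked policy AND whose name is in the explicit `approved` set;
    every other bucket is reported with the reason it was skipped.
    """
    commands, skipped = [], []
    for bucket in buckets:
        name, status = bucket["name"], classify_bucket(bucket)
        if status == LOCKED:
            skipped.append((name, "already locked"))
        elif status == NO_POLICY:
            skipped.append((name, "no retention policy to lock; set one first"))
        elif name not in approved:
            skipped.append((name, "unlocked but not approved for locking"))
        else:
            commands.append(f"gsutil retention lock gs://{name}")
    return commands, skipped


if __name__ == "__main__":
    buckets = load_buckets(SAMPLE_BUCKETS_JSON)
    for status, names in audit(buckets).items():
        print(f"{status}: {', '.join(names) or '-'}")
    commands, skipped = plan_lock_commands(buckets, approved={"audit-logs-prod"})
    print("\nCommands to run after review:")
    for cmd in commands:
        print("  " + cmd)
    print("\nSkipped:")
    for name, reason in skipped:
        print(f"  {name}: {reason}")
```

Run it with no arguments to see the report for the sample data; in real use, replace `SAMPLE_BUCKETS_JSON` with the output of describing each bucket in the project and repeat per project, as steps 5 and 8 above do for the console. The `approved` set is the scripted equivalent of step 6's confirmation: nothing is locked just because it showed up in the audit, and buckets without a policy are surfaced separately because there is no policy to lock until one is set.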