Google CloudOverview
Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Rationale
Logs can be exported by creating one or more sinks that include a log filter and a destination. As Cloud Logging receives new log entries, they are compared against each sink. If a log entry matches a sink's filter, then a copy of the log entry is written to the destination. Sinks can be configured to export logs in storage buckets. It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being reduced or removed. This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.
Impact
Locking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the retention policy from the bucket or decrease the retention period for the policy. You will then have to wait for the retention period for all items within the bucket before you can delete them, and then the bucket.
Remediation guidance
From Google Cloud Console
- If sinks are not configured, first follow the instructions in the recommendation: Ensure that sinks are configured for all Log entries
- For each storage bucket configured as a sink, go to the Cloud Storage browser at https://console.cloud.google.com/storage/browser/
. - Select the
Bucket Locktab near the top of the page. - In the Retention policy entry, click the Add Duration link. The
Set a retention policydialog box appears. - Enter the desired length of time for the retention period and click
Save policy. - Set the
Lock statusfor this retention policy to Locked.
Using Google Cloud CLI
- To list all sinks destined to storage buckets:
gcloud logging sinks list --folder=<folderID> | --organization=<organizationID> | --project=<projectID>
- For each storage bucket listed above, set a retention policy and lock it:
gsutil retention set <timeDuration> gs://<bucketName>
gsutil retention lock gs://<bucketName>
For more information, visit https://cloud.google.com/storage/docs/using-bucket-lock#setpolicy
Default value
By default, storage buckets used as log sinks do not have retention policies and Bucket Lock configured.
References
- https://cloud.google.com/storage/docs/bucket-lock
- https://cloud.google.com/storage/docs/using-bucket-lock
- https://cloud.google.com/storage/docs/bucket-lock
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Retention policies on log buckets are configured using Bucket Lock
Connectors
Covered asset types
Expected check: eq []
logBuckets(where:{locked:false}){...AssetFragment}
