Overview
Storage access logging writes an access record for every request made to a Cloud Storage bucket. Each record contains details about the request, such as the request type, the resources the request operated on, and the date and time the request was processed. Cloud Storage delivers access logs (called usage logs in current Google Cloud documentation) and storage logs as CSV files that can be downloaded and used for analysis and incident response. Access logs cover every request made against the specified bucket and are created hourly; storage logs are created daily and report the storage consumed by the bucket over the previous day. Both kinds of log are written as new objects in a bucket that you specify, which should be a dedicated log bucket rather than the monitored bucket itself. It is recommended that access logs and storage logs are enabled for every Cloud Storage bucket.
Rationale
By enabling access and storage logs on target buckets, every request that may affect objects within those buckets is captured. Writing the logs to a separate bucket keeps the log data available even if the monitored bucket is deleted or its objects are tampered with, allows access to the logs to be restricted independently, and gives security and incident response workflows a stable place to collect them.
In most cases, Cloud Audit Logging is the recommended method for generating logs that track API operations performed in Cloud Storage:
- Cloud Audit Logging tracks access on a continuous basis.
- Cloud Audit Logging produces logs that are easier to work with.
- Cloud Audit Logging can monitor many of your Google Cloud Platform services, not just Cloud Storage.
In some cases, you may want to use access & storage logs instead.
You most likely want to use access logs if:
- You want to track access for public objects.
- You use Access Control Lists (ACLs) to control access to your objects.
- You want to track changes made by the Object Lifecycle Management feature.
- You want your logs to include latency information, or the request and response size of individual HTTP requests.
You most likely want to use storage logs if:
- You want to track the amount of data stored in your buckets.
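The following is an added example, not code from the original page or from Google Cloud, showing the kind of triage the access logs support that Cloud Audit Logs do not: per-client byte counts and request latency read straight from the usage-log CSV. The column names are the documented usage-log fields; the log rows, IP addresses, bucket name and alert thresholds are constructed for the example.

```python
"""Triage a Cloud Storage usage (access) log CSV for incident response.

Added example, not code from the original page or from Google Cloud. The
column names are the documented usage-log fields; the sample rows, IPs,
bucket name and thresholds below are constructed for the example.
"""
import csv
import io
from collections import defaultdict

USAGE_LOG_FIELDS = [
    "time_micros", "c_ip", "c_ip_type", "c_ip_region", "cs_method", "cs_uri",
    "sc_status", "cs_bytes", "sc_bytes", "time_taken_micros", "cs_host",
    "cs_referer", "cs_user_agent", "s_request_id", "cs_operation",
    "cs_bucket", "cs_object",
]

# Constructed sample (not a real log): one normal client, one client pulling
# two large exports, and one client probing for files that are not there.
SAMPLE_LOG = """\
"time_micros","c_ip","c_ip_type","c_ip_region","cs_method","cs_uri","sc_status","cs_bytes","sc_bytes","time_taken_micros","cs_host","cs_referer","cs_user_agent","s_request_id","cs_operation","cs_bucket","cs_object"
"1700000000000000","198.51.100.10","1","","GET","/my-bucket/reports/q1.pdf","200","0","524288","120000","storage.googleapis.com","","gsutil/5.25","r1","GET_Object","my-bucket","reports/q1.pdf"
"1700000001000000","203.0.113.7","1","","GET","/my-bucket/exports/db-dump-001.gz","200","0","734003200","910000","storage.googleapis.com","","curl/8.4.0","r2","GET_Object","my-bucket","exports/db-dump-001.gz"
"1700000002000000","203.0.113.7","1","","GET","/my-bucket/exports/db-dump-002.gz","200","0","734003200","880000","storage.googleapis.com","","curl/8.4.0","r3","GET_Object","my-bucket","exports/db-dump-002.gz"
"1700000003000000","192.0.2.44","1","","GET","/my-bucket/.env","403","0","0","3000","storage.googleapis.com","","python-requests/2.31","r4","GET_Object","my-bucket",".env"
"1700000003500000","192.0.2.44","1","","GET","/my-bucket/backup.zip","403","0","0","2800","storage.googleapis.com","","python-requests/2.31","r5","GET_Object","my-bucket","backup.zip"
"1700000004000000","192.0.2.44","1","","GET","/my-bucket/config.json","404","0","0","2500","storage.googleapis.com","","python-requests/2.31","r6","GET_Object","my-bucket","config.json"
"1700000005000000","198.51.100.10","1","","PUT","/my-bucket/reports/q2.pdf","200","204800","0","95000","storage.googleapis.com","","gsutil/5.25","r7","PUT_Object","my-bucket","reports/q2.pdf"
"""


def parse_usage_log(csv_text):
    """Yield one dict per request from a usage-log CSV that includes its header row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = set(USAGE_LOG_FIELDS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"not a Cloud Storage usage log, missing fields: {sorted(missing)}")
    yield from reader


def summarize(csv_text):
    """Aggregate per client IP: requests, bytes in/out, 4xx count, slowest request, objects touched.

    Usage logs do not record the authenticated principal, only the client IP,
    so s_request_id and time_micros are what you pivot on in Cloud Audit Logs.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "bytes_in": 0, "bytes_out": 0,
                                  "client_errors": 0, "max_latency_ms": 0.0, "objects": set()})
    for r in parse_usage_log(csv_text):
        s = per_ip[r["c_ip"]]
        s["requests"] += 1
        s["bytes_in"] += int(r["cs_bytes"] or 0)   # bytes sent by the client (uploads)
        s["bytes_out"] += int(r["sc_bytes"] or 0)  # bytes returned by Cloud Storage (downloads)
        if r["sc_status"].startswith("4"):
            s["client_errors"] += 1
        s["max_latency_ms"] = max(s["max_latency_ms"], int(r["time_taken_micros"] or 0) / 1000)
        if r["cs_object"]:
            s["objects"].add(r["cs_object"])
    return dict(per_ip)


def flag(summary, egress_threshold=1 << 30, error_threshold=3):
    """Return (ip, reason) pairs for bulk egress and for 4xx bursts. Thresholds are assumptions."""
    findings = []
    for ip, s in sorted(summary.items()):
        if s["bytes_out"] >= egress_threshold:
            findings.append((ip, f"downloaded {s['bytes_out']} bytes across {len(s['objects'])} objects"))
        if s["client_errors"] >= error_threshold:
            findings.append((ip, f"{s['client_errors']} 4xx responses, possible object enumeration"))
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in sorted(summary.items()):
        print(f"{ip:15} req={s['requests']} out={s['bytes_out']} in={s['bytes_in']} "
              f"4xx={s['client_errors']} max_latency_ms={s['max_latency_ms']:.0f}")
    for ip, reason in flag(summary):
        print(f"FLAG {ip}: {reason}")
```

Point the script at a downloaded log object instead of SAMPLE_LOG to run it against real data; several hourly files can be concatenated as long as only the first keeps its header row, or parsed one at a time and merged.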
Remediation guidance
Using gsutil
The bucket that will receive the logs must first allow the cloud-storage-analytics@google.com group to create objects in it (roles/storage.objectCreator); without that grant the logging setting is accepted but no log objects are ever delivered. Then, to enable access logs and storage logs for a bucket, run:
gsutil logging set on -b gs://<bucketName for a bucket used to store logs> gs://<your bucket name>
Confirm the result with gsutil logging get gs://<your bucket name>, which prints the logBucket and logObjectPrefix in effect; log objects appear in the log bucket only after the next hourly (access) and daily (storage) delivery.
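An added example, not from the original page or from Google's tooling, that performs the same remediation across a whole project with the google-cloud-storage Python client: it grants the analytics group the object-creator role on the log bucket, finds buckets whose logging configuration has no logBucket (the condition the stored check below looks for), and enables logging on each. The project, bucket names, the object prefix and the dry-run default are this example's own choices.

```python
"""Enable usage/storage logging on every Cloud Storage bucket in a project.

Added example, not part of the original page or of Google's tooling.
Requires: pip install google-cloud-storage, and credentials with
storage.buckets.update on the target buckets and
storage.buckets.setIamPolicy on the log bucket. All names are placeholders.
"""
import argparse

# Documented prerequisite for log delivery: Cloud Storage writes the CSV log
# objects as this group, so it needs object-create rights on the log bucket.
LOG_WRITER = "group:cloud-storage-analytics@google.com"
LOG_WRITER_ROLE = "roles/storage.objectCreator"


def needs_logging(bucket, log_bucket_name):
    """True when a bucket has no log bucket configured.

    bucket.logging is None when logging was never set; an empty dict or a dict
    without logBucket is treated the same way. The log bucket itself is skipped
    so it is never pointed at itself.
    """
    if bucket.name == log_bucket_name:
        return False
    cfg = bucket.logging or {}
    return not cfg.get("logBucket")


def select_unlogged(buckets, log_bucket_name):
    """Names of buckets that need remediation, in listing order."""
    return [b.name for b in buckets if needs_logging(b, log_bucket_name)]


def grant_log_writer(bindings):
    """Add the analytics group to the objectCreator binding (idempotent).

    `bindings` is the version-3 IAM policy binding list: dicts with a 'role'
    and a set of 'members'.
    """
    for b in bindings:
        if b.get("role") == LOG_WRITER_ROLE:
            b["members"] = set(b["members"]) | {LOG_WRITER}
            return bindings
    bindings.append({"role": LOG_WRITER_ROLE, "members": {LOG_WRITER}})
    return bindings


def remediate(project, log_bucket_name, prefix="usage", apply=False):
    """Dry run by default; apply=True changes the IAM policy and bucket settings."""
    from google.cloud import storage  # imported here so the helpers above run offline

    client = storage.Client(project=project)
    log_bucket = client.get_bucket(log_bucket_name)

    policy = log_bucket.get_iam_policy(requested_policy_version=3)
    policy.bindings = grant_log_writer(policy.bindings)
    if apply:
        log_bucket.set_iam_policy(policy)

    targets = select_unlogged(client.list_buckets(project=project), log_bucket_name)
    for name in targets:
        bucket = client.bucket(name)
        # Equivalent of: gsutil logging set on -b gs://<log_bucket_name> gs://<name>
        bucket.enable_logging(log_bucket_name, object_prefix=f"{prefix}/{name}")
        if apply:
            bucket.patch()  # sends only the changed 'logging' property
        verb = "enabled" if apply else "would enable"
        print(f"{verb} logging: gs://{name} -> gs://{log_bucket_name}/{prefix}/{name}")
    return targets


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="enable Cloud Storage bucket logging")
    ap.add_argument("--project", required=True)
    ap.add_argument("--log-bucket", required=True, help="bucket that receives the CSV logs")
    ap.add_argument("--apply", action="store_true", help="make changes (default: dry run)")
    args = ap.parse_args()
    remediate(args.project, args.log_bucket, apply=args.apply)
```

Run it once without --apply to review the bucket list, then with --apply; re-running is safe because the IAM grant and the logging setting are both idempotent.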
Default Value
By default, access logs and storage logs are not enabled for Cloud Storage buckets.
References
- https://cloud.google.com/storage/docs/access-logs
Google Cloud Console (Asset-Level)
- Open the affected project/resource from the finding details in Google Cloud Console.
- Navigate to the resource security/configuration settings.
- Apply the control-specific secure configuration.
- Save and re-run the check.
Multiple Remediation Paths
Google Cloud
SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce organization policies at org/folder level so new resources inherit secure defaults. The predefined constraint catalog has no constraint that requires bucket logging, so policy.yaml must define a custom constraint on Cloud Storage bucket resources; the IaC/CI checks under PREVENTIVE remain the primary control against new unlogged buckets.
gcloud org-policies set-policy policy.yaml
ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.
PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.
References for Service-Wide Patterns
- GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
- GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Logging is enabled for Cloud Storage buckets
Connectors: Google Cloud
Covered asset types: Cloud Storage buckets
Expected check: eq []
buckets(where:{loggingLogBucket_NOT:""}){...AssetFragment}