Best practice rules for GCP Cloud Storage
- Bucket Policies with Administrative Permissions
Ensure that the IAM policies on your Google Cloud Storage buckets do not grant administrative roles (for example roles/storage.admin) to principals that do not require them.
- Check for Publicly Accessible Cloud Storage Buckets
Ensure there are no publicly accessible Cloud Storage buckets (buckets whose IAM policy or ACLs grant access to allUsers or allAuthenticatedUsers) within your Google Cloud Platform (GCP) account.
- Check for Sufficient Data Retention Period
Ensure that a sufficient retention period is configured for Google Cloud Storage objects, so that objects cannot be deleted or overwritten before that period has elapsed.
- Configure Retention Policies with Bucket Lock
Ensure that the retention policies on log buckets are locked with the Bucket Lock feature, so that the policy can no longer be removed or shortened once it is in place.
- Define index page suffix and error page for the bucket website configuration
Ensure that bucket website configuration includes main page suffix and error page.
- Detect GCP Cloud Storage Configuration Changes
Ensure that Cloud Storage configuration changes within your Google Cloud Platform (GCP) account are detected and raise an alert.
- Enable Data Access Audit Logs
Ensure that Data Access audit logs are enabled for your Google Cloud Storage buckets.
- Enable Lifecycle Management for Cloud Storage Objects
Ensure that Google Cloud Storage objects are using a lifecycle configuration for cost management.
- Enable Object Encryption with Customer-Managed Keys
Ensure that your Cloud Storage objects are encrypted with customer-managed encryption keys (CMEK) held in Cloud KMS rather than with Google-managed default keys.
- Enable Object Versioning for Cloud Storage Buckets
Ensure that object versioning is enabled for your Google Cloud Storage buckets.
- Enable Uniform Bucket-Level Access for Cloud Storage Buckets
Ensure that Google Cloud Storage buckets have uniform bucket-level access enabled, so that access is governed by IAM alone and legacy object ACLs are disabled.
- Enable Usage and Storage Logs
Ensure that usage and storage logs are enabled for your Google Cloud Storage buckets.
- Enforce Public Access Prevention
Ensure that Public Access Prevention is enforced for your Google Cloud Storage buckets, so that allUsers and allAuthenticatedUsers cannot be granted access.
- Secure CORS Configuration
Ensure that the CORS configuration for your Google Cloud Storage buckets allows only the origins, methods and response headers your web applications actually require, and never a wildcard origin.
- Use VPC Service Controls for Cloud Storage Buckets
Ensure that VPC Service Controls are used to protect your Google Cloud Storage buckets from data exfiltration.
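Most of the bucket-level rules above can be evaluated directly from the bucket resource and IAM policy returned by the Cloud Storage JSON API (the same data you get from `gcloud storage buckets describe --format=json` and `gcloud storage buckets get-iam-policy`). The following checker is an added example written for this page, not code from the source or from any vendor tool. It uses the real API field names (`iamConfiguration`, `versioning`, `retentionPolicy`, `encryption.defaultKmsKeyName`, `lifecycle`, `logging`, `cors`, and policy `bindings`), but the sample bucket documents, the 90-day retention threshold and the set of roles treated as administrative are assumptions made for the example. Data Access audit logs, change detection and VPC Service Controls are project- or organization-level settings and are not covered here.

```python
"""Evaluate Cloud Storage bucket metadata against the bucket-level rules above.

Added example: runs offline on constructed bucket/policy documents shaped like
the Cloud Storage JSON API responses. Thresholds and role sets are assumptions.
"""
import json

# Assumption: roles treated as administrative when found in a bucket policy.
ADMIN_ROLES = {"roles/storage.admin", "roles/storage.legacyBucketOwner", "roles/owner"}
# Principals that make a binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Assumption: minimum acceptable retention period (90 days, in seconds).
MIN_RETENTION_SECONDS = 90 * 24 * 3600


def check_bucket(bucket, policy, min_retention=MIN_RETENTION_SECONDS):
    """Return a list of (rule_id, detail) findings; an empty list means compliant."""
    findings = []
    iam_cfg = bucket.get("iamConfiguration", {})

    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append(("public-access-prevention", "publicAccessPrevention is not 'enforced'"))
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append(("uniform-bucket-level-access", "disabled; legacy object ACLs still apply"))

    # IAM policy: public principals and administrative roles on the bucket.
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = set(binding.get("members", []))
        public = members & PUBLIC_MEMBERS
        if public:
            findings.append(("public-bucket", f"{role} granted to {sorted(public)}"))
        if role in ADMIN_ROLES:
            findings.append(("admin-permissions", f"{role} granted to {sorted(members)}"))

    if not bucket.get("versioning", {}).get("enabled"):
        findings.append(("object-versioning", "versioning disabled"))

    # retentionPeriod is returned by the API as a string of seconds.
    rp = bucket.get("retentionPolicy")
    if rp is None:
        findings.append(("retention-period", "no retention policy configured"))
    else:
        if int(rp.get("retentionPeriod", 0)) < min_retention:
            findings.append(("retention-period", f"retentionPeriod {rp.get('retentionPeriod')}s below minimum"))
        if not rp.get("isLocked"):
            findings.append(("bucket-lock", "retention policy is not locked"))

    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append(("cmek", "no default Cloud KMS key; Google-managed encryption in use"))
    if not bucket.get("lifecycle", {}).get("rule"):
        findings.append(("lifecycle", "no lifecycle rules configured"))
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append(("usage-logs", "usage and storage logging not configured"))

    for entry in bucket.get("cors", []):
        if "*" in entry.get("origin", []):
            findings.append(("cors", f"wildcard origin with methods {entry.get('method', [])}"))
    return findings


# Constructed sample data: one weak bucket, one hardened bucket.
WEAK_BUCKET = {
    "name": "example-weak-bucket",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False},
                         "publicAccessPrevention": "inherited"},
    "versioning": {"enabled": False},
    "cors": [{"origin": ["*"], "method": ["GET", "PUT"], "maxAgeSeconds": 3600}],
}
WEAK_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
]}
HARDENED_BUCKET = {
    "name": "example-hardened-bucket",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                         "publicAccessPrevention": "enforced"},
    "versioning": {"enabled": True},
    "retentionPolicy": {"retentionPeriod": "31536000", "isLocked": True},
    "encryption": {"defaultKmsKeyName":
                   "projects/example-project/locations/us/keyRings/example-ring/cryptoKeys/example-key"},
    "lifecycle": {"rule": [{"action": {"type": "Delete"}, "condition": {"numNewerVersions": 5}}]},
    "logging": {"logBucket": "example-hardened-bucket-logs"},
    "cors": [{"origin": ["https://app.example.com"], "method": ["GET"]}],
}
HARDENED_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    for bucket, policy in ((WEAK_BUCKET, WEAK_POLICY), (HARDENED_BUCKET, HARDENED_POLICY)):
        print(json.dumps({bucket["name"]: check_bucket(bucket, policy)}, indent=2))
```

To run it against real buckets, replace the constructed dictionaries with the parsed output of `gcloud storage buckets describe gs://BUCKET --format=json` and `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`; note that when uniform bucket-level access is disabled you would also need to inspect per-object ACLs, which this checker does not fetch.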