Enable Object Versioning for Cloud Storage Buckets

Risk Level: Medium (should be achieved)

Ensure that your Cloud Storage buckets are configured with object versioning in order to protect your object data from being overwritten or accidentally deleted. Object versioning is a method of keeping multiple variants of an object in the same storage bucket. This preserves data and allows retrieving and restoring every version of every object stored inside the bucket for which versioning has been enabled.

Reliability

With Object Versioning feature enabled, Google Cloud Storage buckets can recover from both unintended user actions and application failures, as the feature allows you to preserve, retrieve, and restore versions of objects. Object versioning acts as an extra layer of data protection and can be used for retention scenarios such as recovering objects that have been accidentally or intentionally deleted, or overwritten by Cloud IAM users or cloud applications.

Audit

To determine if object versioning is enabled for your Cloud Storage buckets, perform the following operations:

Note: Inspecting object versioning configuration for storage buckets using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-112233
cc-mobile-project-111222

03 Run gsutil ls command (using gsutil Python tool) to list the identifier of each storage bucket created for the specified GCP project:

gsutil ls -p cc-web-project-112233

04 The command output should return the requested storage resource name(s):

gs://cc-logging-bucket/
gs://cc-analytics-data/

05 Run gsutil versioning get command (using gsutil tool) using the name of the Cloud Storage bucket that you want to examine as identifier parameter, to describe the configuration status of the Object Versioning feature, set for the selected bucket:

gsutil versioning get gs://cc-logging-bucket

06 The command output should return the requested configuration status:

gs://cc-logging-bucket: Suspended

If the Object Versioning feature status returned by the gsutil versioning get command output is Suspended, as shown in the example above, object versioning is not enabled for the selected Google Cloud Storage bucket.

07 Repeat step no. 5 and 6 for each storage bucket created for the selected Google Cloud Platform (GCP) project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.

Remediation / Resolution

To support the retrieval of objects that are deleted or overwritten, enable object versioning for your Google Cloud Storage buckets, by performing the following operations:

Note: Enabling the Object Versioning feature for storage buckets using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Run gsutil versioning set on command (using gsutil Python tool) using the name of the Cloud Storage bucket that you want to reconfigure as identifier parameter (see Audit section to identify the appropriate bucket), to add an additional layer of data protection for your objects by enabling the Object Versioning feature for the selected storage bucket:

gsutil versioning set on gs://cc-logging-bucket

02 If successful, the output should return the gsutil versioning set on command request status:

Enabling versioning for gs://cc-logging-bucket/...

03 Repeat step no. 1 and 2 to enable object versioning for other Google Cloud Storage buckets created for the selected GCP project.

04 Repeat steps no. 1 – 3 for each project available within your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Object Versioning
Using Object Versioning
Object Lifecycle Management

GCP Command Line Interface (CLI) Documentation
gcloud projects list

GSutil Documentation
gsutil tool
ls - List providers, buckets, or objects
versioning - Enable or suspend versioning for one or more buckets

Publication date Apr 21, 2021

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable Object Versioning for Cloud Storage Buckets

Risk Level: Medium

Audit

Using GCP CLI

Remediation / Resolution

Using GCP CLI

References

Related CloudStorage rules