
Configure Retention Policies with Bucket Lock

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudStorage-003

Ensure that all the retention policies attached to your Google Cloud log sink buckets are configured with the Bucket Lock feature. Enabling retention policies for your log buckets will protect the logging data stored within these buckets from being overwritten or accidentally deleted. As an additional layer of security, the Bucket Lock feature allows you to lock the data retention policy attached to your buckets in order to make sure that no one (including you) can shorten or cancel the retention policy duration.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

By default, the Google Cloud Storage buckets used as log sink buckets do not have retention policies enabled and Bucket Lock configured. Enabling retention policies for your log buckets will guarantee that all current and future objects in those buckets cannot be deleted or overwritten until they reach the age defined within the policies. Any attempt to delete or overwrite an object whose age is less than the configured retention period will fail and return a 403 (retentionPolicyNotMet) error. Locking your retention policies with the Bucket Lock feature will prevent the policies from being reduced or removed. In this way, if your project becomes compromised by an attacker or a malicious insider who wants to cover their tracks, the logging data stored inside your log buckets is definitively preserved for forensics and security investigations.

Note: Locking a Google Cloud Storage bucket is an irreversible action. Once your log bucket is locked, you cannot remove the retention policy from the bucket or decrease the retention period set for the policy.


Audit

To determine if the retention policies configured for your log sink buckets are using the Bucket Lock feature, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Logging console at https://console.cloud.google.com/logs.

04 In the main navigation panel, select Logs Router to access all the log sinks created for the selected project.

05 Choose the log sink that you want to examine and copy the name of the destination log bucket available in the Destination column. The name of the bucket is listed just after the Cloud Storage service subdomain, i.e. storage.googleapis.com/<bucket-name>, where <bucket-name> is the name of your bucket. If the log destination identifier, listed in the Destination column, does not have the following format: storage.googleapis.com/<bucket-name>, the log sink is not using a Google Cloud Storage bucket as log destination.

06 Navigate to Google Cloud Storage console at https://console.cloud.google.com/storage.

07 In the main navigation panel choose Browser to access all the buckets created for the selected GCP project.

08 Click inside the Filter buckets box, select Name contains, paste the name of the bucket copied at step no. 5, then press Enter to return the Google Cloud Storage bucket used as the destination by the selected log sink.

09 Check the retention policy value, available in the Protection column, for the bucket returned at the previous step. If there is no value (duration of time) configured for the retention policy, the selected log sink destination bucket does not have a retention policy configured. If there is a retention policy available in the Protection column but the policy is unlocked (i.e. open-padlock icon is displayed), the bucket's retention policy is not using the Bucket Lock feature to prevent the policy from being modified or removed.

10 Repeat steps no. 5 – 9 for each log sink that is using a Google Cloud Storage bucket as a log destination, listed on the Logs Router page.

11 Repeat steps no. 2 – 10 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-project5-123123
cc-web-prod-123456
cc-internal-123123

03 Run the logging sinks list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the log storage destination of each log sink created within the selected project:

gcloud logging sinks list \
  --project=cc-project5-123123 \
  --format="json(name,destination)"

04 The command output should return the name and the storage destination of the selected log sink. The name of the bucket is listed just after the Cloud Storage service subdomain, i.e. storage.googleapis.com/<bucket-name>, where <bucket-name> is the name of your bucket. If the log destination identifier, returned as value for the "destination" attribute, does not have the following format: storage.googleapis.com/<bucket-name>, the log sink is not using a Google Cloud Storage bucket as log destination:

[
  {
    "name": "cc-project5-log-sink",
    "destination": "storage.googleapis.com/cc-project5-log-bucket"
  },
  {
    "name": "cc-data-access-log-sink",
    "destination": "storage.googleapis.com/cc-access-log-bucket"
  }
]

05 Run the gsutil retention get command (using the gsutil tool) with the name of the log storage destination bucket that you want to examine as the identifier parameter to describe the retention policy defined for the selected destination bucket:

gsutil retention get gs://cc-project5-log-bucket

06 If the verified log sink destination bucket does not have a retention policy configured, the gsutil retention get command request should return the following output:

gs://cc-project5-log-bucket/ has no Retention Policy.

07 If the verified destination bucket does have a retention policy configured, but the retention policy is unlocked, the bucket's retention policy is not using the Bucket Lock feature to prevent the policy from being modified or removed. When the retention policy is UNLOCKED, the gsutil retention get command request should return an output like this:

Retention Policy (UNLOCKED):
  Duration: 30 Day(s)
  Effective Time: Fri, 24 Apr 2020 11:25:35 GMT

08 Repeat steps no. 3 – 7 for each log sink that is using a Google Cloud Storage bucket as log destination.

09 Repeat steps no. 1 – 8 for each GCP project available within your Google Cloud account.
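The audit steps above, combined into one script (an added example, not Conformity's own code): it walks every project and every log sink, keeps only Cloud Storage destinations, and classifies each destination bucket from the text that gsutil retention get prints. It assumes gcloud, gsutil and jq are installed and authenticated; the LOCKED wording is the counterpart of the UNLOCKED output shown in step 07.

```shell
#!/bin/sh
# Added example: audit every Cloud Storage log sink bucket for a locked
# retention policy. Assumes gcloud, gsutil and jq are available.

# Print the bucket name from a log sink destination; return 1 when the
# sink does not write to Cloud Storage (e.g. a BigQuery or Pub/Sub sink).
bucket_from_destination() {
  case "$1" in
    storage.googleapis.com/*) printf '%s\n' "${1#storage.googleapis.com/}" ;;
    *) return 1 ;;
  esac
}

# Map the output of "gsutil retention get" to NO_POLICY, UNLOCKED or LOCKED.
# Only LOCKED satisfies the rule; the other two results are findings.
classify_retention() {
  case "$1" in
    *"has no Retention Policy"*)    echo NO_POLICY ;;
    *"Retention Policy (LOCKED)"*)  echo LOCKED ;;
    *"Retention Policy (UNLOCKED)"*) echo UNLOCKED ;;
    *)                              echo UNKNOWN ;;
  esac
}

# Steps 03-07 for one project: list sinks, check each storage bucket.
audit_project() {
  project="$1"
  gcloud logging sinks list --project="$project" --format="json(name,destination)" \
    | jq -r '.[] | "\(.name) \(.destination)"' \
    | while read -r sink dest; do
        bucket=$(bucket_from_destination "$dest") || continue
        status=$(classify_retention "$(gsutil retention get "gs://$bucket" 2>&1)")
        printf '%s\t%s\t%s\t%s\n' "$project" "$sink" "$bucket" "$status"
      done
}

# Steps 01-02 and 09: iterate over every project in the account.
audit_all() {
  gcloud projects list --format="value(projectId)" | while read -r project; do
    audit_project "$project"
  done
}

# Only run the live audit when the tools are actually present.
if command -v gcloud >/dev/null 2>&1 && command -v gsutil >/dev/null 2>&1; then
  audit_all
fi
```

Rows ending in NO_POLICY or UNLOCKED are the buckets that need the remediation steps below.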

Remediation / Resolution

To configure locked retention policies for your GCP project log sinks in order to prevent log data objects from being deleted or overwritten, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Cloud Storage console at https://console.cloud.google.com/storage.

04 In the main navigation panel, select Browser to access all the buckets created for the selected GCP project.

05 Click on the name of the log storage destination bucket that you want to reconfigure and select the PROTECTION tab.

06 On the PROTECTION panel, perform one of the following actions:

  1. If the selected bucket does not have a retention policy attached, choose + SET RETENTION POLICY, configure the desired duration under Retention period, then choose SAVE to save the retention policy. Click on the LOCK (padlock icon) next to the Lock status, confirm that you want to lock the policy by providing the bucket name, then choose LOCK POLICY to lock the newly created retention policy.
  2. If the selected log destination bucket does have a retention policy currently attached, click on the LOCK (padlock icon) next to the Lock status to lock the existing retention policy in order to prevent it from being modified or removed. In the confirmation box, confirm that you want to lock the policy by entering the bucket name, then choose LOCK POLICY to lock the retention policy.

07 Repeat steps no. 5 and 6 for each log sink destination bucket that you want to reconfigure, created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the gsutil retention set command (using the gsutil tool) with the name of the log storage destination bucket that you want to reconfigure as the identifier parameter, to enable the bucket's retention policy and set the retention period. A retention period is the amount of time the objects in the bucket must be retained. The following example sets the retention period to 30 days:

gsutil retention set 30d gs://cc-project5-log-bucket

02 The command output should return the gsutil retention set request status:

Setting Retention Policy on gs://cc-project5-log-bucket/...

03 Run the gsutil retention lock command (using the gsutil tool) to lock the retention policy enabled at the previous step in order to prevent it from being modified or removed:

gsutil retention lock gs://cc-project5-log-bucket

04 Type Y (Yes) to confirm locking the retention policy for the specified bucket:

This will PERMANENTLY set the Retention Policy on gs://cc-project5-log-bucket to:
Retention Policy (UNLOCKED):
Duration: 30 Day(s)
Effective Time: Fri, 24 Apr 2020 13:47:20 GMT
This setting cannot be reverted! Continue? [y|N]: Y

05 The command output should return the gsutil retention lock request status:

Locking Retention Policy on gs://cc-project5-log-bucket/...

06 Repeat steps no. 1 – 5 for each GCP project available within your Google Cloud account.

Publication date Oct 28, 2021
