π Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock π’
- Contextual name: π og Sink exports logs to a Storage Bucket without Bucket Lock π’
- ID:
/ce/ca/google/logging/storage-bucket-retention-policy - Located in: π Google Logging
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Similar Policiesβ
- Cloud Conformity
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Rationaleβ
Logs can be exported by creating one or more sinks that include a log filter and a destination. As Cloud Logging receives new log entries, they are compared against each sink. If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.
Sinks can be configured to export logs in storage buckets. It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being reduced or removed. This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.
Impactβ
... see more
Remediationβ
Remediationβ
From Google Cloud Consoleβ
- If sinks are not configured, first follow the instructions in the recommendation:
Ensure that sinks are configured for all Log entries.- For each storage bucket configured as a sink, go to the Cloud Storage browser at
https://console.cloud.google.com/storage/browser/<BUCKET_NAME>.- Select the Bucket Lock tab near the top of the page.
- In the Retention policy entry, click the Add Duration link. The
Set a retention policydialog box appears.- Enter the desired length of time for the retention period and click
Save policy.- Set the
Lock statusfor this retention policy toLocked.From Google Cloud CLIβ
To list all sinks destined to storage buckets:
gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_IDFor each storage bucket listed above, set a retention policy and lock it:
gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME] gsutil retention lock gs://[BUCKET_NAME]For more information, visit https://cloud.google.com/storage/docs/using-bucket-lock#set-policy.
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock - Level 2 (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Logging and Monitoring Configuration | 49 |