Skip to main content

πŸ›‘οΈ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock🟒

  • Contextual name: πŸ›‘οΈ og Sink exports logs to a Storage Bucket without Bucket Lock🟒
  • ID: /ce/ca/google/logging/storage-bucket-retention-policy
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Description​

Open File

Description​

Enabling retention policies on log buckets protects logs stored in Cloud Storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.

Rationale​

Logs can be exported by creating one or more sinks that include a log filter and a destination. As Cloud Logging receives new log entries, they are compared against each sink. If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.

Sinks can be configured to export logs to storage buckets. It is recommended to configure a data retention policy for these Cloud Storage buckets and lock the retention policy, which permanently prevents the policy from being reduced or removed. This way, if the system is compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are preserved for forensics and security investigations.

Impact​

Locking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the retention policy from the bucket or decrease the retention period for the policy. You will then have to wait for the retention period for all items within the bucket before you can delete them, and then the bucket.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. If sinks are not configured, first follow the instructions in the recommendation: Ensure that sinks are configured for all Log entries.
  2. For each storage bucket configured as a sink, go to the Cloud Storage browser at https://console.cloud.google.com/storage/browser/{{bucket-name}}.
  3. Select the Bucket Lock tab near the top of the page.
  4. In the Retention policy entry, click the Add Duration link. The Set a retention policy dialog box appears.
  5. Enter the desired length of time for the retention period and click Save policy.
  6. Set the Lock status for this retention policy to Locked.

From Google Cloud CLI​

  1. To list all sinks destined to storage buckets:

    gcloud logging sinks list \
        --folder={{folder-id}}

    gcloud logging sinks list \
        --organization={{organization-id}}

    gcloud logging sinks list \
        --project={{project-id}}

  2. For each storage bucket listed above, set a retention policy and lock it:

    gsutil retention set {{time-duration}} gs://{{bucket-name}}

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 2.3 Ensure that retention policies on log buckets are configured using Bucket Lock - Level 1 (Automated)1no data
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock - Level 2 (Automated)1no data
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock - Level 2 (Automated)1no data
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock - Level 2 (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration75no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3784no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-5 Separation of Duties (M)(H)17no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81179no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)13no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)84no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)13no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)84no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-5 Separation of Duties (M)(H)17no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)679no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)13no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.12.4.2 Protection of log information13no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.18.1.3 Protection of records14no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.10 Acceptable use of information and other associated assets1127no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.15 Access control1431no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.3 Information access restriction1024no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.4 Access to source code822no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed14no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1756no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-4: Backups of information are conducted, maintained, and tested48no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1633no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed7no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties133no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected184no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-11: Backups of data are created, protected, maintained, and tested15no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage123no data
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό AU-11 AUDIT RECORD RETENTION12no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15559no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-5 Separation of Duties17no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102372no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό MP-2 Media Access213no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1065no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.5 Secure audit trails so they cannot be altered.518no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.65no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.65no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.765no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.65no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC5.2-3 Establishes Relevant Security Management Process Controls Activities1536no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-3 Restricts Logical Access122no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-7 Restricts Access to Information Assets1327no data