Remediation

From Google Cloud Console

If sinks are not configured, first follow the instructions in the recommendation: Ensure that sinks are configured for all Log entries.
For each storage bucket configured as a sink, go to the Cloud Storage browser at https://console.cloud.google.com/storage/browser/{{bucket-name}}.
Select the Bucket Lock tab near the top of the page.
In the Retention policy entry, click the Add Duration link. The Set a retention policy dialog box appears.
Enter the desired length of time for the retention period and click Save policy.
Set the Lock status for this retention policy to Locked.

From Google Cloud CLI

To list all sinks destined to storage buckets:

gcloud logging sinks list \
    --folder={{folder-id}}

gcloud logging sinks list \
    --organization={{organization-id}}

gcloud logging sinks list \
    --project={{project-id}}

For each storage bucket listed above, set a retention policy and lock it:

gsutil retention set {{time-duration}} gs://{{bucket-name}}
gsutil retention lock gs://{{bucket-name}}

For more information, visit https://cloud.google.com/storage/docs/using-bucket-lock#set-policy.

From Google Cloud Console​

From Google Cloud CLI​

From Google Cloud Console

From Google Cloud CLI