πŸ›‘οΈ Google Storage Bucket logging is not enabled🟒

Logic

Description

This policy identifies Google Cloud Storage Buckets that do not have logging enabled. Enabling logging ensures that all access requests to a bucket are recorded for audit and monitoring purposes.

Rationale

Cloud Storage logging captures detailed information about every request made to a bucket, including read, write, and delete operations on objects. These logs are critical for security auditing, monitoring access patterns, and investigating potential security incidents. Without logging, it becomes difficult to determine who accessed your data, when it was accessed, and from where.

Impact

Enabling logging may incur additional costs for storing and processing logs.

Audit

This policy flags a Google Cloud Storage Bucket as INCOMPLIANT if it does not have an associated Logging Bucket.

A Storage Bucket is marked as INAPPLICABLE if it has related Log Source Buckets indicating that it is already designated to store access logs.

Remediation

Using gcloud CLI

  1. Grant Cloud Storage permission to write logs to the logging bucket:

    gcloud storage buckets add-iam-policy-binding gs://{{logging-bucket-name}} \
        --member="group:cloud-storage-analytics@google.com" \
        --role="roles/storage.objectCreator"

    This grants Cloud Storage (represented by the service group cloud-storage-analytics@google.com) permission to create and store log objects in the designated logging bucket.

  2. Enable access logging on the target bucket:

    gcloud storage buckets update gs://{{source-bucket-name}} \
        --log-bucket=gs://{{logging-bucket-name}} \
        [--log-object-prefix={{log-object-prefix}}]

    Use the optional --log-object-prefix flag to define a prefix for log object names. The prefix can be up to 900 characters long and must follow valid object naming conventions. If not specified, the source bucket’s name is used as the default prefix.
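The audit logic above (INCOMPLIANT when no logging bucket is set, INAPPLICABLE when the bucket is itself a log destination) and the two remediation commands, worked through in code. This is an added example, not Cloudaware's policy implementation; it assumes bucket records in the shape of the Cloud Storage JSON API Buckets resource (`name`, optional `logging.logBucket` / `logging.logObjectPrefix`) and uses a constructed sample inventory rather than a live project.

```python
"""Classify Cloud Storage buckets against the 'logging is not enabled' policy."""
from typing import Dict, Iterable, List, Optional

# Constructed sample inventory (not real buckets), in the JSON API Buckets resource
# shape. 'central-access-logs' is the log destination for 'app-data' and 'exports'.
SAMPLE_BUCKETS = [
    {"name": "app-data", "logging": {"logBucket": "central-access-logs",
                                     "logObjectPrefix": "app-data"}},
    {"name": "central-access-logs"},   # receives logs for other buckets -> INAPPLICABLE
    {"name": "backups"},               # no logging configured          -> INCOMPLIANT
    {"name": "exports", "logging": {"logBucket": "gs://central-access-logs"}},
]


def log_bucket_of(bucket: Dict) -> Optional[str]:
    """Return the configured logging bucket name, or None if logging is not enabled."""
    target = (bucket.get("logging") or {}).get("logBucket")
    # Normalise 'gs://name' to 'name' so destination references match bucket names.
    return target[len("gs://"):] if target and target.startswith("gs://") else target


def evaluate(buckets: Iterable[Dict]) -> Dict[str, str]:
    """Map each bucket name to COMPLIANT, INCOMPLIANT or INAPPLICABLE.

    Following the Audit section, a bucket that other buckets write their access
    logs into is INAPPLICABLE (checked first); otherwise it is COMPLIANT when it
    has a logging bucket of its own and INCOMPLIANT when it has none.
    """
    buckets = list(buckets)
    log_destinations = {log_bucket_of(b) for b in buckets} - {None}
    verdicts: Dict[str, str] = {}
    for b in buckets:
        name = b["name"]
        if name in log_destinations:
            verdicts[name] = "INAPPLICABLE"
        elif log_bucket_of(b):
            verdicts[name] = "COMPLIANT"
        else:
            verdicts[name] = "INCOMPLIANT"
    return verdicts


def remediation_commands(source: str, logging_bucket: str,
                         prefix: Optional[str] = None) -> List[str]:
    """Render the two gcloud commands from the Remediation section for one bucket."""
    grant = (f"gcloud storage buckets add-iam-policy-binding gs://{logging_bucket} "
             "--member=group:cloud-storage-analytics@google.com "
             "--role=roles/storage.objectCreator")
    enable = f"gcloud storage buckets update gs://{source} --log-bucket=gs://{logging_bucket}"
    if prefix:
        enable += f" --log-object-prefix={prefix}"
    return [grant, enable]


if __name__ == "__main__":
    verdicts = evaluate(SAMPLE_BUCKETS)
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    for cmd in (remediation_commands(n, "central-access-logs", n)
                for n, v in verdicts.items() if v == "INCOMPLIANT"):
        print("\n".join(cmd))
```

Feed it the JSON from `gcloud storage buckets list --format=json` (after mapping field names if your gcloud version emits `logging_config` instead of `logging`) to get the same verdicts the policy would report, plus ready-to-review remediation commands for the INCOMPLIANT ones.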

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration | 65 | no data