Google Storage Bucket with Log Sink does not have Versioning
- Contextual name: Bucket with Log Sink does not have Versioning
- ID: /ce/ca/google/storage/bucket-versioning
- Tags:
- Policy with categories
- Policy with type
- Production policy
 
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Description
This policy identifies Google Storage Buckets that are used as destinations for Cloud Logging sinks and do not have Object Versioning enabled.
Rationale
Log data is essential for security auditing, incident response, and operational troubleshooting. Storing logs in a Cloud Storage bucket without Object Versioning introduces the risk of data loss: if a log object is overwritten or deleted, whether accidentally or maliciously, it cannot be recovered.
Enabling Object Versioning ensures that all previous versions of log objects are retained. This provides a reliable safeguard, allowing recovery of prior log versions when necessary and maintaining the integrity and continuity of your audit trail.
Impact
Enabling Object Versioning may increase storage costs due to the retention of multiple object versions.
Audit
This policy flags a Google Storage Bucket as INCOMPLIANT if its Versioning Enabled checkbox is set to false and the Bucket is the log destination of a related Google Logging Log Sink.
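The audit above joins two resource types: Cloud Logging sinks (whose `destination` field names the bucket as `storage.googleapis.com/BUCKET_NAME`) and Cloud Storage buckets (whose `versioning.enabled` flag is the "Versioning Enabled" checkbox). The following is an added example, not the policy's own `prod.logic.yaml`, that runs the same check offline over constructed sample records shaped like the Logging API `LogSink` and the Cloud Storage JSON API bucket resource; the sink and bucket names are made up, and destinations that point at buckets outside the inventory (for example in another project) are reported separately rather than silently passed.

```python
"""Offline check mirroring this policy's audit logic: find Cloud Storage
buckets that are Cloud Logging sink destinations and lack Object Versioning.

The records below are constructed sample data (no API calls are made), shaped
like the Logging API LogSink resource (`destination`) and the Cloud Storage
JSON API bucket resource (`versioning.enabled`).
"""

# Cloud Logging sinks that write to Cloud Storage use this destination prefix;
# BigQuery and Pub/Sub sinks use other prefixes and are out of scope here.
GCS_DEST_PREFIX = "storage.googleapis.com/"

# Constructed sample sinks (names and buckets are hypothetical).
SAMPLE_SINKS = [
    {"name": "audit-to-gcs", "destination": "storage.googleapis.com/audit-logs-unversioned"},
    {"name": "audit-to-gcs-ok", "destination": "storage.googleapis.com/audit-logs-versioned"},
    {"name": "to-bq", "destination": "bigquery.googleapis.com/projects/example-project/datasets/logs"},
    {"name": "cross-proj", "destination": "storage.googleapis.com/other-project-bucket"},
]

# Constructed sample buckets from the same project inventory.
SAMPLE_BUCKETS = [
    {"name": "audit-logs-unversioned", "versioning": {"enabled": False}},
    {"name": "audit-logs-versioned", "versioning": {"enabled": True}},
    {"name": "scratch-no-sink", "versioning": {"enabled": False}},  # not a sink target: not flagged
    {"name": "no-versioning-key"},  # field absent: treated as versioning disabled
]


def bucket_from_sink_destination(destination: str):
    """Return the bucket name if the sink writes to Cloud Storage, else None."""
    if not destination.startswith(GCS_DEST_PREFIX):
        return None
    bucket = destination[len(GCS_DEST_PREFIX):].strip("/")
    return bucket or None


def versioning_enabled(bucket: dict) -> bool:
    """The 'Versioning Enabled' checkbox: bucket.versioning.enabled, default False."""
    return bool((bucket.get("versioning") or {}).get("enabled", False))


def find_noncompliant_buckets(sinks, buckets):
    """Return (noncompliant, unresolved).

    noncompliant: sorted names of buckets that are sink destinations and do
                  not have Object Versioning enabled (INCOMPLIANT per policy).
    unresolved:   sorted names of destination buckets missing from `buckets`
                  (e.g. owned by another project); review these by hand.
    """
    versioning_by_name = {b["name"]: versioning_enabled(b) for b in buckets}
    noncompliant, unresolved = set(), set()
    for sink in sinks:
        name = bucket_from_sink_destination(sink.get("destination", ""))
        if name is None:
            continue  # not a Cloud Storage sink
        if name not in versioning_by_name:
            unresolved.add(name)
        elif not versioning_by_name[name]:
            noncompliant.add(name)
    return sorted(noncompliant), sorted(unresolved)


def remediation_commands(bucket_names):
    """gcloud commands (from the Remediation section) for each flagged bucket."""
    return [f"gcloud storage buckets update gs://{n} --versioning" for n in bucket_names]


if __name__ == "__main__":
    flagged, unknown = find_noncompliant_buckets(SAMPLE_SINKS, SAMPLE_BUCKETS)
    print("INCOMPLIANT:", flagged)
    print("unresolved destinations:", unknown)
    for cmd in remediation_commands(flagged):
        print(cmd)
```

Against real data, feed the function the output of `gcloud logging sinks list --format=json` (one list per project, since sinks can target buckets in other projects) and the bucket resources from the Cloud Storage JSON API; anything in the unresolved list is a sink writing to a bucket you do not have inventory for, which is exactly the case where a missing versioning check is easiest to overlook.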
Remediation
Enable Object Versioning
From gcloud CLI
To enable versioning on the bucket named in the finding, use the --versioning flag:
```sh
gcloud storage buckets update gs://{{bucket-name}} --versioning
```