Predefined posture for Cloud Storage, essentials

This page describes the preventative and detective policies included in v1.0 of the predefined posture for Cloud Storage, essentials. This posture includes two policy sets:

  • A policy set that includes organization policies that apply to Cloud Storage.

  • A policy set that includes Security Health Analytics detectors that apply to Cloud Storage.

You can use this predefined posture to configure a security posture that helps protect Cloud Storage. You can deploy this predefined posture without making any changes.

Organization policy constraints

The following table describes the organization policies that are included in this posture.

Policy: storage.publicAccessPrevention
Description: This policy prevents Cloud Storage buckets from being open to unauthenticated public access. The value is true to prevent public access to buckets.
Compliance standard: NIST SP 800-53 controls AC-3, AC-17, and AC-20

Policy: storage.uniformBucketLevelAccess
Description: This policy prevents Cloud Storage buckets from using per-object ACLs (a separate system from IAM policies) to grant access, enforcing consistency for access management and auditing. The value is true to enforce uniform bucket-level access.
Compliance standard: NIST SP 800-53 controls AC-3, AC-17, and AC-20

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.

Detector name: BUCKET_LOGGING_DISABLED
Description: This detector checks whether there is a storage bucket without logging enabled.

Detector name: LOCKED_RETENTION_POLICY_NOT_SET
Description: This detector checks whether the locked retention policy is set for logs.

Detector name: OBJECT_VERSIONING_DISABLED
Description: This detector checks whether object versioning is enabled on storage buckets with sinks.

Detector name: BUCKET_CMEK_DISABLED
Description: This detector checks whether buckets are encrypted using customer-managed encryption keys (CMEK).

Detector name: BUCKET_POLICY_ONLY_DISABLED
Description: This detector checks whether uniform bucket-level access is configured.

Detector name: PUBLIC_BUCKET_ACL
Description: This detector checks whether a bucket is publicly accessible.

Detector name: PUBLIC_LOG_BUCKET
Description: This detector checks whether a bucket with a log sink is publicly accessible.

Detector name: ORG_POLICY_LOCATION_RESTRICTION
Description: This detector checks whether a Compute Engine resource is out of compliance with the constraints/gcp.resourceLocations constraint.
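As an added example (not code from the Cloud Storage or Security Command Center documentation), the following Python evaluates a bucket resource in the Cloud Storage JSON API shape against the org policy constraints and the bucket-level detectors listed in the two tables above. The sample buckets are constructed, and the mapping from bucket fields to detector names is an assumption about what each detector inspects, not the detectors' own logic.

```python
"""Check a bucket resource against the Cloud Storage essentials posture.
Field names follow the Cloud Storage JSON API bucket resource; the mapping
from fields to detector names is an assumption, not SCC's implementation."""

PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def findings(bucket: dict) -> list[str]:
    """Return the posture controls the bucket would violate, sorted."""
    iam_cfg = bucket.get("iamConfiguration", {})
    acl_entities = {entry.get("entity") for entry in bucket.get("acl", [])}
    passed = {
        # storage.publicAccessPrevention: only "enforced" blocks public grants
        "storage.publicAccessPrevention":
            iam_cfg.get("publicAccessPrevention") == "enforced",
        # storage.uniformBucketLevelAccess org policy / BUCKET_POLICY_ONLY_DISABLED
        "BUCKET_POLICY_ONLY_DISABLED":
            bool(iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled")),
        "BUCKET_LOGGING_DISABLED": bool(bucket.get("logging", {}).get("logBucket")),
        "LOCKED_RETENTION_POLICY_NOT_SET":
            bool(bucket.get("retentionPolicy", {}).get("isLocked")),
        "OBJECT_VERSIONING_DISABLED": bool(bucket.get("versioning", {}).get("enabled")),
        "BUCKET_CMEK_DISABLED": bool(bucket.get("encryption", {}).get("defaultKmsKeyName")),
        # Legacy ACL grants to allUsers / allAuthenticatedUsers
        "PUBLIC_BUCKET_ACL": not (acl_entities & PUBLIC_ENTITIES),
    }
    return sorted(name for name, ok in passed.items() if not ok)


# Constructed sample: satisfies every control in the posture.
HARDENED_BUCKET = {
    "name": "example-hardened-bucket",
    "iamConfiguration": {"publicAccessPrevention": "enforced",
                         "uniformBucketLevelAccess": {"enabled": True}},
    "logging": {"logBucket": "example-access-logs", "logObjectPrefix": "access"},
    "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": True},
    "versioning": {"enabled": True},
    "encryption": {"defaultKmsKeyName": "projects/example-project/locations/us/"
                   "keyRings/example-ring/cryptoKeys/example-key"},
}

# Constructed sample: inherited PAP, legacy ACLs with a public grant, no CMEK.
WEAK_BUCKET = {
    "name": "example-weak-bucket",
    "iamConfiguration": {"publicAccessPrevention": "inherited",
                         "uniformBucketLevelAccess": {"enabled": False}},
    "acl": [{"entity": "allUsers", "role": "READER"}],
    "versioning": {"enabled": False},
}
```

findings(WEAK_BUCKET) lists all seven controls, while findings(HARDENED_BUCKET) is empty; a bucket with an unlocked retention policy fails only LOCKED_RETENTION_POLICY_NOT_SET.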

YAML definition

The following is the YAML definition for the predefined posture for Cloud Storage.

name: organizations/123/locations/global/postureTemplates/cloud_storage_essential
description: Posture Template to make your Cloud storage workload secure.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: Cloud storage preventative policy set
  description: 2 org policies that new customers can automatically enable.
  policies:
  - policy_id: Enforce Public Access Prevention
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.publicAccessPrevention
        policy_rules:
        - enforce: true
    description: This governance policy prevents access to existing and future resources via the public internet by disabling and blocking Access Control Lists (ACLs) and IAM permissions that grant access to allUsers and allAuthenticatedUsers.
  - policy_id: Enforce uniform bucket-level access
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.uniformBucketLevelAccess
        policy_rules:
        - enforce: true
    description: This boolean constraint requires buckets to use uniform bucket-level access where this constraint is set to TRUE.
- policy_set_id: Cloud storage detective policy set
  description: 8 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Bucket logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_LOGGING_DISABLED
  - policy_id: Locked retention policy not set
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LOCKED_RETENTION_POLICY_NOT_SET
  - policy_id: Object versioning disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OBJECT_VERSIONING_DISABLED
  - policy_id: Bucket CMEK disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_CMEK_DISABLED
  - policy_id: Bucket policy only disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_POLICY_ONLY_DISABLED
  - policy_id: Public bucket ACL
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_BUCKET_ACL
  - policy_id: Public log bucket
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_LOG_BUCKET
  - policy_id: Org policy location restriction
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ORG_POLICY_LOCATION_RESTRICTION
