Last updated 2025-09-05 (UTC).

**Note:** Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))

This page describes the preventative and detective policies that are included in the v1.0 version of the predefined posture for Cloud Storage, essentials. This posture includes two policy sets:

- A policy set that includes organization policies that apply to Cloud Storage.
- A policy set that includes Security Health Analytics detectors that apply to Cloud Storage.

You can use this predefined posture to configure a security posture that helps protect Cloud Storage. You can deploy this predefined posture without making any changes.

## Organization policy constraints

The following table describes the organization policies that are included in this posture.

| Policy | Description | Compliance standard |
|---|---|---|
| `storage.publicAccessPrevention` | This policy prevents Cloud Storage buckets from being open to unauthenticated public access. The value is `true` to prevent public access to buckets. | NIST SP 800-53 controls: AC-3, AC-17, and AC-20 |
| `storage.uniformBucketLevelAccess` | This policy prevents Cloud Storage buckets from using per-object ACLs (a separate system from IAM policies) to grant access, enforcing consistency for access management and auditing. The value is `true` to enforce [uniform bucket-level access](/storage/docs/uniform-bucket-level-access). | NIST SP 800-53 controls: AC-3, AC-17, and AC-20 |

## Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see [Vulnerability findings](/security-command-center/docs/concepts-vulnerabilities-findings).

| Detector name | Description |
|---|---|
| `BUCKET_LOGGING_DISABLED` | This detector checks whether there is a storage bucket without logging enabled. |
| `LOCKED_RETENTION_POLICY_NOT_SET` | This detector checks whether the locked retention policy is set for logs. |
| `OBJECT_VERSIONING_DISABLED` | This detector checks whether object versioning is enabled on storage buckets with sinks. |
| `BUCKET_CMEK_DISABLED` | This detector checks whether buckets are encrypted using customer-managed encryption keys (CMEK). |
| `BUCKET_POLICY_ONLY_DISABLED` | This detector checks whether uniform bucket-level access is configured. |
| `PUBLIC_BUCKET_ACL` | This detector checks whether a bucket is publicly accessible. |
| `PUBLIC_LOG_BUCKET` | This detector checks whether a bucket with a log sink is publicly accessible. |
| `ORG_POLICY_LOCATION_RESTRICTION` | This detector checks whether a Compute Engine resource is out of compliance with the `constraints/gcp.resourceLocations` constraint. |
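To make the detector table concrete, the following is an added example (not Google's code and not how Security Health Analytics is implemented) that runs simplified local checks named after the detectors above over bucket metadata. It assumes the field names of the Cloud Storage JSON API bucket resource (`iamConfiguration`, `acl`, `logging`, `versioning`, `encryption`, `retentionPolicy`); the sample buckets are constructed, and the `PUBLIC_LOG_BUCKET` and `ORG_POLICY_LOCATION_RESTRICTION` checks are omitted because they need information that is not in a single bucket resource.

```python
"""Local triage of bucket metadata against the posture's detector names.

Added example, not Google's code: each check is a simplified reading of the
detector description on the page, applied to JSON API bucket resource fields
(an assumption about field names). Sample data below is constructed.
"""
import json
from typing import Dict, List

# ACL grantees that make a bucket world-readable or readable by any Google account.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def evaluate_bucket(bucket: dict) -> List[str]:
    """Return the detector names (from the posture table) that this bucket would trip."""
    findings = []
    iam_cfg = bucket.get("iamConfiguration", {})

    # BUCKET_POLICY_ONLY_DISABLED: uniform bucket-level access not enabled.
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("BUCKET_POLICY_ONLY_DISABLED")

    # PUBLIC_BUCKET_ACL: a legacy ACL entry grants access to a public entity.
    if any(entry.get("entity") in PUBLIC_ENTITIES for entry in bucket.get("acl", [])):
        findings.append("PUBLIC_BUCKET_ACL")

    # BUCKET_LOGGING_DISABLED: no usage/storage log destination configured.
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append("BUCKET_LOGGING_DISABLED")

    # OBJECT_VERSIONING_DISABLED: versioning off (simplified: checked on every bucket,
    # whereas the real detector scopes this to buckets that receive log sinks).
    if not bucket.get("versioning", {}).get("enabled", False):
        findings.append("OBJECT_VERSIONING_DISABLED")

    # BUCKET_CMEK_DISABLED: no customer-managed default KMS key.
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("BUCKET_CMEK_DISABLED")

    # LOCKED_RETENTION_POLICY_NOT_SET: retention policy absent or not locked.
    if not bucket.get("retentionPolicy", {}).get("isLocked", False):
        findings.append("LOCKED_RETENTION_POLICY_NOT_SET")

    return findings


def evaluate_all(buckets_json: str) -> Dict[str, List[str]]:
    """Map bucket name -> list of tripped detector names for a JSON array of buckets."""
    return {b["name"]: evaluate_bucket(b) for b in json.loads(buckets_json)}


# Constructed sample: one bucket configured the way the posture wants, one legacy bucket.
SAMPLE_BUCKETS = json.dumps([
    {
        "name": "hardened-logs",
        "iamConfiguration": {
            "uniformBucketLevelAccess": {"enabled": True},
            "publicAccessPrevention": "enforced",
        },
        "logging": {"logBucket": "example-audit-logs", "logObjectPrefix": "hardened-logs"},
        "versioning": {"enabled": True},
        "encryption": {
            "defaultKmsKeyName": "projects/example-project/locations/us/keyRings/example-kr/cryptoKeys/example-key"
        },
        "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": True},
    },
    {
        "name": "legacy-assets",
        "iamConfiguration": {
            "uniformBucketLevelAccess": {"enabled": False},
            "publicAccessPrevention": "inherited",
        },
        "acl": [{"entity": "allUsers", "role": "READER"}],
        "versioning": {"enabled": False},
    },
])


if __name__ == "__main__":
    for name, findings in evaluate_all(SAMPLE_BUCKETS).items():
        print(f"{name}: {', '.join(findings) if findings else 'no findings'}")
```

In practice you would feed `evaluate_all` the JSON output of a bucket listing instead of `SAMPLE_BUCKETS`; the point of the example is the one-to-one mapping between a detector name and the bucket field it depends on, which is what you verify when a finding is raised or suppressed.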
## View the posture template

To view the posture template for Cloud Storage, essentials, do the following:

### gcloud

Before using any of the command data below, make the following replacements:

- `ORGANIZATION_ID`: the numeric ID of the organization

Execute the [`gcloud scc posture-templates describe`](/sdk/gcloud/reference/scc/posture-templates/describe) command:

Linux, macOS, or Cloud Shell

```bash
gcloud scc posture-templates describe \
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_essential
```

Windows (PowerShell)

```powershell
gcloud scc posture-templates describe `
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_essential
```

Windows (cmd.exe)

```bat
gcloud scc posture-templates describe ^
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_essential
```

The response contains the posture template.

### REST

Before using any of the request data, make the following replacements:

- `ORGANIZATION_ID`: the numeric ID of the organization

HTTP method and URL:

```
GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_essential
```

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

**Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login), or by using [Cloud Shell](/shell/docs), which automatically logs you into the `gcloud` CLI. You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).

Execute the following command:

```bash
curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_essential"
```

PowerShell (Windows)

**Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login). You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).

Execute the following command:

```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_essential" | Select-Object -Expand Content
```

The response contains the posture template.

## What's next

- [Create a security posture using this predefined posture](/security-command-center/docs/how-to-use-security-posture).