Predefined posture for Cloud Storage, extended

This page describes the preventative and detective policies that are included in version 1.0 of the predefined posture for Cloud Storage, extended. This posture includes two policy sets:

  • A policy set that includes organization policies that apply to Cloud Storage.

  • A policy set that includes Security Health Analytics detectors that apply to Cloud Storage.

You can use this predefined posture to configure a security posture that helps protect Cloud Storage. If you want to deploy this predefined posture, you must customize some of the policies (at minimum, the retention policy duration, which ships without a value) so that they apply to your environment.

Organization policy constraints

The following table describes the organization policies that are included in this posture.

Each entry lists the policy, its description, and the compliance standard it maps to.

storage.publicAccessPrevention
  Description: This policy prevents Cloud Storage buckets from being open to unauthenticated public access.
  Value: true, to prevent public access to buckets.
  Compliance standard: NIST SP 800-53 controls AC-3, AC-17, and AC-20

storage.uniformBucketLevelAccess
  Description: This policy prevents Cloud Storage buckets from granting access through per-object ACLs (a permission system separate from IAM), so that all access is managed and audited through IAM alone.
  Value: true, to enforce uniform bucket-level access.
  Compliance standard: NIST SP 800-53 controls AC-3, AC-17, and AC-20

storage.retentionPolicySeconds
  Description: This constraint defines the set of allowed durations (in seconds) for retention policies on buckets.
  Value: not set in the posture. You must configure the allowed durations when you adopt this predefined posture.
  Compliance standard: NIST SP 800-53 control SI-12
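The retention policy constraint is the one entry in this posture that cannot be deployed as published, because a list constraint needs the allowed values rather than a bare enforce flag. The fragment below is an added example of how the third policy could look once customized; it is not part of the published template. The values/allowed_values rule shape is assumed from the Organization Policy list-constraint rule format, and the two durations (30 days and 365 days, in seconds) are illustrative.

```yaml
# Added example: customized "Retention policy duration in seconds" policy for the
# Cloud storage preventative policy set. Durations are illustrative; the rule
# shape (values/allowed_values) is assumed from the Organization Policy
# list-constraint format. Enforcement is not retroactive: existing buckets with
# other retention durations stay valid.
- policy_id: Retention policy duration in seconds
  compliance_standards:
  - standard: NIST SP 800-53
    control: SI-12
  constraint:
    org_policy_constraint:
      canned_constraint_id: storage.retentionPolicySeconds
      policy_rules:
      - values:
          allowed_values:
          - "2592000"    # 30 days
          - "31536000"   # 365 days
  description: Buckets created or updated in this organization must use one of the listed retention durations.
```

Pick durations that match your log-retention and records-management requirements; any bucket insert, update, or patch that sets a retention policy outside the allowed list will be rejected once the policy is in force.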

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.

Each entry lists the detector name and what it checks.

  • BUCKET_LOGGING_DISABLED: This detector checks whether there is a storage bucket without logging enabled.

  • LOCKED_RETENTION_POLICY_NOT_SET: This detector checks whether a locked retention policy is set on buckets that store logs.

  • OBJECT_VERSIONING_DISABLED: This detector checks whether object versioning is enabled on storage buckets that are log sink destinations.

  • BUCKET_CMEK_DISABLED: This detector checks whether buckets are encrypted using customer-managed encryption keys (CMEK).

  • BUCKET_POLICY_ONLY_DISABLED: This detector checks whether uniform bucket-level access is configured.

  • PUBLIC_BUCKET_ACL: This detector checks whether a bucket is publicly accessible.

  • PUBLIC_LOG_BUCKET: This detector checks whether a bucket that is a log sink destination is publicly accessible.

  • ORG_POLICY_LOCATION_RESTRICTION: This detector checks whether a Compute Engine resource is out of compliance with the constraints/gcp.resourceLocations constraint.
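To make concrete what these detectors look for, here is an offline re-implementation of their checks against bucket metadata. This is an added example and not Google's detector code: each check implements what the detector's description above says it looks for, evaluated against metadata in the shape of the Cloud Storage JSON API bucket resource (what `gcloud storage buckets describe BUCKET --format=json` returns) together with the bucket's IAM policy (what `gcloud storage buckets get-iam-policy BUCKET` returns). The two sample buckets are constructed, the function names are this example's own, and ORG_POLICY_LOCATION_RESTRICTION is left out because it depends on the effective gcp.resourceLocations policy rather than on bucket metadata.

```python
"""Offline re-implementation of the checks performed by the Security Health
Analytics detectors in this posture (added example, not Google's code).
Bucket metadata follows the Cloud Storage JSON API bucket resource; the IAM
policy follows the getIamPolicy response.  Sample data below is constructed."""
from __future__ import annotations

import json
from typing import Any

Bucket = dict[str, Any]
IamPolicy = dict[str, Any]

# Principals that make a bucket "public", whether granted via legacy ACLs or IAM.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_principals(bucket: Bucket, iam_policy: IamPolicy) -> set[str]:
    """Return the public principals granted access via legacy ACLs or IAM bindings."""
    found = {e.get("entity") for e in bucket.get("acl", []) if e.get("entity") in PUBLIC_PRINCIPALS}
    for binding in iam_policy.get("bindings", []):
        found.update(m for m in binding.get("members", []) if m in PUBLIC_PRINCIPALS)
    return found


def public_access_prevention_enforced(bucket: Bucket) -> bool:
    """True when the bucket reflects storage.publicAccessPrevention ("enforced").
    "inherited" means the org policy is not effective for this bucket."""
    return bucket.get("iamConfiguration", {}).get("publicAccessPrevention") == "enforced"


def evaluate(bucket: Bucket, iam_policy: IamPolicy, *, log_sink_destination: bool) -> list[str]:
    """Return the names of the posture's detectors that would fire for this bucket.

    log_sink_destination is True when a Cloud Logging sink writes to the bucket;
    the versioning, locked-retention and public-log-bucket checks apply only then.
    """
    iam_cfg = bucket.get("iamConfiguration", {})
    findings: list[str] = []

    if not bucket.get("logging", {}).get("logBucket"):
        findings.append("BUCKET_LOGGING_DISABLED")
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("BUCKET_CMEK_DISABLED")
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("BUCKET_POLICY_ONLY_DISABLED")

    public = public_principals(bucket, iam_policy)
    if public:
        findings.append("PUBLIC_BUCKET_ACL")

    if log_sink_destination:
        if public:
            findings.append("PUBLIC_LOG_BUCKET")
        if not bucket.get("retentionPolicy", {}).get("isLocked", False):
            findings.append("LOCKED_RETENTION_POLICY_NOT_SET")
        if not bucket.get("versioning", {}).get("enabled", False):
            findings.append("OBJECT_VERSIONING_DISABLED")
    return findings


# Constructed sample data (not real buckets).  The first bucket is configured the
# way this posture expects; the second is a log-sink destination with every
# weakness the detectors look for.
HARDENED_BUCKET: Bucket = {
    "name": "example-hardened-logs",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "enforced",
    },
    "logging": {"logBucket": "example-access-logs"},
    "versioning": {"enabled": True},
    "encryption": {"defaultKmsKeyName": "projects/example/locations/us/keyRings/kr/cryptoKeys/k"},
    "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": True},
}
HARDENED_IAM: IamPolicy = {
    "bindings": [{"role": "roles/storage.objectViewer", "members": ["group:sec-ops@example.com"]}]
}

WEAK_LOG_BUCKET: Bucket = {
    "name": "example-weak-logs",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": False},
        "publicAccessPrevention": "inherited",
    },
    # Legacy ACL granting read to everyone: exactly what uniform access forbids.
    "acl": [{"entity": "allUsers", "role": "READER"}],
    "versioning": {"enabled": False},
}
WEAK_IAM: IamPolicy = {
    "bindings": [{"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]}]
}


def report() -> dict[str, list[str]]:
    """Evaluate both sample buckets as log-sink destinations."""
    return {
        HARDENED_BUCKET["name"]: evaluate(HARDENED_BUCKET, HARDENED_IAM, log_sink_destination=True),
        WEAK_LOG_BUCKET["name"]: evaluate(WEAK_LOG_BUCKET, WEAK_IAM, log_sink_destination=True),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Run it and the hardened bucket produces no findings while the weak log bucket produces all seven bucket-level detector names. Two points the code makes explicit: a bucket can be public through a legacy ACL even when no IAM binding names allUsers, which is why storage.uniformBucketLevelAccess is in the preventive set alongside the PUBLIC_BUCKET_ACL detector; and the same weak configuration yields fewer findings when the bucket is not a log sink destination, because three of the detectors only apply to log buckets.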

YAML definition

The following is the YAML definition for the predefined posture for Cloud Storage, extended.

name: organizations/123/locations/global/postureTemplates/cloud_storage_extended
description: Posture Template to make your Cloud storage workload secure.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: Cloud storage preventative policy set
  description: 3 org policies that new customers can automatically enable.
  policies:
  - policy_id: Enforce Public Access Prevention
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.publicAccessPrevention
        policy_rules:
        - enforce: true
    description: This governance policy prevents access to existing and future resources via the public internet by disabling and blocking Access Control Lists (ACLs) and IAM permissions that grant access to allUsers and allAuthenticatedUsers.
  - policy_id: Enforce uniform bucket-level access
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.uniformBucketLevelAccess
        policy_rules:
        - enforce: true
    description: This boolean constraint requires buckets to use uniform bucket-level access where this constraint is set to TRUE.
  - policy_id: Retention policy duration in seconds
    compliance_standards:
    - standard: NIST SP 800-53
      control: SI-12
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.retentionPolicySeconds
        policy_rules:
        - enforce: true
    description: This list constraint defines the set of durations for retention policies that can be set on Cloud Storage buckets. By default, if no organization policy is specified, a Cloud Storage bucket can have a retention policy of any duration. The list of allowed durations must be specified as a positive integer value greater than zero, representing the retention policy in seconds. Any insert, update, or patch operation on a bucket in the organization resource must have a retention policy duration that matches the constraint. Enforcement of this constraint is not retroactive. When a new organization policy is enforced, the retention policy of existing buckets remains unchanged and valid.
- policy_set_id: Cloud storage detective policy set
  description: 8 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Bucket logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_LOGGING_DISABLED
  - policy_id: Locked retention policy not set
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LOCKED_RETENTION_POLICY_NOT_SET
  - policy_id: Object versioning disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OBJECT_VERSIONING_DISABLED
  - policy_id: Bucket CMEK disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_CMEK_DISABLED
  - policy_id: Bucket policy only disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_POLICY_ONLY_DISABLED
  - policy_id: Public bucket ACL
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_BUCKET_ACL
  - policy_id: Public log bucket
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_LOG_BUCKET
  - policy_id: Org policy location restriction
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ORG_POLICY_LOCATION_RESTRICTION