This page describes the preventative and detective policies that are included in the v1.0 version of the predefined posture for Cloud Storage, extended. This posture includes two policy sets:
- A policy set that includes organization policies that apply to Cloud Storage.
- A policy set that includes Security Health Analytics detectors that apply to Cloud Storage.
You can use this predefined posture to configure a security posture that helps protect Cloud Storage. If you want to deploy this predefined posture, you must customize some of the policies so that they apply to your environment.
Organization policy constraints
The following table describes the organization policies that are included in this posture.
| Policy | Description | Compliance standard |
|---|---|---|
| `storage.publicAccessPrevention` | This policy prevents Cloud Storage buckets from being open to unauthenticated public access. The value is | NIST SP 800-53 control: AC-3, AC-17, and AC-20 |
| `storage.uniformBucketLevelAccess` | This policy prevents Cloud Storage buckets from using per-object ACLs (a separate system from IAM policies) to provide access, enforcing consistency for access management and auditing. The value is | NIST SP 800-53 control: AC-3, AC-17, and AC-20 |
| `storage.retentionPolicySeconds` | This constraint defines the duration (in seconds) for the retention policy for buckets. You must configure this value when you adopt this predefined posture. | NIST SP 800-53 control: SI-12 |
Security Health Analytics detectors
The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.
| Detector name | Description |
|---|---|
| `BUCKET_LOGGING_DISABLED` | This detector checks whether there is a storage bucket without logging enabled. |
| `LOCKED_RETENTION_POLICY_NOT_SET` | This detector checks whether the locked retention policy is set for logs. |
| `OBJECT_VERSIONING_DISABLED` | This detector checks whether object versioning is enabled on storage buckets with sinks. |
| `BUCKET_CMEK_DISABLED` | This detector checks whether buckets are encrypted using customer-managed encryption keys (CMEK). |
| `BUCKET_POLICY_ONLY_DISABLED` | This detector checks whether uniform bucket-level access is configured. |
| `PUBLIC_BUCKET_ACL` | This detector checks whether a bucket is publicly accessible. |
| `PUBLIC_LOG_BUCKET` | This detector checks whether a bucket with a log sink is publicly accessible. |
| `ORG_POLICY_LOCATION_RESTRICTION` | This detector checks whether a Compute Engine resource is out of compliance with the |
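The two tables above list the controls as organization policy constraints and as detector names, but they do not show what a bucket that violates them looks like. The following audit script is an added example written for this page; it is not part of the predefined posture or of any Google tool. It evaluates bucket metadata in the JSON API `Bucket` resource shape (the output of `gcloud storage buckets describe --format=json`) against the same controls, covering both the organization policies and the detectors at once. The sample buckets, the KMS key name, the allowed retention durations and the set of buckets that carry log sinks are all constructed for the example; the `iamPolicy` key is assumed to have been attached by the caller from a separate `getIamPolicy` call, since it is not part of the `Bucket` resource.

```python
"""Audit Cloud Storage bucket metadata against this posture's controls.

Added example for this page, not code from the posture or from Google.
Input buckets use the JSON API ``Bucket`` resource field names. The sample
data at the bottom is constructed for the example.
"""
from __future__ import annotations

from typing import Any

# Principals that make an ACL entry or IAM binding "public".
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def _is_public(bucket: dict[str, Any]) -> bool:
    """True when a legacy ACL or an IAM binding grants access to allUsers or
    allAuthenticatedUsers. ``iamPolicy`` is assumed to be attached by the
    caller (it is not a Bucket resource field)."""
    acl_public = any(e.get("entity") in PUBLIC_ENTITIES for e in bucket.get("acl", []))
    iam_public = any(
        member in PUBLIC_ENTITIES
        for binding in bucket.get("iamPolicy", {}).get("bindings", [])
        for member in binding.get("members", [])
    )
    return acl_public or iam_public


def audit_bucket(
    bucket: dict[str, Any],
    allowed_retention_seconds: set[int],
    log_sink_buckets: set[str],
) -> list[str]:
    """Return the findings for one bucket, named after the posture's controls.

    ``allowed_retention_seconds`` plays the role of the value list you must
    choose for storage.retentionPolicySeconds; ``log_sink_buckets`` holds the
    names of buckets that are targets of a log sink, which scopes the
    OBJECT_VERSIONING_DISABLED and PUBLIC_LOG_BUCKET checks.
    """
    findings: list[str] = []
    iam_cfg = bucket.get("iamConfiguration", {})

    # storage.publicAccessPrevention: only "enforced" counts here. A bucket
    # showing "inherited" may still be protected by the org policy, so this
    # check is deliberately conservative.
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("PUBLIC_ACCESS_PREVENTION_NOT_ENFORCED")

    # storage.uniformBucketLevelAccess, reported by BUCKET_POLICY_ONLY_DISABLED.
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("BUCKET_POLICY_ONLY_DISABLED")

    # storage.retentionPolicySeconds and LOCKED_RETENTION_POLICY_NOT_SET.
    retention = bucket.get("retentionPolicy")
    if retention is None:
        findings.append("RETENTION_POLICY_NOT_SET")
    else:
        # retentionPeriod is a string of seconds in the API response.
        if int(retention.get("retentionPeriod", 0)) not in allowed_retention_seconds:
            findings.append("RETENTION_DURATION_NOT_ALLOWED")
        if not retention.get("isLocked", False):
            findings.append("LOCKED_RETENTION_POLICY_NOT_SET")

    # BUCKET_LOGGING_DISABLED: usage logging needs a destination bucket.
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append("BUCKET_LOGGING_DISABLED")

    # OBJECT_VERSIONING_DISABLED applies to buckets with sinks.
    is_sink_target = bucket.get("name") in log_sink_buckets
    if is_sink_target and not bucket.get("versioning", {}).get("enabled", False):
        findings.append("OBJECT_VERSIONING_DISABLED")

    # BUCKET_CMEK_DISABLED: no default Cloud KMS key configured.
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("BUCKET_CMEK_DISABLED")

    # PUBLIC_BUCKET_ACL for any bucket; PUBLIC_LOG_BUCKET additionally for sink targets.
    if _is_public(bucket):
        findings.append("PUBLIC_BUCKET_ACL")
        if is_sink_target:
            findings.append("PUBLIC_LOG_BUCKET")
    return findings


def audit_all(
    buckets: list[dict[str, Any]],
    allowed_retention_seconds: set[int],
    log_sink_buckets: set[str],
) -> dict[str, list[str]]:
    """Map each bucket name to its findings (empty list means compliant)."""
    return {b["name"]: audit_bucket(b, allowed_retention_seconds, log_sink_buckets) for b in buckets}


# Constructed sample data: one hardened bucket and one legacy, public bucket.
SAMPLE_BUCKETS: list[dict[str, Any]] = [
    {
        "name": "hardened-logs",
        "iamConfiguration": {
            "publicAccessPrevention": "enforced",
            "uniformBucketLevelAccess": {"enabled": True},
        },
        "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": True},
        "logging": {"logBucket": "usage-log-destination"},
        "versioning": {"enabled": True},
        "encryption": {"defaultKmsKeyName": "projects/example-project/locations/us/keyRings/example-ring/cryptoKeys/example-key"},
    },
    {
        "name": "legacy-public",
        "iamConfiguration": {
            "publicAccessPrevention": "inherited",
            "uniformBucketLevelAccess": {"enabled": False},
        },
        "acl": [{"entity": "allUsers", "role": "READER"}],
        "versioning": {"enabled": False},
    },
]

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_BUCKETS, {2592000}, {"hardened-logs", "legacy-public"}).items():
        print(name, "->", found or "compliant")
```

Running the block prints `hardened-logs -> compliant` and a full list of findings for `legacy-public`. The retention check mirrors the fact that `storage.retentionPolicySeconds` is a list constraint: you pass the durations you decided on when customizing the posture, and any bucket whose `retentionPeriod` is not in that set is flagged.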
YAML definition
The following is the YAML definition for the predefined posture for Cloud Storage.
```yaml
name: organizations/123/locations/global/postureTemplates/cloud_storage_extended
description: Posture Template to make your Cloud storage workload secure.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: Cloud storage preventative policy set
  description: 3 org policies that new customers can automatically enable.
  policies:
  - policy_id: Enforce Public Access Prevention
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.publicAccessPrevention
        policy_rules:
        - enforce: true
    description: This governance policy prevents access to existing and future resources via the public internet by disabling and blocking Access Control Lists (ACLs) and IAM permissions that grant access to allUsers and allAuthenticatedUsers.
  - policy_id: Enforce uniform bucket-level access
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.uniformBucketLevelAccess
        policy_rules:
        - enforce: true
    description: This boolean constraint requires buckets to use uniform bucket-level access where this constraint is set to TRUE.
  - policy_id: Retention policy duration in seconds
    compliance_standards:
    - standard: NIST SP 800-53
      control: SI-12
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.retentionPolicySeconds
        policy_rules:
        - enforce: true
    description: This list constraint defines the set of durations for retention policies that can be set on Cloud Storage buckets. By default, if no organization policy is specified, a Cloud Storage bucket can have a retention policy of any duration. The list of allowed durations must be specified as a positive integer value greater than zero, representing the retention policy in seconds. Any insert, update, or patch operation on a bucket in the organization resource must have a retention policy duration that matches the constraint. Enforcement of this constraint is not retroactive. When a new organization policy is enforced, the retention policy of existing buckets remains unchanged and valid.
- policy_set_id: Cloud storage detective policy set
  description: 8 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Bucket logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_LOGGING_DISABLED
  - policy_id: Locked retention policy not set
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LOCKED_RETENTION_POLICY_NOT_SET
  - policy_id: Object versioning disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OBJECT_VERSIONING_DISABLED
  - policy_id: Bucket CMEK disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_CMEK_DISABLED
  - policy_id: Bucket policy only disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_POLICY_ONLY_DISABLED
  - policy_id: Public bucket ACL
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_BUCKET_ACL
  - policy_id: Public log bucket
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_LOG_BUCKET
  - policy_id: Org policy location restriction
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ORG_POLICY_LOCATION_RESTRICTION
```