Predefined posture for Cloud Storage, extended

This page describes the preventative and detective policies that are included in the v1.0 version of the predefined posture for Cloud Storage, extended. This posture includes two policy sets:

A policy set that includes organization policies that apply to Cloud Storage.
A policy set that includes Security Health Analytics detectors that apply to Cloud Storage.

You can use this predefined posture to configure a security posture that helps protect Cloud Storage. If you want to deploy this predefined posture, you must customize some of the policies so that they apply to your environment.

Organization policy constraints

The following table describes the organization policies that are included in this posture.

Policy Description Compliance standard

Policy	Description	Compliance standard
`storage.publicAccessPrevention`	This policy prevents Cloud Storage buckets from being open to unauthenticated public access. The value is `true` to prevent public access to buckets.	NIST SP 800-53 control: AC-3, AC-17, and AC-20
`storage.uniformBucketLevelAccess`	This policy prevents Cloud Storage buckets from using per-object ACL (a separate system from IAM policies) to provide access, enforcing consistency for access management and auditing. The value is `true` to enforce uniform bucket-level access.	NIST SP 800-53 control: AC-3, AC-17, and AC-20
`storage.retentionPolicySeconds`	This constraint defines the duration (in seconds) for the retention policy for buckets. You must configure this value when you adopt this predefined posture.	NIST SP 800-53 control: SI-12

storage.publicAccessPrevention

This policy prevents Cloud Storage buckets from being open to unauthenticated public access.

The value is true to prevent public access to buckets.

NIST SP 800-53 control: AC-3, AC-17, and AC-20

storage.uniformBucketLevelAccess

This policy prevents Cloud Storage buckets from using per-object ACL (a separate system from IAM policies) to provide access, enforcing consistency for access management and auditing.

The value is true to enforce uniform bucket-level access.

NIST SP 800-53 control: AC-3, AC-17, and AC-20

storage.retentionPolicySeconds

This constraint defines the duration (in seconds) for the retention policy for buckets.

You must configure this value when you adopt this predefined posture.

NIST SP 800-53 control: SI-12

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.

Detector name	Description
`BUCKET_LOGGING_DISABLED`	This detector checks whether there is a storage bucket without logging enabled.
`LOCKED_RETENTION_POLICY_NOT_SET`	This detector checks whether the locked retention policy is set for logs.
`OBJECT_VERSIONING_DISABLED`	This detector checks whether object versioning is enabled on storage buckets with sinks.
`BUCKET_CMEK_DISABLED`	This detector checks whether buckets are encrypted using customer-managed encryption keys (CMEK).
`BUCKET_POLICY_ONLY_DISABLED`	This detector checks whether uniform bucket-level access is configured.
`PUBLIC_BUCKET_ACL`	This detector checks whether a bucket is publicly accessible.
`PUBLIC_LOG_BUCKET`	This detector checks whether a bucket with a log sink is publicly accessible.
`ORG_POLICY_LOCATION_RESTRICTION`	This detector checks whether a Compute Engine resource is out of compliance with the `constraints/gcp.resourceLocations` constraint.

View the posture template

To view the posture template for Cloud Storage, extended, do the following:

gcloud

Before using any of the command data below, make the following replacements:

ORGANIZATION_ID: the numeric ID of the organization

Execute the gcloud scc posture-templates describe command:

Linux, macOS, or Cloud Shell

gcloud scc posture-templates describe \
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended

Windows (PowerShell)

gcloud scc posture-templates describe `
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended

Windows (cmd.exe)

gcloud scc posture-templates describe ^
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended

The response contains the posture template.

REST

Before using any of the request data, make the following replacements:

ORGANIZATION_ID: the numeric ID of the organization

HTTP method and URL:

GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended" | Select-Object -Expand Content

The response contains the posture template.

What's next

Create a security posture using this predefined posture.