This page provides supplemental information about organization policy constraints that apply to Cloud Storage. Use constraints to enforce bucket settings across an entire project or organization.
Cloud Storage constraints
The following constraints can be applied to an organization policy and relate to Cloud Storage:
Retention policy duration in seconds
API Name: constraints/storage.retentionPolicySeconds
When you apply the retentionPolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, bucket retention policies must use one of the specified durations. retentionPolicySeconds is enforced when a bucket is created and when the retention period of an existing bucket is added or updated; it is not otherwise enforced on existing buckets, so a bucket whose retention period was set before the constraint keeps that period until someone changes it.

If you set multiple retentionPolicySeconds constraints at different levels of the resource hierarchy, they are enforced hierarchically. For this reason, set the inheritFromParent field of the policy to true, which ensures that policies at higher levels are also considered.
Enforce uniform bucket-level access
API Name: constraints/storage.uniformBucketLevelAccess
When you apply the uniformBucketLevelAccess constraint, new buckets must enable uniform bucket-level access, and existing buckets that already have it enabled cannot disable it. Existing buckets with uniform bucket-level access disabled are not required to enable it; they continue to evaluate both ACLs and IAM until you enable it yourself.
Detailed audit logging mode
API Name: constraints/gcp.detailedAuditLoggingMode
When you apply the detailedAuditLoggingMode constraint, the Cloud Audit Logs entries for Cloud Storage operations contain detailed request and response information. Use this constraint together with Bucket Lock when you need to meet compliance requirements such as SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c).
Logged information includes query parameters, path parameters, and request body parameters. Logs exclude the parts of requests and responses that carry sensitive information. For example, logs exclude:
- Credentials, such as Authorization, X-Goog-Signature, or upload-id.
- Encryption key information, such as x-goog-encryption-key.
- Raw object data.
When using this constraint, note the following:
- Enabling detailedAuditLoggingMode increases the amount of data stored in audit logs, which can affect your Cloud Logging charges for Data Access logs.
- Enabling or disabling detailedAuditLoggingMode takes up to 10 minutes to go into effect.
- Logged requests and responses are recorded in a generic format that matches the field names of the JSON API.
What's next
- Learn about the resource hierarchy that applies to organization policies.
- See Creating and managing organization policies for instructions on working with constraints and organization policies in the Google Cloud Console.
- See Using constraints for instructions on working with constraints and organization policies in gcloud.
- See the Resource Manager API reference documentation for relevant API methods, such as projects.setOrgPolicy.