Organization policy constraints for Cloud Storage

This page provides supplemental information about organization policy constraints that apply to Cloud Storage. Use constraints to enforce bucket and object behaviors across an entire project or organization.

Cloud Storage constraints

The following constraints can be applied to an organization policy and relate to Cloud Storage:

Enforce public access prevention

API Name: constraints/storage.publicAccessPrevention

When you apply the publicAccessPrevention constraint on a resource, public access is restricted for all buckets and objects, both new and existing, under that resource.

Note that enabling or disabling publicAccessPrevention may take up to 10 minutes to go into effect.

Retention policy duration in seconds

API Name: constraints/storage.retentionPolicySeconds

When you apply the retentionPolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, bucket retention policies must use one of the specified durations. The constraint is enforced when a new bucket is created and when the retention period of a pre-existing bucket is added or updated; it is not otherwise enforced on pre-existing buckets.

If you set multiple retentionPolicySeconds constraints at different resource levels, they are enforced hierarchically. For this reason, it is recommended that you set the inheritFromParent field to true, which ensures that policies at higher levels of the hierarchy are also considered.

Require uniform bucket-level access

API Name: constraints/storage.uniformBucketLevelAccess

When you apply the uniformBucketLevelAccess constraint, new buckets must enable the uniform bucket-level access feature, and pre-existing buckets with this feature enabled cannot disable it. Pre-existing buckets with uniform bucket-level access disabled are not required to enable it.
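The following added example (not Google's code) models the three Cloud Storage constraints above: it builds the org-policy documents in the v1 booleanPolicy/listPolicy format and then decides whether constructed bucket create/update requests, written with Cloud Storage JSON API field names, would be accepted under them. The retention durations and bucket metadata are sample values; `evaluate` and `effective_public_access_prevention` are hypothetical helpers that mirror the rules stated in the text.

```python
def build_policies(allowed_retention_seconds: list) -> list:
    """Org policies for the three storage constraints described above, in the
    v1 booleanPolicy/listPolicy format. The durations are sample values."""
    return [
        {"constraint": "constraints/storage.publicAccessPrevention",
         "booleanPolicy": {"enforced": True}},
        {"constraint": "constraints/storage.uniformBucketLevelAccess",
         "booleanPolicy": {"enforced": True}},
        {"constraint": "constraints/storage.retentionPolicySeconds",
         "listPolicy": {"allowedValues": [str(s) for s in allowed_retention_seconds],
                        "inheritFromParent": True}},  # keep parent-level policies in play
    ]

def _policy(policies: list, name: str) -> dict:
    return next((p for p in policies if p["constraint"] == name), {})

def _on(policies: list, name: str) -> bool:  # is this boolean constraint enforced?
    return bool(_policy(policies, name).get("booleanPolicy", {}).get("enforced"))

def _ubla(bucket: dict) -> bool:
    return bool(bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {}).get("enabled"))

def _period(bucket: dict):
    return bucket.get("retentionPolicy", {}).get("retentionPeriod")

def effective_public_access_prevention(policies: list, bucket: dict) -> str:
    """The constraint covers new and existing buckets alike, so a bucket's own
    'inherited' setting is overridden while the policy is enforced."""
    if _on(policies, "constraints/storage.publicAccessPrevention"):
        return "enforced"
    return bucket.get("iamConfiguration", {}).get("publicAccessPrevention", "inherited")

def evaluate(policies: list, new: dict, existing: dict = None) -> list:
    """Reasons a create (existing is None) or update request would be rejected."""
    rejections = []
    # New buckets must enable UBLA and existing ones may not turn it off, but an
    # existing bucket that already has it disabled is not forced to enable it.
    if _on(policies, "constraints/storage.uniformBucketLevelAccess") and not _ubla(new):
        if existing is None or _ubla(existing):
            rejections.append("uniformBucketLevelAccess")
    allowed = set(_policy(policies, "constraints/storage.retentionPolicySeconds")
                  .get("listPolicy", {}).get("allowedValues", []))
    # Checked at creation and when a retention period is added or changed;
    # an untouched retention period on a pre-existing bucket is left alone.
    if allowed and (existing is None or _period(new) != _period(existing)):
        if _period(new) not in allowed:
            rejections.append("retentionPolicySeconds")
    return rejections
```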

Detailed audit logging mode

API Name: constraints/gcp.detailedAuditLoggingMode

When you apply the detailedAuditLoggingMode constraint, Cloud Audit Logs entries for Cloud Storage operations contain detailed request and response information. We recommend using this constraint in conjunction with Bucket Lock when seeking compliance with regulations such as SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c).

Logged information includes query parameters, path parameters, and request body parameters. Logs exclude certain parts of requests and responses that are associated with sensitive information. For example, logs exclude:

  • Credentials, such as Authorization, X-Goog-Signature, or upload-id.
  • Encryption key information, such as x-goog-encryption-key.
  • Raw object data.

When using this constraint, note the following:

  • Enabling detailedAuditLoggingMode increases the amount of data stored in audit logs, which could affect your Cloud Logging charges for Data Access logs.

  • Enabling or disabling detailedAuditLoggingMode takes up to 10 minutes to go into effect.

  • Logged requests and responses are recorded in a generic format that matches the field names of the JSON API.
