Organization policy constraints for Cloud Storage

This page provides supplemental information about organization policy constraints that apply to Cloud Storage. Use constraints to enforce bucket settings across an entire project or organization.

Cloud Storage constraints

The following constraints can be applied to an organization policy and relate to Cloud Storage:

Retention policy duration in seconds

API Name: constraints/storage.retentionPolicySeconds

When you apply the retentionPolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, bucket retention policies must include one of the specified durations. retentionPolicySeconds is enforced with new bucket creation or when adding/updating the retention period of a pre-existing bucket; however, it's not otherwise enforced on pre-existing buckets.

If you set multiple retentionPolicySeconds constraints at different resource levels, they are enforced hierarchically. For this reason, it's recommended that you set the inheritFromParent field to true, which ensures that policies at higher layers are also considered.

Enforce uniform bucket-level access

API Name: constraints/storage.uniformBucketLevelAccess

When you apply the uniformBucketLevelAccess constraint, buckets must use uniform bucket-level access. This constraint is enforced with new bucket creation and for any pre-existing bucket that has uniform bucket-level access enabled; however, it's not enforced on pre-existing buckets that have uniform bucket-level access disabled.

Detailed audit logging mode

API Name: constraints/gcp.detailedAuditLoggingMode

When you apply the detailedAuditLoggingMode constraint, Cloud Audit Logs logs associated with Cloud Storage operations contain detailed request and response information. This constraint is recommended to be used in conjunction with Bucket Lock when seeking various compliances such as SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c).

Logged information includes query parameters, path parameters, and request body parameters. Logs exclude certain parts of requests and responses that are associated with sensitive information. For example, logs exclude:

  • Credentials, such as Authorization, X-Goog-Signature, or upload-id.
  • Encryption key information, such as x-goog-encryption-key.
  • Raw object data.

When using this constraint, note the following:

  • Enabling detailedAuditLoggingMode increases the amount of data stored in audit logs, which could affect your Cloud Logging charges for Data Access logs.

  • Enabling or disabling detailedAuditLoggingMode takes up to 10 minutes to go into effect.

  • Logged requests and responses are recorded in a generic format that matches the field names of the JSON API.

What's next