Ensure logging is enabled for Google Cloud Storage Buckets

LOW

Description

Cloud Storage produces two kinds of logs: Cloud Audit Logs (who called which API on a bucket) and storage usage logs delivered to a bucket you choose. Together they let administrators audit storage bucket use, which is often required by compliance frameworks or industry regulations. For more information on storage logs, see the GCP documentation.
References:
https://cloud.google.com/storage/docs/access-logs

Remediation

Audit logging is enabled in the GCP Console UI, whereas delivery of usage logs to a log bucket is configured with the gsutil command-line tool or with Terraform. For more information on log delivery, see the GCP access-logs documentation (below).

To configure Audit logging:
In GCP Console -

  1. Log into the GCP Console and go to IAM & Admin.
  2. Select Audit Logs in the navigation bar.
  3. Use the filter to find Cloud Storage and select the result.
  4. Enable the specific log types as needed and select Save.

To configure log delivery:
In Terraform -

  1. In the google_storage_bucket resource, add a logging block whose log_bucket argument names the destination bucket for the logs (optionally set log_object_prefix). The destination bucket must grant the Cloud Storage log-writer group (cloud-storage-analytics@google.com) the roles/storage.objectCreator role, otherwise no log objects are delivered.
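The following Terraform configuration is an added example, not code from the original page or from Google. It puts both parts of the remediation into one place: usage-log delivery for a data bucket (the logging block this rule looks for) and the Cloud Storage audit-log types that the Console steps above enable. The bucket names, location and project ID are placeholders; the hashicorp/google provider is assumed to be configured.

```hcl
# Added example (not the page's or Google's code). Assumes the hashicorp/google
# provider is configured; bucket names, location and project ID are placeholders.

# Destination bucket for usage logs. Keep it separate from data buckets so a
# compromised data bucket's ACLs cannot be used to tamper with its own logs.
resource "google_storage_bucket" "logs" {
  name                        = "example-access-logs-bucket" # assumed name
  location                    = "US"                          # assumed location
  uniform_bucket_level_access = true

  # Retention lock keeps delivered log objects from being deleted early
  # (90 days is an assumed value; align it with your retention policy).
  retention_policy {
    retention_period = 7776000
  }
}

# Cloud Storage delivers usage logs as the cloud-storage-analytics@google.com
# group; without objectCreator on the log bucket, delivery silently fails.
resource "google_storage_bucket_iam_member" "log_writer" {
  bucket = google_storage_bucket.logs.name
  role   = "roles/storage.objectCreator"
  member = "group:cloud-storage-analytics@google.com"
}

# The data bucket under review. The logging block is what AC_GCP_0233 checks.
resource "google_storage_bucket" "data" {
  name                        = "example-data-bucket" # assumed name
  location                    = "US"
  uniform_bucket_level_access = true

  logging {
    log_bucket        = google_storage_bucket.logs.name
    log_object_prefix = "example-data-bucket" # assumed; defaults to the bucket name
  }

  # Make sure the log bucket is writable before the first log is due.
  depends_on = [google_storage_bucket_iam_member.log_writer]
}

# Cloud Audit Logs for Cloud Storage, as code instead of the Console steps.
# Admin Activity logs are always on; Data Access logs (ADMIN_READ, DATA_READ,
# DATA_WRITE) are off by default and can be voluminous and billable.
resource "google_project_iam_audit_config" "storage" {
  project = "example-project-id" # assumed project
  service = "storage.googleapis.com"

  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}
```

After `terraform apply`, confirm delivery is configured with `gsutil logging get gs://example-data-bucket`, which prints the log bucket and object prefix; usage logs are written hourly, so the first objects appear in the log bucket with a delay rather than immediately. Exempting principals from Data Access audit logs is possible in the same resource but widens the blind spot this rule is meant to close, so leave exemptions empty unless a specific service account's read traffic is known to be noise.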

References:
https://cloud.google.com/storage/docs/access-logs
https://cloud.google.com/storage/docs/audit-logging
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#nested_logging

Policy Details

Rule Reference ID: AC_GCP_0233
CSP: GCP
Remediation Available: Yes
Resource Category: Storage
Resource Type: Bucket

Frameworks