Ensure a retention policy is enabled for Google Cloud Storage Buckets

MEDIUM

Description

Google Cloud Storage Buckets should have a retention policy with a retention period greater than or equal to 90 days (7776000 seconds). Setting a retention period of 90 days is considered best practice and is often required for framework compliance or industry regulations.

Remediation

In GCP Console -

  1. Log into the GCP Console and go to Cloud Storage.
  2. Under Buckets, choose the bucket you wish to edit.
  3. Select the Protection tab.
  4. Under Retention policy, select Set Retention Policy.
  5. Enter a value in the period and set the duration type, then select Save.

In Terraform -

  1. In the google_storage_bucket resource, set the retention_policy.retention_period argument to a value in seconds (at least 7776000 for 90 days).
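
As an added example (not part of this policy page), a non-compliant bucket definition next to the corrected one; the bucket names and location are placeholders.

```terraform
# Added example, not the policy's own code. Names and location are placeholders.

# Non-compliant: no retention_policy block, so objects in the bucket can be
# deleted or overwritten immediately. This is what AC_GCP_0266 flags.
resource "google_storage_bucket" "audit_logs_weak" {
  name     = "example-audit-logs-weak"   # placeholder bucket name
  location = "US"
}

# Compliant: retention_period is given in seconds; 90 days = 7776000.
resource "google_storage_bucket" "audit_logs" {
  name     = "example-audit-logs"        # placeholder bucket name
  location = "US"

  retention_policy {
    retention_period = 90 * 24 * 60 * 60   # evaluates to 7776000 seconds
    # is_locked = true makes the policy permanent: the period can then never be
    # shortened and the policy never removed, so leave it false until the
    # retention period has been agreed.
    is_locked = false
  }
}
```

Any object in the compliant bucket cannot be deleted or replaced until it is at least 90 days old; shortening the period later is only possible while is_locked remains false.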

References:
https://cloud.google.com/storage/docs/using-bucket-lock
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#nested_retention_policy

Policy Details

Rule Reference ID: AC_GCP_0266
CSP: GCP
Remediation Available: Yes
Resource Category: Storage
Resource Type: Bucket

Frameworks