
GCP log bucket retention policy is not configured using bucket lock

Description

Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Logs can be exported by creating one or more sinks that include a log filter and a destination. As Stackdriver Logging receives new log entries, they are compared against each sink. If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.
Sinks can be configured to export logs to storage buckets. It is recommended to configure a data retention policy for these cloud storage buckets and to lock it, which permanently prevents the policy from being shortened or removed. This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are preserved for forensics and security investigations.

Fix - Buildtime

Terraform

  • Resource: google_storage_bucket (the destination of a google_logging_folder_sink / google_logging_project_sink / google_logging_organization_sink)
  • Argument: retention_policy { is_locked }
# Non-compliant: a retention policy is set but not locked, so it can later be
# shortened or removed by anyone with sufficient permissions on the bucket.
resource "google_storage_bucket" "log_bucket_bad" {
  name     = "organization-logging-bucket"
  location = "US" # location is a required argument of google_storage_bucket

  retention_policy {
    retention_period = 604800 # seconds (7 days)
    is_locked        = false
  }
}

# Compliant: the retention policy is locked. It can only be lengthened, never
# shortened or removed, and the bucket cannot be deleted while it still holds
# objects inside the retention period.
resource "google_storage_bucket" "log_bucket_good" {
  name     = "organization-logging-bucket"
  location = "US"

  retention_policy {
    retention_period = 604800 # seconds (7 days)
    is_locked        = true
  }
}
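The snippet above shows only the bucket. The following is an added example (not code from the original page or from the policy's maintainers) of the complete log-export setup the description refers to: a project-level sink, the destination bucket with a locked retention policy, and the IAM binding that lets the sink's writer identity create objects there. The project id, bucket name, location and log filter are placeholders chosen for illustration.

```hcl
# Added example, not part of the original page. Project id, bucket name,
# location and filter are placeholders.

resource "google_storage_bucket" "audit_logs" {
  name                        = "example-project-audit-logs" # placeholder
  location                    = "US"
  uniform_bucket_level_access = true

  retention_policy {
    # 7 days in seconds; set this to the retention your investigations require.
    retention_period = 604800
    # Locking is irreversible: after apply, the period can only be increased
    # and the policy can no longer be removed, even by the bucket owner.
    is_locked = true
  }
}

resource "google_logging_project_sink" "audit" {
  name        = "audit-log-sink"
  project     = "example-project" # placeholder
  destination = "storage.googleapis.com/${google_storage_bucket.audit_logs.name}"
  # Export only Cloud Audit Logs; adjust the filter to the logs you need retained.
  filter = "logName:\"cloudaudit.googleapis.com\""

  # Give the sink its own service account instead of the shared project identity.
  unique_writer_identity = true
}

# The sink's writer identity only needs to create objects, not read, list or
# delete them, so grant objectCreator rather than objectAdmin.
resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.audit_logs.name
  role   = "roles/storage.objectCreator"
  member = google_logging_project_sink.audit.writer_identity
}
```

Because the lock cannot be undone, it is worth applying the bucket first with `is_locked = false`, confirming that the sink writes to it and that the retention period is what you intend, and only then flipping `is_locked` to `true` in a second apply; a bucket locked with too long a period can only be emptied once every object has aged past that period.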