GCP Storage Monitoring

GCP Storage holds data of your customer which should be protected at any cost.

What we do?

Bucket Versioning Should Be Enabled

Ensures object versioning is enabled on storage buckets. Object versioning can help protect against the overwriting of objects or data loss in the event of a compromise.

Bucket Logging Should Be Enabled

Ensures object logging is enabled on storage buckets. Storage bucket logging helps maintain an audit trail of access that can be used in the event of a security incident.

Bucket Should Not Allow Global Access

Ensures Storage bucket policies do not allow global write, delete, or read permissions. Storage buckets can be configured to allow the global principal to access the bucket via the bucket policy. This policy should be restricted only to known users or accounts.

Buckets Should Have Uniform Access

Ensure that cloud Storage buckets have uniform bucket-level access enabled

Storage Bucket Logs Should Not be Publicly Accessible

Ensure that cloud Storage bucket Logs are not Publicly Accessible by setting "publicAccessPrevention" to "enforced".

Buckets Should Be Encrypted Using Customer Managed Keys (CMKs)

Ensure that cloud Storage buckets are preferably encrypted using Customer Managed Keys (CMKs)

Buckets Should Not Allow All Users to Write

Ensure that cloud Storage buckets do not allow All Users to Write ("allUsers" must not have "WRITER" roles)

Buckets Should Not Allow All Authenticated Users to Write

Ensure that cloud Storage buckets do not allow All Authenticated Users to Write ("allAuthenticatedUsers" must not have "WRITER" roles)

Buckets Should Not Allow Public Ownership

Ensure that cloud Storage buckets do not allow All Users to have Ownership ("allUsers" must not have "OWNER" roles)

Buckets Should Not Allow All Authenticated Users Ownership

Ensure that cloud Storage buckets do not allow All Authenticated Users Ownership ("allAuthenticatedUsers" must not have "OWNER" roles)

Buckets Should Not Allow All Users Reads

Ensure that cloud Storage buckets do not allow All Users to Read ("allUsers" must not have "READER" roles)

Buckets Should Not Allow All Authenticated User Reads

Ensure that cloud Storage buckets do not allow All Authenticated User Reads ("allAuthenticatedUsers" must not have "READER" roles)

Buckets Should Have DNS Compliant Names

Ensure that cloud Storage buckets following a DNS-compliant naming scheme, which avoid the use of a period i.e. "."

Storage Buckets Should Have A Retention Policy Defined

Storage Buckets should have a retention policy defined to add an extra layer of protection, for instance, to assist recovery in case of an accidental deletion.

Buckets Should Have Lifecycle Rules Configured

Buckets should have Lifecycle Rules Configured for smooth operation, like deletion of old non-concurrent objects.

List All Buckets which have Wite Configuration (Informational)

List all the buckets that have website configuration (this is an informational rule only)

Retention Policy Must Be Locked with a Specified Minimum Duration

Buckets must have a Retention Policy Configured along with a Retention Period, that is specified by the User (must be greater than 0)