Configure Retention Policies with Bucket Lock

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that all the retention policies attached to your Google Cloud log sink buckets are configured with the Bucket Lock feature. Enabling retention policies for your log buckets will protect the logging data stored within these buckets from being overwritten or accidentally deleted. As an additional layer of security, the Bucket Lock feature allows you to lock the data retention policy attached to your buckets in order to make sure that no one (including you) can shorten or cancel the retention policy duration.

Security

By default, the Google Cloud Storage buckets used as log sink destinations do not have retention policies enabled or Bucket Lock configured. Enabling a retention policy for a log bucket guarantees that all current and future objects in that bucket cannot be deleted or overwritten until they reach the age defined by the policy. Any attempt to delete or overwrite an object younger than the configured retention period fails with a 403 (retentionPolicyNotMet) error. Locking the retention policy with the Bucket Lock feature prevents the policy from being shortened or removed. As a result, if your project is compromised by an attacker or a malicious insider who wants to cover their tracks, the logging data stored in your log buckets remains available for forensics and security investigations.

Note: Locking a Google Cloud Storage bucket is an irreversible action. Once your log bucket is locked, you cannot remove the retention policy from the bucket or decrease the retention period set for the policy.


Audit

To determine if the retention policies configured for your log sink buckets are using the Bucket Lock feature, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Logging console at https://console.cloud.google.com/logs.

04 In the left navigation panel, select Log Router to access all the log sinks created for the selected GCP project.

05 Select the log sink that you want to examine, click on the 3-dot button to open the sink options menu, and select View sink details.

06 In the Sink details information box, copy the name of the destination bucket listed next to Destination. The bucket name follows the Cloud Storage service subdomain, i.e. storage.googleapis.com/[bucket-name]. If the log destination identifier listed next to Destination does not have the format storage.googleapis.com/[bucket-name], the selected logs sink is not using a Google Cloud Storage bucket as its log destination.

07 Navigate to Google Cloud Storage console at https://console.cloud.google.com/storage.

08 In the left navigation panel, select Buckets to access all the buckets created for the selected GCP project.

09 Click inside the Filter buckets box, select Name contains, paste the name of the bucket copied at step no. 6, and press Enter to return the Cloud Storage bucket used as destination by the selected logs sink.

10 Click on the name of the associated bucket, select the PROTECTION tab, and check the value of the Retention period configuration attribute, listed in the Retention policy (for compliance) section. If the Retention period attribute is not listed, the selected logs sink destination bucket does not have a retention policy configured. If the Retention period attribute has a value but the retention policy is unlocked, i.e. the Retention mode attribute is set to Unlocked, the bucket's retention policy is not using the Bucket Lock feature to prevent the policy from being modified or removed.

11 Repeat steps no. 5 – 10 for each logs sink that is using a Cloud Storage bucket as log destination.

12 Repeat steps no. 2 – 11 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with a custom output format to list the IDs of all the projects available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-project5-123123
cc-web-prod-123456

03 Run the logging sinks list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and a custom output format to list the name and the log storage destination of each logs sink created within the selected project:

gcloud logging sinks list \
  --project=cc-project5-123123 \
  --format="json(name,destination)"

04 The command output should return the name and the storage destination of each logs sink in the selected project. The name of the destination bucket follows the Cloud Storage service subdomain, i.e. storage.googleapis.com/[bucket-name]. If the log destination identifier, returned as the value of the "destination" attribute, does not have the format "storage.googleapis.com/[bucket-name]", the sink is not using a Cloud Storage bucket as its log destination:

[
	{
		"name": "cc-project5-log-sink",
		"destination": "storage.googleapis.com/cc-project5-log-bucket"
	},
	{
		"name": "cc-data-access-log-sink",
		"destination": "storage.googleapis.com/cc-access-log-bucket"
	}
]

05 Run the gsutil retention get command (gsutil tool) with the name of the log storage destination bucket that you want to examine as the identifier parameter to describe the retention policy defined for the selected destination bucket:

gsutil retention get gs://cc-project5-log-bucket

06 If the verified logs sink destination bucket does not have a retention policy configured, the gsutil retention get command should return the following output:

gs://cc-project5-log-bucket/ has no Retention Policy.

07 If the verified destination bucket does have a retention policy configured but the policy is unlocked, the bucket's retention policy is not using the Bucket Lock feature to prevent it from being modified or removed. When the retention policy is UNLOCKED, the gsutil retention get command should return output like the following:

Retention Policy (UNLOCKED):
Duration: 30 Day(s)
Effective Time: Thu, 09 Nov 2023 15:58:07 GMT

08 Repeat steps no. 3 – 7 for each logs sink that is using a Cloud Storage bucket as log destination.

09 Repeat steps no. 1 – 8 for each GCP project available within your Google Cloud account.

Remediation / Resolution

To configure locked retention policies for your GCP project logs sinks in order to prevent log data objects from being deleted or overwritten, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Storage console available at https://console.cloud.google.com/storage.

04 In the left navigation panel, select Buckets to access all the buckets created for the selected GCP project.

05 Click inside the Filter buckets box, select Name contains, paste the name of the Cloud Storage bucket used as destination by your logs sink, and press Enter.

06 Click on the name of the associated bucket, select the PROTECTION tab, and perform one of the following actions in the Retention policy (for compliance) section:

  1. If the selected bucket does not have a retention policy configured, choose SET RETENTION POLICY, enter the desired length of time for the retention period in the Duration text box, select the unit of time, then choose SAVE to save the retention policy. Click on the LOCK button (padlock icon), confirm that you want to lock the policy by providing the bucket name, then choose LOCK POLICY to lock the newly created retention policy.
  2. If the selected bucket does have a retention policy defined, click on the LOCK button (padlock icon), to lock the existing retention policy in order to prevent it from being modified or removed. In the confirmation box, confirm that you want to lock the policy by entering the bucket name, then choose LOCK POLICY to lock the retention policy.

07 Repeat step no. 6 for each logs sink destination bucket that you want to configure, created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the gsutil retention set command (gsutil tool) with the name of the log storage destination bucket that you want to configure as the identifier parameter to enable the bucket's retention policy and set the retention period. The retention period is the minimum amount of time that objects in the bucket must be retained. The following example sets the retention period to 30 days:

gsutil retention set 30d gs://cc-project5-log-bucket

02 The command output should return the gsutil retention set request status:

Setting Retention Policy on gs://cc-project5-log-bucket/...

03 Run the gsutil retention lock command (gsutil tool) to lock the retention policy enabled in the previous steps, so that it cannot be modified or removed:

gsutil retention lock gs://cc-project5-log-bucket

04 Type Y to confirm locking the retention policy for the specified bucket:

This will PERMANENTLY set the Retention Policy on gs://cc-project5-log-bucket to:
	Retention Policy (UNLOCKED):
	Duration: 30 Day(s)
	Effective Time: Thu, 09 Nov 2023 16:19:14 GMT
This setting cannot be reverted!  Continue? [y|N]: Y

05 The command output should return the gsutil retention lock request status:

Locking Retention Policy on gs://cc-project5-log-bucket/...

06 Repeat steps no. 1 – 5 for each logs sink destination bucket that you want to configure, created for the selected GCP project.

07 Repeat steps no. 1 – 6 for each GCP project available within your Google Cloud account.
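The following POSIX shell script is an added example, not part of this Conformity article or of Google's tooling. It ties the CLI audit steps and the remediation steps together: it parses the gcloud logging sinks list JSON and the gsutil retention get output shown above, classifies each Cloud Storage log sink bucket as NO_POLICY, UNLOCKED or LOCKED, and prints the remediation commands for non-compliant buckets instead of running them, because a locked policy cannot be reverted. The function names, the 30-day period, the "(LOCKED)" output marker and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Conformity article or Google's tooling.
# Audits every Cloud Storage log sink bucket for a locked retention policy and
# prints (never runs) the remediation commands, since Bucket Lock is irreversible.
set -eu
# Read "gcloud logging sinks list --format=json(name,destination)" output on
# stdin and print the bucket name of each sink that targets Cloud Storage.
sink_buckets() {
  sed -n 's|.*"destination": *"storage\.googleapis\.com/\([^"]*\)".*|\1|p'
}
# Classify "gsutil retention get" output ($1): NO_POLICY, UNLOCKED or LOCKED.
# The "(LOCKED)" marker is assumed to mirror the "(UNLOCKED)" one shown in the article.
classify_retention() {
  case "$1" in
    *"has no Retention Policy"*)     echo NO_POLICY ;;
    *"Retention Policy (UNLOCKED)"*) echo UNLOCKED ;;
    *"Retention Policy (LOCKED)"*)   echo LOCKED ;;
    *)                               echo UNKNOWN ;;
  esac
}
# Remediation commands for bucket $1 in state $2 (30d is an assumed period).
remediation_for() {
  case "$2" in
    NO_POLICY) echo "gsutil retention set 30d gs://$1 && gsutil retention lock gs://$1" ;;
    UNLOCKED)  echo "gsutil retention lock gs://$1" ;;
    *) ;;
  esac
}
# Live audit over all projects; needs an authenticated gcloud and gsutil.
audit_all() {
  for project in $(gcloud projects list --format="value(projectId)"); do
    gcloud logging sinks list --project="$project" --format="json(name,destination)" \
      | sink_buckets | while read -r bucket; do
        state=$(classify_retention "$(gsutil retention get "gs://$bucket" 2>&1)")
        printf '%s\t%s\t%s\n' "$project" "$bucket" "$state"
        remediation_for "$bucket" "$state"
      done
  done
}
# Constructed sample in the article's output format, so the parser runs offline.
SAMPLE_SINKS='[{"name": "cc-project5-log-sink", "destination": "storage.googleapis.com/cc-project5-log-bucket"},
{"name": "cc-bq-sink", "destination": "bigquery.googleapis.com/projects/cc-project5-123123/datasets/logs"}]'
if command -v gcloud >/dev/null 2>&1 && command -v gsutil >/dev/null 2>&1; then
  audit_all
else
  printf '%s\n' "$SAMPLE_SINKS" | sink_buckets | while read -r b; do
    remediation_for "$b" "$(classify_retention "gs://$b/ has no Retention Policy.")"
  done
fi
```

Without gcloud and gsutil on the path the script only exercises the parsers against the constructed sample; with them it prints one tab-separated line per project and bucket followed by the suggested commands, which you review before running.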

Publication date May 25, 2023