Check for Sufficient Data Retention Period

Risk Level: Medium (should be achieved)

Ensure that the objects stored within your Google Cloud Storage buckets have a sufficient data retention period configured for security and compliance purposes. A retention period indicates the amount of time the objects in the bucket must be retained. The retention period can be configured by editing the bucket retention policy. A retention policy prevents the deletion or modification of the bucket's objects for the specified duration of time. Prior to running this conformity rule, the retention period must be defined in the rule settings, on the Trend Cloud One™ – Conformity account console. You can set a maximum retention period of 3155760000 seconds (i.e. 100 years).

Reliability

Having an optimal data retention period set for Google Cloud Storage objects will enforce your data recovery strategy to follow the best practices as specified in the compliance regulations implemented within your organization. For example, retaining object data for a longer period of time will allow you to handle more efficiently your data restoration process in the event of a failure. Once the retention period is configured, any attempts to delete or overwrite objects whose age is less than the specified retention period will fail and return a 403 (retentionPolicyNotMet) error.

Note: The retention policy associated with your bucket must be unlocked (i.e. the policy can be edited or removed).

Audit

To determine if your Google Cloud Storage objects have a sufficient data retention period configured, perform the following actions:

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Sufficient Data Retention Period conformity rule settings and note the retention period configured for the retention policy.

02 Sign in to Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

04 Navigate to Cloud Storage dashboard at https://console.cloud.google.com/storage.

05 In the navigation panel, select Browser to access the list with all the Cloud Storage buckets created for the selected project.

06 Click on the name of the storage bucket that you want to examine.

07 Select the Bucket Lock tab to view the retention policy and bucket lock configuration details available for selected bucket.

08 On the Bucket Lock panel, under Retention policy, check the Duration configuration attribute value. If Duration is set to None, follow this conformity rule to configure a retention policy for the selected bucket. If the Duration attribute value is different than the retention period identified at step no. 1, the objects stored inside the selected Google Cloud Storage bucket do not have a sufficient data retention period configured.

09 Repeat steps no. 6 – 9 for each storage bucket provisioned for the selected Google Cloud Platform (GCP) project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

02 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list
	--format="table(projectId)"

03 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-112233
cc-mobile-project-111222

04 Run gsutil ls command (using gsutil Python tool) to list the identifier of each storage bucket created for the specified GCP project:

gsutil ls -p cc-web-project-112233

05 The command output should return the requested storage resource name(s):

gs://cc-project5-log-bucket/
gs://cc-project5-webdata-bucket/

06 Run gsutil retention get command (using gsutil tool) using the name of the Cloud Storage bucket that you want to examine as identifier parameter, to describe the retention policy defined for the selected bucket:

gsutil retention get gs://cc-project5-log-bucket

07 If the verified bucket does not have a retention policy configured, the command request should return the following output. If there is no retention policy already defined, follow this conformity rule to configure a retention policy for the selected bucket:

gs://cc-project5-log-bucket/ has no Retention Policy.

08 If the specified bucket does have a retention policy configured and the retention policy is unlocked, as shown in the example below, check the Duration configuration attribute value (i.e. number of days). If the Duration attribute value is different than the retention period identified at step no. 1, the objects stored inside the selected Google Cloud Storage bucket do not have a sufficient data retention period configured:


Retention Policy (UNLOCKED):
  Duration: 7 Day(s)
  Effective Time: Tue, 16 Jun 2020 15:30:00 GMT

09 Repeat steps no. 6 – 8 for each storage bucket available in the selected Google Cloud Platform (GCP) project.

10 Repeat step no. 1 – 8 for each GCP project created within your Google Cloud account.

Remediation / Resolution

To configure the optimal data retention period for your Google Cloud Storage objects, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Cloud Storage dashboard at https://console.cloud.google.com/storage.

04 In the navigation panel, select Browser to access all the buckets created for the selected GCP project.

05 Click on the name of the storage bucket that you want to reconfigure (see Audit section part I to identify the right bucket), then select the Bucket Lock tab.

06 On the Bucket Lock panel, click on the edit policy button available next to Duration configuration attribute, to edit the retention policy defined for the selected storage bucket.

07 Inside the Edit retention policy configuration box, under Duration, set how long the objects within the selected bucket must be retained. This duration must match the retention period defined in the conformity rule settings, available on your Trend Cloud One™ – Conformity account dashboard. Click SAVE CHANGES to update the retention policy with the compliant retention period.

08 Repeat steps no. 5 – 7 to configure the data retention period for other Cloud Storage buckets created for the selected project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run gsutil retention set command (using gsutil Python tool) with the name of the Google Cloud Storage bucket that you want to reconfigure as identifier parameter (see Audit section part II to identify the appropriate bucket), to set the optimal retention period for the selected bucket. The value must match the retention period defined in the conformity rule settings, available on your Trend Cloud One™ – Conformity account dashboard. The following example sets the retention period to 1 year:

gsutil retention set 1y gs://cc-project5-log-bucket

02 If successful, the command output should return the gsutil retention set request status:

Setting Retention Policy on gs://cc-project5-log-bucket/...

03 Repeat steps no. 1 and 2 to configure the data retention period for other Cloud Storage buckets available in the selected project.

04 Repeat steps no. 1 – 3 for each GCP project created within your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Retention policies and retention policy locks
Using and locking retention policies

GCP Command Line Interface (CLI) Documentation
gcloud projects list

GSutil Documentation
gsutil tool
ls - List providers, buckets, or objects
retention - Provides utilities to interact with Retention Policy feature.

Publication date Apr 21, 2021

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related CloudStorage rules