Control: Ensure that retention policies on log buckets are configured using Bucket Lock
Description
Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.logging_bucket_retention_policy_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.logging_bucket_retention_policy_enabled --shareSQL
This control uses a named query:
with logging_sinks as ( select self_link, title, _ctx, project, destination from gcp_logging_sink)select s.self_link resource, case when b.retention_policy is not null and b.retention_policy ->> 'isLocked' = 'true' then 'ok' else 'alarm' end as status, case when b.retention_policy is not null and b.retention_policy ->> 'isLocked' = 'true' then s.title || '''s logging bucket ' || b.name || ' has retention policies configured.' else s.title || '''s logging bucket ' || b.name || ' has retention policies not configured.' end as reason , s.project as projectfrom gcp_storage_bucket b join logging_sinks s on ( split_part(s.destination, '/', 1) = 'storage.googleapis.com' and split_part(s.destination, '/', 2) = b.name);