Control: Ensure that Cloud Storage buckets used for exporting logs have object versioning enabled
Description
It is recommended that Cloud Storage buckets used as log export destinations have object versioning enabled.
Usage
Run the control in your terminal:
    powerpipe control run gcp_compliance.control.storage_bucket_log_object_versioning_enabled
Snapshot and share results via Turbot Pipes:
    powerpipe login
    powerpipe control run gcp_compliance.control.storage_bucket_log_object_versioning_enabled --share
SQL
This control uses a named query:
    -- Buckets referenced as the destination of a logging sink
    with log_sink_buckets as (
      select
        split_part(destination, '/', 2) as bucket_name,
        project
      from
        gcp_logging_sink
      where
        destination like 'storage.googleapis.com/%'
    )
    select
      b.self_link resource,
      case
        when s.bucket_name is null then 'skip'
        when b.versioning_enabled then 'ok'
        else 'alarm'
      end as status,
      case
        when s.bucket_name is null then title || ' does not export logs.'
        when b.versioning_enabled then title || ' has object versioning enabled.'
        else title || ' has object versioning disabled.'
      end as reason
      , b.location as location, b.project as project
    from
      gcp_storage_bucket as b
      -- A bucket matches a sink only when both bucket name and project agree
      left join log_sink_buckets as s on s.bucket_name = b.name and b.project = s.project;
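The query joins on both bucket name and project, so a bucket that receives logs from a sink defined in a different project is reported as skip rather than checked. The following Python sketch is an added example, not Powerpipe's or the mod's own code: it mirrors the join over constructed records and adds a hypothetical helper, cross_project_unversioned, that surfaces those buckets. It assumes the project column of gcp_logging_sink is the project that owns the sink; all bucket, project and function names are made up for illustration.

```python
# Added example: constructed records, not real project data.
SINK_PREFIX = "storage.googleapis.com/"

BUCKETS = [  # stand-in for rows of gcp_storage_bucket
    {"name": "app-logs-a", "project": "proj-a", "versioning_enabled": True},
    {"name": "app-logs-b", "project": "proj-a", "versioning_enabled": False},
    {"name": "assets", "project": "proj-a", "versioning_enabled": False},
    {"name": "central-logs", "project": "proj-logging", "versioning_enabled": False},
]
SINKS = [  # stand-in for rows of gcp_logging_sink
    {"project": "proj-a", "destination": "storage.googleapis.com/app-logs-a"},
    {"project": "proj-a", "destination": "storage.googleapis.com/app-logs-b"},
    {"project": "proj-a", "destination": "bigquery.googleapis.com/projects/proj-a/datasets/audit"},
    {"project": "proj-a", "destination": "storage.googleapis.com/central-logs"},
]

def sink_targets(sinks):
    """Mirror the CTE: (bucket_name, project) for sinks that write to Cloud Storage."""
    return {(s["destination"].split("/")[1], s["project"])
            for s in sinks if s["destination"].startswith(SINK_PREFIX)}

def evaluate(buckets, sinks):
    """Mirror the control: left join on bucket name AND project, then the CASE."""
    targets = sink_targets(sinks)
    status = {}
    for b in buckets:
        if (b["name"], b["project"]) not in targets:
            status[b["name"]] = "skip"
        elif b["versioning_enabled"]:
            status[b["name"]] = "ok"
        else:
            status[b["name"]] = "alarm"
    return status

def cross_project_unversioned(buckets, sinks):
    """Buckets fed by a sink in another project (skipped above) that lack versioning.
    Matches on name alone, which is safe because bucket names are globally unique."""
    targets = sink_targets(sinks)
    names = {name for name, _ in targets}
    return sorted(b["name"] for b in buckets
                  if b["name"] in names
                  and (b["name"], b["project"]) not in targets
                  and not b["versioning_enabled"])

if __name__ == "__main__":
    print(evaluate(BUCKETS, SINKS))
    print(cross_project_unversioned(BUCKETS, SINKS))
```

In the constructed data, central-logs is a log destination without versioning, yet the control's logic marks it skip because its sink lives in proj-a.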