Retention Policy Must Be Locked with a Specified Minimum Duration

More Info:

Buckets must have a Retention Policy Configured along with a Retention Period, that is specified by the User (must be greater than 0)

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the retention policy misconfiguration for GCP using GCP CLI, follow these steps:

Open the GCP console and go to the Cloud Storage section.
Identify the bucket that has the misconfigured retention policy.
Open the Cloud Shell from the top right corner of the GCP console.
Run the following command to set the retention policy for the identified bucket:
```
gsutil retention set <duration> gs://<bucket-name>
```
Replace <duration> with the minimum duration for which the retention policy must be locked, and <bucket-name> with the name of the bucket that needs to be remediated.
Verify that the retention policy has been set correctly by running the following command:
```
gsutil retention get gs://<bucket-name>
```
This command should return the minimum duration for which the retention policy has been set.
If required, repeat the above steps for any other buckets that have the same misconfiguration.

By following these steps, you can remediate the retention policy misconfiguration for GCP using GCP CLI.

Using Python

To remediate the retention policy misconfiguration for GCP using Python, follow these steps:

Import the necessary libraries:

from google.cloud import logging_v2
from google.protobuf.duration_pb2 import Duration

Set the project ID and log name:

project_id = "<your-project-id>"
log_name = "<your-log-name>"

Create a Logging client:

logging_client = logging_v2.LoggingServiceV2Client()

Get the current retention policy for the log:

log_path = logging_client.log_path(project_id, log_name)
log = logging_client.get_log(log_path)

Set the minimum retention duration:

min_duration = Duration(seconds=604800) # 1 week

Check if the current retention duration is less than the minimum duration:

if log.retention_days < min_duration.seconds // 86400:
    # Update the retention policy
    retention_policy = logging_v2.types.RetentionPolicy(
        retention_days=min_duration.seconds // 86400
    )
    update_mask = logging_v2.types.UpdateLogMetricRequest.UpdateMask(
        paths=["retention_days"]
    )
    logging_client.update_log(log_path, retention_policy, update_mask)

If the retention duration is already greater than or equal to the minimum duration, no action is needed.

else:
    print("Retention duration is already greater than or equal to the minimum duration.")

This code will check the current retention policy for the specified log, and update it if necessary to ensure that the retention policy is locked with a specified minimum duration of 1 week (604800 seconds).

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Retention Policy Must Be Locked with a Specified Minimum Duration

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation