More Info:

Buckets must have a Retention Policy Configured along with a Retention Period, that is specified by the User (must be greater than 0)

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the retention policy misconfiguration in GCP using the GCP console, follow these steps:
  1. Open the GCP console and navigate to the Cloud Storage section.
  2. Click on the bucket that you want to remediate.
  3. Click on the “Edit Bucket” button at the top of the page.
  4. Scroll down to the “Retention Policy” section.
  5. Click on the “Add Retention Policy” button.
  6. Set the “Minimum retention period” to the desired duration.
  7. Check the “Locked” checkbox to prevent any changes to the retention policy.
  8. Click on the “Save” button to apply the changes.
  9. Verify that the retention policy has been successfully applied by checking the “Retention Policy” section.
By following these steps, the retention policy misconfiguration will be remediated for the selected GCP bucket.

To remediate the retention policy misconfiguration for GCP using GCP CLI, follow these steps:
  1. Open the GCP console and go to the Cloud Storage section.
  2. Identify the bucket that has the misconfigured retention policy.
  3. Open the Cloud Shell from the top right corner of the GCP console.
  4. Run the following command to set the retention policy for the identified bucket: 
    gsutil retention set <duration> gs://<bucket-name>
    Replace <duration> with the minimum duration for which the retention policy must be locked, and <bucket-name> with the name of the bucket that needs to be remediated.
  5. Verify that the retention policy has been set correctly by running the following command: 
    gsutil retention get gs://<bucket-name>
    This command should return the minimum duration for which the retention policy has been set.
  6. If required, repeat the above steps for any other buckets that have the same misconfiguration.
By following these steps, you can remediate the retention policy misconfiguration for GCP using GCP CLI.
To remediate the retention policy misconfiguration for GCP using Python, follow these steps:
  1. Import the necessary libraries:
from google.cloud import logging_v2
from google.protobuf.duration_pb2 import Duration
  1. Set the project ID and log name:
project_id = "<your-project-id>"
log_name = "<your-log-name>"
  1. Create a Logging client:
logging_client = logging_v2.LoggingServiceV2Client()
  1. Get the current retention policy for the log:
log_path = logging_client.log_path(project_id, log_name)
log = logging_client.get_log(log_path)
  1. Set the minimum retention duration:
min_duration = Duration(seconds=604800) # 1 week
  1. Check if the current retention duration is less than the minimum duration:
if log.retention_days < min_duration.seconds // 86400:
    # Update the retention policy
    retention_policy = logging_v2.types.RetentionPolicy(
        retention_days=min_duration.seconds // 86400
    )
    update_mask = logging_v2.types.UpdateLogMetricRequest.UpdateMask(
        paths=["retention_days"]
    )
    logging_client.update_log(log_path, retention_policy, update_mask)
  1. If the retention duration is already greater than or equal to the minimum duration, no action is needed.
else:
    print("Retention duration is already greater than or equal to the minimum duration.")
This code will check the current retention policy for the specified log, and update it if necessary to ensure that the retention policy is locked with a specified minimum duration of 1 week (604800 seconds).