Cloud Storage Security/Compliance Requirements
- support082177
- Oct 16, 2024
- 1 min read

| Requirement | Description | Risk |
|---|---|---|
| CMEKs | Use customer-managed encryption keys. Ensure that your storage data is encrypted at rest with Customer-Managed Encryption Keys (CMEKs) so that you retain full control over the keys used to encrypt and decrypt your data. | High |
| Object versioning | Ensure that buckets can be recovered from both unintended user actions and application failures. Versioning preserves, retrieves, and restores versions of objects, acting as an extra layer of data protection, and supports retention scenarios such as recovering objects that were accidentally or intentionally deleted or overwritten by Cloud IAM users or cloud applications. | Medium |
| Uniform bucket-level access | Ensure that uniform bucket-level access is enabled for all your Google Cloud Storage buckets. With this setting, object access is controlled entirely through bucket-level IAM permissions, giving uniform access control over every object in the bucket. | Medium |
| Retention | Ensure that the objects stored within your buckets have a sufficient data retention period configured for security and compliance purposes. | Medium |
| Not publicly accessible buckets | Ensure that the IAM policy attached to your bucket restricts public or anonymous access. To deny access from anonymous and public users, remove the bindings for the "allUsers" and "allAuthenticatedUsers" members from the storage bucket's IAM policy. "allUsers" is a special member identifier that represents any user on the Internet, authenticated or not, while "allAuthenticatedUsers" represents any user or service account that can sign in to Google Cloud Platform (GCP) with a Google account. | High |
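The five rows above can be checked mechanically from the bucket metadata and IAM policy that the Cloud Storage JSON API returns (`storage.buckets.get` and `storage.buckets.getIamPolicy`). The script below is an added example, not code from this post: it audits a bucket resource and its IAM policy against each requirement, tags every failed check with the table's risk level, and shows the remediation the last row describes by stripping the public members from the policy. The bucket and policy documents are constructed for the example, the bucket names and KMS key path are placeholders, and the 90-day retention threshold is an assumption, since the table only says "sufficient".

```python
"""Audit a Cloud Storage bucket's configuration against the requirements table.

Input shapes follow the GCS JSON API bucket resource and IAM policy documents;
the samples at the bottom are constructed for this example, not real buckets.
"""
import copy

# Assumption: the page gives no figure for a "sufficient" retention period,
# so 90 days is used here as an example threshold.
MIN_RETENTION_SECONDS = 90 * 24 * 3600

# Member identifiers that grant public or anonymous access.
PUBLIC_MEMBERS = frozenset({"allUsers", "allAuthenticatedUsers"})


def audit_bucket(bucket, iam_policy):
    """Return a list of (requirement, risk, detail) for every failed check."""
    findings = []

    # CMEKs: a default Cloud KMS key must be set on the bucket.
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append(("CMEKs", "High",
                         "no default Cloud KMS key; objects use Google-managed keys"))

    # Object versioning: overwritten or deleted objects must be restorable.
    if not bucket.get("versioning", {}).get("enabled", False):
        findings.append(("Object versioning", "Medium",
                         "versioning disabled; deleted or overwritten objects cannot be restored"))

    # Uniform bucket-level access: object ACLs must be disabled in favour of IAM.
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    if not ubla.get("enabled", False):
        findings.append(("Uniform bucket-level access", "Medium",
                         "per-object ACLs still in effect"))

    # Retention: the API returns retentionPeriod as a string of seconds.
    period = int(bucket.get("retentionPolicy", {}).get("retentionPeriod", 0))
    if period < MIN_RETENTION_SECONDS:
        findings.append(("Retention", "Medium",
                         f"retention period {period}s is below the {MIN_RETENTION_SECONDS}s threshold"))

    # Public access: no binding may include allUsers or allAuthenticatedUsers.
    for binding in iam_policy.get("bindings", []):
        public = PUBLIC_MEMBERS.intersection(binding.get("members", []))
        if public:
            findings.append(("Not publicly accessible buckets", "High",
                             f"role {binding['role']} granted to {', '.join(sorted(public))}"))

    return findings


def strip_public_bindings(iam_policy):
    """Return a copy of the policy with public members removed; bindings left
    empty are dropped entirely, which is how the remediation in the table reads."""
    policy = copy.deepcopy(iam_policy)
    kept = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            binding["members"] = members
            kept.append(binding)
    policy["bindings"] = kept
    return policy


# Constructed sample: a bucket that fails every row of the table.
WEAK_BUCKET = {
    "kind": "storage#bucket",
    "name": "example-weak-bucket",
    "versioning": {"enabled": False},
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
}
WEAK_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
    ]
}

# Constructed sample: the same bucket after the table's controls are applied.
HARDENED_BUCKET = {
    "kind": "storage#bucket",
    "name": "example-hardened-bucket",
    "encryption": {"defaultKmsKeyName":
                   "projects/example-project/locations/us/keyRings/example-ring/cryptoKeys/example-key"},
    "versioning": {"enabled": True},
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
    "retentionPolicy": {"retentionPeriod": "7776000"},  # 90 days, as a string like the API
}
HARDENED_POLICY = strip_public_bindings(WEAK_POLICY)

if __name__ == "__main__":
    for label, bucket, policy in (("weak", WEAK_BUCKET, WEAK_POLICY),
                                  ("hardened", HARDENED_BUCKET, HARDENED_POLICY)):
        findings = audit_bucket(bucket, policy)
        print(f"{label}: {len(findings)} finding(s)")
        for requirement, risk, detail in findings:
            print(f"  [{risk}] {requirement}: {detail}")
```

Running it reports five findings for the weak bucket and none for the hardened one. Against a real project the two documents would come from `gcloud storage buckets describe --format=json` and `gcloud storage buckets get-iam-policy --format=json`; the checks themselves do not change.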