GCP Storage Log Buckets Have Object Versioning Disabled

This policy identifies Storage log buckets which have object versioning disabled. Enabling object versioning on storage log buckets protects your cloud storage data from being overwritten or accidentally deleted. It is recommended to enable the object versioning feature on all storage buckets where log sinks are configured.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

GCP Storage log buckets have object versioning disabled.
JSON Query:
$.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.versioning anyNull or $.resource[*].google_storage_bucket.*[*].*.versioning[*].enabled anyNull or $.resource[*].google_storage_bucket.*[*].*.versioning[*].enabled anyFalse)
Recommendation:
Recommended solution to enable object versioning for GCP Storage log buckets:
Make sure that in the template, the "versioning" block has "enabled" set to "true".
For example:
"google_storage_bucket": [
  {
    "<storage_bucket>": [
      {
        "name": "a-bucket",
        "versioning": [ { "enabled": true } ]
      }
    ]
  }
]

Run Rule Recommendation

Presently, object versioning can be enabled on storage log buckets using the command line interface only.
  1. To list all sinks whose destination is a storage bucket:
    gcloud logging sinks list | grep storage.googleapis.com
  2. For every storage bucket listed above, verify that object versioning is Enabled:
    gsutil versioning get gs://<Bucket>
    The command output should report Enabled
  3. To enable object versioning on a storage log bucket:
    gsutil versioning set on gs://<Bucket>
Remediation CLI Command:
gsutil versioning set on gs://${resourceName}
CLI Command Description:
This CLI command requires the 'storage.admin' permission. Successful execution will enable 'versioning' on the GCP Storage log bucket.
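The three Run Rule steps above, turned into one audit script as an added example (not part of the original policy page or of Google's tooling). It assumes gcloud and gsutil are installed and authenticated, that storage-sink destinations have the form storage.googleapis.com/<bucket>, and that gsutil versioning get prints "gs://<bucket>: Enabled" or "Suspended"; it only enables versioning when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the original policy page. Runs the page's
# three Run Rule steps as one audit: list storage-sink buckets, check each
# bucket's versioning state, and (only when APPLY=1) enable it.
# Assumes gcloud/gsutil are installed and authenticated and the caller holds
# the storage.admin permission named on the page.

# stdin: one sink destination per line. Storage sinks look like
# storage.googleapis.com/<bucket>; BigQuery/Pub/Sub destinations are dropped.
log_buckets_from_destinations() {
  sed -n 's#^storage\.googleapis\.com/\([^/[:space:]]*\).*$#\1#p'
}

# $1: a 'gsutil versioning get' line, e.g. "gs://<bucket>: Enabled"
# prints the state word (Enabled or Suspended)
versioning_state() {
  printf '%s\n' "$1" | awk -F': ' '{print $NF}'
}

# Live query: sink destinations only, de-duplicated (several sinks may
# write to the same bucket).
list_log_buckets() {
  gcloud logging sinks list --format='value(destination)' \
    | log_buckets_from_destinations | sort -u
}

# Report one bucket; enable versioning only when APPLY=1 is set.
check_bucket() {
  bucket=$1
  state=$(versioning_state "$(gsutil versioning get "gs://$bucket")")
  if [ "$state" = "Enabled" ]; then
    echo "PASS gs://$bucket versioning Enabled"
  elif [ "${APPLY:-0}" = "1" ]; then
    echo "FIX  gs://$bucket versioning $state, enabling"
    gsutil versioning set on "gs://$bucket"
  else
    echo "FAIL gs://$bucket versioning $state (rerun with APPLY=1 to fix)"
  fi
}

if command -v gcloud >/dev/null 2>&1 && command -v gsutil >/dev/null 2>&1; then
  list_log_buckets | while IFS= read -r b; do check_bucket "$b"; done
else
  echo "gcloud/gsutil not found; functions defined but no live check run" >&2
fi
```

Without APPLY=1 the script is read-only and exits after printing PASS/FAIL per bucket, which makes it safe to run from a scheduled audit job.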

Compliance

There are 3 standards that are applicable to this policy:
  • CIS v1.0.0 (GCP)
  • ISO 27001:2013
  • MITRE ATT&CK [Beta]
