Organization policy constraints for Cloud Storage

This page provides supplemental information about organization policy constraints that apply to Cloud Storage. Use constraints to enforce bucket and object behaviors across an entire project or organization. Organization policy constraints can either be boolean constraints or list constraints.

Cloud Storage constraints

The following constraints can be applied to an organization policy and relate to Cloud Storage:

Enforce public access prevention

Constraint Name: constraints/storage.publicAccessPrevention Constraint Type: boolean

When you apply the publicAccessPrevention constraint on a resource, public access is restricted for all buckets and objects, both new and existing, under that resource.

Note that enabling or disabling publicAccessPrevention may take up to 10 minutes to go into effect.

Soft delete retention duration

Constraint Name: constraints/storage.softDeletePolicySeconds Constraint Type: list

When you apply the softDeletePolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, the bucket soft delete policy must include one of the specified durations. softDeletePolicySeconds is required when creating new bucket and when adding or updating the soft delete retention duration (softDeletePolicy.retentionDuration) of a pre-existing bucket; however, it does not otherwise affect pre-existing buckets.

If you set multiple softDeletePolicySeconds constraints at different resource levels, they are enforced hierarchically. For this reason, it's recommended that you set the inheritFromParent field to true, which ensures that policies at higher layers are also considered.

Bucket retention policy duration in seconds

Constraint Name: constraints/storage.retentionPolicySeconds Constraint Type: list

When you apply the retentionPolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, bucket retention policies must include one of the specified durations. retentionPolicySeconds is required when creating new buckets and when adding or updating the retention period of a pre-existing bucket; however, it's not otherwise required on pre-existing buckets.

If you set multiple retentionPolicySeconds constraints at different resource levels, they are enforced hierarchically. For this reason, it's recommended that you set the inheritFromParent field to true, which ensures that policies at higher layers are also considered.

Require uniform bucket-level access

Constraint Name: constraints/storage.uniformBucketLevelAccess Constraint Type: boolean

When you apply the uniformBucketLevelAccess constraint, new buckets must enable the uniform bucket-level access feature, and pre-existing buckets with this feature enabled cannot disable it. Pre-existing buckets with uniform bucket-level access disabled are not required to enable it.

Detailed audit logging mode

Constraint Name: constraints/gcp.detailedAuditLoggingMode Constraint Type: boolean

When you apply the detailedAuditLoggingMode constraint, Cloud Audit Logs logs associated with Cloud Storage operations contain detailed request and response information. This constraint is recommended to be used in conjunction with Bucket Lock and Object Retention Lock when seeking various compliances such as SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c).

Logged information includes query parameters, path parameters, and request body parameters. Logs exclude certain parts of requests and responses that are associated with sensitive information. For example, logs exclude:

  • Credentials, such as Authorization, X-Goog-Signature, or upload-id.
  • Encryption key information, such as x-goog-encryption-key.
  • Raw object data.

When using this constraint, note the following:

  • Detailed request and response information is not guaranteed; in rare cases, empty logs might be returned.
  • Enabling detailedAuditLoggingMode increases the amount of data stored in audit logs, which could affect your Cloud Logging charges for Data Access logs.

  • Enabling or disabling detailedAuditLoggingMode takes up to 10 minutes to go into effect.

  • Logged requests and responses are recorded in a generic format that matches the field names of the JSON API.

Restrict authentication types

Constraint Name: constraints/storage.restrictAuthTypes Constraint Type: list

When you apply the restrictAuthTypes constraint, requests to access Cloud Storage resources using the restricted authentication type fail, regardless of the validity of the request. You can use the restrictAuthTypes constraint to restrict HMAC keys to meet regulatory requirements or increase the security of your data.

The list constraint explicitly denies specific authentication types while permitting all others. To do so, you must list the restricted authentication types in the deniedValues key within the rules of the restrictAuthTypes constraint. An error occurs if you try to list the restricted authentication types in the allowedValues key.

You can restrict the following authentication types:

  • SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS: Restricts requests signed by service account HMAC keys.

  • USER_ACCOUNT_HMAC_SIGNED_REQUESTS: Restricts requests signed by user account HMAC keys.

  • in:ALL_HMAC_SIGNED_REQUESTS: Restrict requests signed by any HMAC key. If you need to meet data sovereignty requirements, it's recommended that you restrict all HMAC signed requests.

When you enable this constraint, the following occurs:

  • Cloud Storage restricts access for requests that are authenticated with the restricted authentication type. Requests fail with the error 403 Forbidden.

  • Entities that were previously authorized to perform the request receive an error message explaining that the authentication type is disabled.

  • If HMAC keys are restricted:

    • HMAC keys of the restricted type can no longer be created or activated in the resource that the constraint is enforced upon. Requests to create or activate HMAC keys fail with the error 403 Forbidden.

    • Existing HMAC keys remain but are no longer usable. They can be deactivated or deleted, but cannot be reactivated.

When using the restrictAuthTypes constraint, be aware of existing resources that depend on HMAC authentication. For example, if you migrated from Amazon Simple Storage Service (Amazon S3), your application likely uses HMAC keys to authenticate requests to Cloud Storage. You can use the Cloud Monitoring metric storage.googleapis.com/authn/authentication_count to track the number of times HMAC keys have been used to authenticate requests.

Restrict unencrypted HTTP requests

Constraint Name: constraints/storage.secureHttpTransport Constraint Type: boolean

When you apply the secureHttpTransport constraint, all unencrypted HTTP access to Cloud Storage resources is denied.

Additional constraints

The following organization policy constraints apply more generally throughout Google Cloud, but are often applied to the Cloud Storage service:

Conditionally allow or deny organization policy constraints

Tags provides a way to conditionally allow or deny organization policies based on whether a Cloud Storage bucket has a specific tag. See setting an organization policy with tags for detailed instructions.

What's next