GCP Storage
Analyzes Google Cloud Storage buckets and Cloud KMS encryption keys. Identifies versioning gaps, public access risks, and missing retention policies, and checks that automatic encryption key rotation is configured.
Required Blueprints: GCP
Sightlines
| Sightline | Description |
|---|---|
| Cloud Storage Buckets | Provides visibility into GCS bucket security posture including versioning status and public access prevention. |
| Cloud KMS Keys | Focuses on Cloud KMS key lifecycle management and automatic rotation configuration. |
Explorer Node Types
Use these node types in Explorer or KAI to query resources surfaced by this analyzer:
gcp.storage.Bucket, gcp.storage.ACLRule, gcp.storage.BucketEncryption, gcp.storage.BucketLogging, gcp.storage.RetentionPolicy, gcp.kms.CryptoKey
Related Analyzers
- GCP IAM — IAM policies controlling bucket access
- GCP Network — Bucket access endpoint configurations
Insight Feed Alerts
- GCS Bucket Without Versioning -- Buckets without object versioning, risking permanent data loss.
- GCS Bucket Without Public Access Prevention -- Buckets relying on inherited rather than bucket-level public access prevention.
- KMS Key Without Rotation -- CryptoKeys without automatic rotation (CIS GCP 1.10).
- GCS Bucket Without Retention Policy -- Buckets without retention policies, vulnerable to accidental or malicious deletion.
- GCS Bucket Without Uniform Bucket-Level Access -- Buckets using fine-grained ACLs instead of uniform IAM access (CIS GCP 5.2).
- GCS Bucket Without Access Logging -- Buckets without access logging for audit trails (NIST AU-2).
- GCS Bucket Without Customer-Managed Encryption Keys -- Buckets using Google-managed keys instead of CMEK (CIS GCP 5.3).
- GCS Bucket With Public ACL Rules -- Buckets granting access to allUsers or allAuthenticatedUsers (CIS GCP 5.1).
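As an added illustration (not code from the analyzer or the product described above), the checks behind these alerts can be expressed as predicates over bucket and CryptoKey metadata. The example assumes resources shaped like the Cloud Storage JSON API bucket resource and the Cloud KMS CryptoKey resource (`versioning`, `iamConfiguration`, `retentionPolicy`, `logging`, `encryption`, `acl`, `rotationPeriod`); the sample buckets and key are constructed, not real projects.

```python
"""Evaluate constructed GCS bucket / Cloud KMS key metadata against the alert list above."""

# ACL grantees that make a bucket world-readable or readable by any Google account.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def bucket_findings(bucket: dict) -> list[str]:
    """Return the alert names triggered by one bucket resource (JSON API shape assumed)."""
    findings = []
    iam = bucket.get("iamConfiguration", {})
    if not bucket.get("versioning", {}).get("enabled"):
        findings.append("GCS Bucket Without Versioning")
    # Only an explicit bucket-level "enforced" setting counts; "inherited" relies on the org policy.
    if iam.get("publicAccessPrevention") != "enforced":
        findings.append("GCS Bucket Without Public Access Prevention")
    if not bucket.get("retentionPolicy", {}).get("retentionPeriod"):
        findings.append("GCS Bucket Without Retention Policy")
    if not iam.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append("GCS Bucket Without Uniform Bucket-Level Access")
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append("GCS Bucket Without Access Logging")
    # A default CMEK is reported as a full Cloud KMS key resource name; absent means Google-managed.
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("GCS Bucket Without Customer-Managed Encryption Keys")
    if any(rule.get("entity") in PUBLIC_ENTITIES for rule in bucket.get("acl", [])):
        findings.append("GCS Bucket With Public ACL Rules")
    return findings


def key_findings(key: dict) -> list[str]:
    """Flag a CryptoKey with no automatic rotation period (CIS GCP 1.10)."""
    return [] if key.get("rotationPeriod") else ["KMS Key Without Rotation"]


# Constructed sample resources: one bucket with every weakness, one hardened bucket, two keys.
WEAK_BUCKET = {
    "name": "example-weak-bucket",
    "acl": [{"entity": "allUsers", "role": "READER"}],
    "iamConfiguration": {"publicAccessPrevention": "inherited",
                         "uniformBucketLevelAccess": {"enabled": False}},
}
HARDENED_BUCKET = {
    "name": "example-hardened-bucket",
    "versioning": {"enabled": True},
    "iamConfiguration": {"publicAccessPrevention": "enforced",
                         "uniformBucketLevelAccess": {"enabled": True}},
    "retentionPolicy": {"retentionPeriod": "2592000"},   # 30 days, in seconds
    "logging": {"logBucket": "example-log-bucket"},
    "encryption": {"defaultKmsKeyName": "projects/example/locations/us/keyRings/kr/cryptoKeys/k"},
}
ROTATED_KEY = {"name": "projects/example/locations/us/keyRings/kr/cryptoKeys/k", "rotationPeriod": "7776000s"}
STATIC_KEY = {"name": "projects/example/locations/us/keyRings/kr/cryptoKeys/static"}

if __name__ == "__main__":
    for b in (WEAK_BUCKET, HARDENED_BUCKET):
        print(b["name"], bucket_findings(b))
```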