This page provides supplemental information about organization policy constraints that apply to Cloud Storage. Use constraints to enforce bucket and object behaviors across an entire project or organization. Organization policy constraints can either be boolean constraints or list constraints.
Note that enforcing or disabling any constraints might take up to 10 minutes to go into effect.
Cloud Storage constraintsThe following constraints can be applied to an organization policy and relate to Cloud Storage:
Enforce public access preventionConstraint Name: constraints/storage.publicAccessPrevention Constraint Type: boolean
When you apply the publicAccessPrevention constraint on a resource, public access is restricted for all buckets and objects, both new and existing, under that resource.
Constraint Name: constraints/storage.softDeletePolicySeconds Constraint Type: list
When you apply the softDeletePolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, the bucket soft delete policy must include one of the specified durations. softDeletePolicySeconds is required when creating a new bucket and when adding or updating the soft delete retention duration (softDeletePolicy.retentionDuration) of a pre-existing bucket; however, it does not otherwise affect pre-existing buckets.
If you set multiple softDeletePolicySeconds constraints at different resource levels, they are enforced hierarchically. For this reason, it's recommended that you set the inheritFromParent field to true, which ensures that policies at higher layers are also considered.
Constraint Name: constraints/storage.retentionPolicySeconds Constraint Type: list
When you apply the retentionPolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, bucket retention policies must include one of the specified durations. retentionPolicySeconds is required when creating a new bucket and when adding or updating the retention period of a pre-existing bucket; however, it's not otherwise required on pre-existing buckets.
If you set multiple retentionPolicySeconds constraints at different resource levels, they are enforced hierarchically. For this reason, it's recommended that you set the inheritFromParent field to true, which ensures that policies at higher layers are also considered.
Constraint Name: constraints/storage.uniformBucketLevelAccess Constraint Type: boolean
When you apply the uniformBucketLevelAccess constraint, new buckets must enable the uniform bucket-level access feature, and pre-existing buckets with this feature enabled cannot disable it. Pre-existing buckets with uniform bucket-level access disabled are not required to enable it.
uniformBucketLevelAccess constraint enabled by default. To find out whether your organization has the uniformBucketLevelAccess constraint enabled or disabled, contact your organization administrator. Detailed audit logging mode
Constraint Name: constraints/gcp.detailedAuditLoggingMode Constraint Type: boolean
When you apply the detailedAuditLoggingMode constraint, Cloud Audit Logs logs associated with Cloud Storage operations contain detailed request and response information. This constraint is recommended to be used in conjunction with Bucket Lock and Object Retention Lock when seeking various compliances such as SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c).
Logged information includes query parameters, path parameters, and request body parameters. Logs exclude certain parts of requests and responses that are associated with sensitive information. For example, logs exclude:
Authorization, X-Goog-Signature, or upload-id.x-goog-encryption-key.When using this constraint, note the following:
detailedAuditLoggingMode increases the amount of data stored in audit logs, which could affect your Cloud Logging charges for Data Access logs.Constraint Name: constraints/storage.restrictAuthTypes Constraint Type: list
When you apply the restrictAuthTypes constraint, requests to access Cloud Storage resources using the restricted authentication type fail, regardless of the validity of the request. You can use the restrictAuthTypes constraint to restrict HMAC keys to meet regulatory requirements or increase the security of your data.
The list constraint explicitly denies specific authentication types while permitting all others. To do so, you must list the restricted authentication types in the deniedValues key within the rules of the restrictAuthTypes constraint. An error occurs if you try to list the restricted authentication types in the allowedValues key.
You can restrict the following authentication types:
SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS: Restricts requests signed by service account HMAC keys.
USER_ACCOUNT_HMAC_SIGNED_REQUESTS: Restricts requests signed by user account HMAC keys.
RSA_SIGNED_REQUESTS: Restricts requests signed by RSA keys.
in:ALL_HMAC_SIGNED_REQUESTS: Restrict requests signed by any HMAC key. If you need to meet data sovereignty requirements, it's recommended that you restrict all HMAC signed requests.
in:ALL_SIGNED_REQUESTS: Restrict requests signed by any HMAC or RSA key.
When you enable this constraint, the following occurs:
Cloud Storage restricts access for requests that are authenticated with the restricted authentication type. Requests fail with the error 403 Forbidden.
Entities that were previously authorized to perform the request receive an error message explaining that the authentication type is disabled.
If HMAC keys are restricted:
HMAC keys of the restricted type can no longer be created or activated in the resource that the constraint is enforced upon. Requests to create or activate HMAC keys fail with the error 403 Forbidden.
Existing HMAC keys remain but are no longer usable. They can be deactivated or deleted, but cannot be reactivated.
When using the restrictAuthTypes constraint, be aware of existing resources that depend on HMAC authentication. For example, if you migrated from Amazon Simple Storage Service (Amazon S3), your application likely uses HMAC keys to authenticate requests to Cloud Storage. You can use the Cloud Monitoring metric storage.googleapis.com/authn/authentication_count to track the number of times HMAC keys have been used to authenticate requests.
Constraint Name: constraints/storage.secureHttpTransport Constraint Type: boolean
When you apply the secureHttpTransport constraint, all unencrypted HTTP access to Cloud Storage resources is denied.
CNAME redirects only support unencrypted HTTP access.The following organization policy constraints apply more generally throughout Google Cloud, but are often applied to the Cloud Storage service:
constraints/gcp.restrictNonCmekServices: Require new and rewritten objects to be encrypted using customer-managed encryption keys, and require new buckets to set a Cloud KMS key as the default encryption key.
constraints/gcp.restrictCmekCryptoKeyProjects: Reject requests to Cloud Storage if the request includes a customer-managed encryption key and the key does not belong to a project specified by the constraint. Similarly, reject requests that create or rewrite an object if the object would be encrypted by the bucket's default encryption key and that key does not belong to a project specified by the constraint.
constraints/gcp.restrictTLSVersion: Prevent access to Cloud Storage by requests made using Transport Layer Security (TLS) 1.0 or 1.1.
Tags provides a way to conditionally allow or deny organization policies based on whether a Cloud Storage bucket has a specific tag. See setting an organization policy with tags for detailed instructions.
What's nextprojects.setOrgPolicy.RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.5