# Predefined posture for Cloud Storage, extended

Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))

This page describes the preventative and detective policies that are included in
the v1.0 version of the predefined posture for Cloud Storage, extended. This posture
includes two policy sets:

- A policy set that includes organization policies that apply to Cloud Storage.
- A policy set that includes Security Health Analytics detectors that apply to Cloud Storage.

You can use this predefined posture to configure a security posture that helps
protect Cloud Storage. If you want to deploy this predefined posture, you
must customize some of the policies so that they apply to your environment.
Organization policy constraints
-------------------------------

The following table describes the organization policies that are included in
this posture.

| Policy | Description | Compliance standard |
|---|---|---|
| `storage.publicAccessPrevention` | This policy prevents Cloud Storage buckets from being open to unauthenticated public access. The value is `true` to prevent public access to buckets. | NIST SP 800-53 control: AC-3, AC-17, and AC-20 |
| `storage.uniformBucketLevelAccess` | This policy prevents Cloud Storage buckets from using per-object ACLs (a separate system from IAM policies) to provide access, enforcing consistency for access management and auditing. | |
| | This constraint defines the duration (in seconds) for the retention policy for buckets. You must configure this value when you adopt this predefined posture. | NIST SP 800-53 control: SI-12 |
Security Health Analytics detectors
-----------------------------------

The following table describes the Security Health Analytics detectors that are included in
the predefined posture. For more information about these detectors, see
[Vulnerability findings](/security-command-center/docs/concepts-vulnerabilities-findings).

| Detector name | Description |
|---|---|
| `BUCKET_LOGGING_DISABLED` | This detector checks whether there is a storage bucket without logging enabled. |
| `LOCKED_RETENTION_POLICY_NOT_SET` | This detector checks whether the locked retention policy is set for logs. |
| `OBJECT_VERSIONING_DISABLED` | This detector checks whether object versioning is enabled on storage buckets with sinks. |
| `BUCKET_CMEK_DISABLED` | This detector checks whether buckets are encrypted using customer-managed encryption keys (CMEK). |
| `BUCKET_POLICY_ONLY_DISABLED` | This detector checks whether uniform bucket-level access is configured. |
| `PUBLIC_BUCKET_ACL` | This detector checks whether a bucket is publicly accessible. |
| `PUBLIC_LOG_BUCKET` | This detector checks whether a bucket with a log sink is publicly accessible. |
| `ORG_POLICY_LOCATION_RESTRICTION` | This detector checks whether a Compute Engine resource is out of compliance with the `constraints/gcp.resourceLocations` constraint. |
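The following added example (not part of this page or of Security Command Center) shows what the preventative constraints and the bucket-level detectors above actually test, by evaluating exported bucket metadata locally. It assumes the field names of the Cloud Storage JSON API bucket resource (as returned by `gcloud storage buckets describe --format=json`), applies every check to the bucket whether or not it is a log-sink destination (the real detectors scope some checks to log buckets), and takes the retention minimum as a parameter because the posture requires you to set that value yourself.

```python
"""Local dry-run of the Cloud Storage, extended posture checks against bucket metadata."""
import json

# Constructed sample; shape follows the Cloud Storage JSON API bucket resource
# (e.g. output of `gcloud storage buckets describe gs://BUCKET --format=json`).
SAMPLE_BUCKET = json.loads("""{
  "name": "example-audit-logs",
  "iamConfiguration": {
    "publicAccessPrevention": "inherited",
    "uniformBucketLevelAccess": {"enabled": false}
  },
  "versioning": {"enabled": false},
  "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": false}
}""")


def evaluate_bucket(bucket: dict, min_retention_seconds: int) -> list[str]:
    """Return the names of posture checks the bucket fails (empty list = compliant)."""
    iam = bucket.get("iamConfiguration", {})
    findings = []
    # storage.publicAccessPrevention / PUBLIC_BUCKET_ACL: "inherited" is not enough,
    # the bucket must have prevention enforced.
    if iam.get("publicAccessPrevention") != "enforced":
        findings.append("storage.publicAccessPrevention")
    # storage.uniformBucketLevelAccess / BUCKET_POLICY_ONLY_DISABLED: no per-object ACLs.
    if not iam.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("BUCKET_POLICY_ONLY_DISABLED")
    # Retention duration constraint (seconds, value chosen by you) and
    # LOCKED_RETENTION_POLICY_NOT_SET (policy present but not locked).
    retention = bucket.get("retentionPolicy")
    if retention is None or int(retention.get("retentionPeriod", "0")) < min_retention_seconds:
        findings.append("retention period below configured minimum")
    if retention is None or not retention.get("isLocked", False):
        findings.append("LOCKED_RETENTION_POLICY_NOT_SET")
    # BUCKET_LOGGING_DISABLED: no usage/storage log destination configured.
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append("BUCKET_LOGGING_DISABLED")
    # OBJECT_VERSIONING_DISABLED
    if not bucket.get("versioning", {}).get("enabled", False):
        findings.append("OBJECT_VERSIONING_DISABLED")
    # BUCKET_CMEK_DISABLED: no default Cloud KMS key on the bucket.
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("BUCKET_CMEK_DISABLED")
    return findings


if __name__ == "__main__":
    # 90 days is a constructed minimum; the sample bucket only retains 30 days.
    for finding in evaluate_bucket(SAMPLE_BUCKET, min_retention_seconds=7776000):
        print("FAIL", finding)
```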
View the posture template
-------------------------

To view the posture template for Cloud Storage, extended, do the following:

### gcloud

Before using any of the command data below, make the following replacements:

- ORGANIZATION_ID: the numeric ID of the organization

Execute the [`gcloud scc posture-templates describe`](/sdk/gcloud/reference/scc/posture-templates/describe) command:

#### Linux, macOS, or Cloud Shell

```bash
gcloud scc posture-templates describe \
  organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended
```

#### Windows (PowerShell)

```powershell
gcloud scc posture-templates describe `
  organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended
```

#### Windows (cmd.exe)

```
gcloud scc posture-templates describe ^
  organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended
```

The response contains the posture template.

### REST

Before using any of the request data, make the following replacements:

- ORGANIZATION_ID: the numeric ID of the organization

HTTP method and URL:

```
GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended
```

Use one of the following options to send your request:

#### curl (Linux, macOS, or Cloud Shell)

**Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login), or by using [Cloud Shell](/shell/docs), which automatically logs you into the `gcloud` CLI. You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).

Execute the following command:

```bash
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended"
```

#### PowerShell (Windows)

**Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login). You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).

Execute the following command:

```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/cloud_storage_extended" | Select-Object -Expand Content
```

The response contains the posture template.

What's next
-----------

- [Create a security posture using this predefined posture](/security-command-center/docs/how-to-use-security-posture).

Last updated 2025-08-28 UTC.