Check for Sufficient Data Retention Period

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Check for Sufficient Data Retention Period conformity rule settings and note the retention period configured for the retention policy.

02 Sign in to Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

04 Navigate to Cloud Storage dashboard at https://console.cloud.google.com/storage.

05 In the navigation panel, select Browser to access the list with all the Cloud Storage buckets created for the selected project.

06 Click on the name of the storage bucket that you want to examine.

07 Select the Bucket Lock tab to view the retention policy and bucket lock configuration details available for selected bucket.

08 On the Bucket Lock panel, under Retention policy, check the Duration configuration attribute value. If Duration is set to None, follow this conformity rule to configure a retention policy for the selected bucket. If the Duration attribute value is different than the retention period identified at step no. 1, the objects stored inside the selected Google Cloud Storage bucket do not have a sufficient data retention period configured.

09 Repeat steps no. 6 – 9 for each storage bucket provisioned for the selected Google Cloud Platform (GCP) project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Check for Sufficient Data Retention Period conformity rule settings and note the retention period configured for the retention policy.

02 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list
	--format="table(projectId)"

03 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-112233
cc-mobile-project-111222

04 Run gsutil ls command (using gsutil Python tool) to list the identifier of each storage bucket created for the specified GCP project:

gsutil ls -p cc-web-project-112233

05 The command output should return the requested storage resource name(s):

gs://cc-project5-log-bucket/
gs://cc-project5-webdata-bucket/

06 Run gsutil retention get command (using gsutil tool) using the name of the Cloud Storage bucket that you want to examine as identifier parameter, to describe the retention policy defined for the selected bucket:

gsutil retention get gs://cc-project5-log-bucket

07 If the verified bucket does not have a retention policy configured, the command request should return the following output. If there is no retention policy already defined, follow this conformity rule to configure a retention policy for the selected bucket:

gs://cc-project5-log-bucket/ has no Retention Policy.

08 If the specified bucket does have a retention policy configured and the retention policy is unlocked, as shown in the example below, check the Duration configuration attribute value (i.e. number of days). If the Duration attribute value is different than the retention period identified at step no. 1, the objects stored inside the selected Google Cloud Storage bucket do not have a sufficient data retention period configured:

Retention Policy (UNLOCKED):
  Duration: 7 Day(s)
  Effective Time: Tue, 16 Jun 2020 15:30:00 GMT

09 Repeat steps no. 6 – 8 for each storage bucket available in the selected Google Cloud Platform (GCP) project.

10 Repeat step no. 1 – 8 for each GCP project created within your Google Cloud account.

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Cloud Storage dashboard at https://console.cloud.google.com/storage.

04 In the navigation panel, select Browser to access all the buckets created for the selected GCP project.

05 Click on the name of the storage bucket that you want to reconfigure (see Audit section part I to identify the right bucket), then select the Bucket Lock tab.

06 On the Bucket Lock panel, click on the edit policy button available next to Duration configuration attribute, to edit the retention policy defined for the selected storage bucket.

07 Inside the Edit retention policy configuration box, under Duration, set how long the objects within the selected bucket must be retained. This duration must match the retention period defined in the conformity rule settings, available on your Trend Micro Cloud One™ – Conformity account dashboard. Click SAVE CHANGES to update the retention policy with the compliant retention period.

08 Repeat steps no. 5 – 7 to configure the data retention period for other Cloud Storage buckets created for the selected project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

01 Run gsutil retention set command (using gsutil Python tool) with the name of the Google Cloud Storage bucket that you want to reconfigure as identifier parameter (see Audit section part II to identify the appropriate bucket), to set the optimal retention period for the selected bucket. The value must match the retention period defined in the conformity rule settings, available on your Trend Micro Cloud One™ – Conformity account dashboard. The following example sets the retention period to 1 year:

gsutil retention set 1y gs://cc-project5-log-bucket

02 If successful, the command output should return the gsutil retention set request status:

Setting Retention Policy on gs://cc-project5-log-bucket/...

03 Repeat steps no. 1 and 2 to configure the data retention period for other Cloud Storage buckets available in the selected project.

04 Repeat steps no. 1 – 3 for each GCP project created within your Google Cloud account.