Cloud Storage bucket has lifecycle management enabled with at least one valid rule
cloudstorage_bucket_lifecycle_management_enabled
Cloud Storage buckets use Object Lifecycle Management with at least one valid rule (supported action and non-empty condition) to automatically transition storage class or delete objects.
Risk
Without lifecycle rules, objects and their noncurrent versions persist indefinitely, expanding the attack surface and making mandated erasure (for example a data-subject deletion request) hard to guarantee. Stale data amplifies the impact of any exfiltration (confidentiality) and complicates integrity controls, while also driving avoidable storage cost and retention noncompliance.
prowler gcp --checks cloudstorage_bucket_lifecycle_management_enabled
Recommendation
Define lifecycle policies by data classification to enforce least data retention. Use Delete for TTL/age, SetStorageClass for archival and AbortIncompleteMultipartUpload to clear stale uploads, with version-aware conditions such as isLive=false, daysSinceNoncurrentTime or numNewerVersions so that noncurrent versions are pruned as well as live objects. A lifecycle Delete is permanent, so test a new policy on a non-production bucket or a limited prefix (matchesPrefix) before applying it broadly, review the effective configuration regularly, and treat lifecycle rules as one layer alongside versioning, retention policies and access controls rather than a substitute for them.
Remediation
gcloud storage buckets update gs://<BUCKET_NAME> --lifecycle-file=<PATH_TO_JSON>
- In Google Cloud Console, go to Storage > Buckets and open <BUCKET_NAME>
- Click the Lifecycle tab
- Click Add a rule
- Action: Delete
- Condition: Age = 1 day (an illustrative value; set the age to match the data's retention requirement, since a one-day TTL deletes every matching object after a single day)
- Click Create/Save
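As an added illustration (this is neither Prowler's own check code nor a Google sample), the following Python script applies the page's validity criteria, a supported action plus a non-empty condition, to a bucket's lifecycle block and also generates the JSON file that the gcloud command above expects. The action and condition names are the ones documented for Cloud Storage Object Lifecycle Management; the sample bucket states, the retention numbers and the output file name are constructed for the example.

```python
"""Build and validate a Cloud Storage lifecycle configuration.

Added illustration; this is not Prowler's own check code. The validity
criteria mirror the page: a rule is valid when its action type is one the
service supports and its condition object is non-empty. The sample
configurations below are constructed for the example.
"""
import json
from pathlib import Path
from typing import Optional

# Action types documented for Cloud Storage Object Lifecycle Management.
SUPPORTED_ACTIONS = {"Delete", "SetStorageClass", "AbortIncompleteMultipartUpload"}

# Condition keys documented for lifecycle rules. Unknown keys are rejected
# instead of being counted as a "non-empty condition".
SUPPORTED_CONDITIONS = {
    "age", "createdBefore", "customTimeBefore", "daysSinceCustomTime",
    "daysSinceNoncurrentTime", "isLive", "matchesPrefix", "matchesSuffix",
    "matchesStorageClass", "noncurrentTimeBefore", "numNewerVersions",
}


def is_valid_rule(rule: dict) -> bool:
    """Supported action plus a non-empty condition made only of documented keys."""
    action = rule.get("action") or {}
    condition = rule.get("condition") or {}
    action_type = action.get("type")
    if action_type not in SUPPORTED_ACTIONS:
        return False
    # SetStorageClass is meaningless without a target class.
    if action_type == "SetStorageClass" and not action.get("storageClass"):
        return False
    if not condition:
        return False
    return set(condition) <= SUPPORTED_CONDITIONS


def lifecycle_management_enabled(lifecycle: Optional[dict]) -> bool:
    """PASS when the bucket's lifecycle block holds at least one valid rule.

    `lifecycle` is the bucket's `lifecycle` field as the JSON API returns it
    (None when no configuration is set on the bucket).
    """
    rules = (lifecycle or {}).get("rule") or []
    return any(is_valid_rule(rule) for rule in rules)


def build_retention_policy(
    live_ttl_days: int, noncurrent_ttl_days: int, archive_after_days: int, keep_versions: int = 3
) -> dict:
    """Lifecycle file body for `gcloud storage buckets update --lifecycle-file`.

    Archives aging live objects, deletes live objects past their TTL, prunes
    noncurrent versions by age and by count, and aborts stale multipart uploads.
    The numbers are parameters so they can follow the data classification.
    """
    return {
        "rule": [
            {
                "action": {"type": "SetStorageClass", "storageClass": "ARCHIVE"},
                "condition": {
                    "age": archive_after_days,
                    "isLive": True,
                    "matchesStorageClass": ["STANDARD", "NEARLINE", "COLDLINE"],
                },
            },
            {"action": {"type": "Delete"}, "condition": {"age": live_ttl_days, "isLive": True}},
            {"action": {"type": "Delete"}, "condition": {"daysSinceNoncurrentTime": noncurrent_ttl_days}},
            {"action": {"type": "Delete"}, "condition": {"numNewerVersions": keep_versions}},
            {"action": {"type": "AbortIncompleteMultipartUpload"}, "condition": {"age": 7}},
        ]
    }


def write_lifecycle_file(policy: dict, path: str) -> str:
    """Write the policy as JSON and return the path to pass to --lifecycle-file."""
    Path(path).write_text(json.dumps(policy, indent=2))
    return path


if __name__ == "__main__":
    # Constructed bucket states, shaped like the `lifecycle` field from the API.
    examples = {
        "no-lifecycle": None,
        "empty-condition": {"rule": [{"action": {"type": "Delete"}, "condition": {}}]},
        "unknown-action": {"rule": [{"action": {"type": "Archive"}, "condition": {"age": 30}}]},
        "well-formed": build_retention_policy(365, 30, 90),
    }
    for name, lifecycle in examples.items():
        print(f"{name}: {'PASS' if lifecycle_management_enabled(lifecycle) else 'FAIL'}")
    print("wrote", write_lifecycle_file(examples["well-formed"], "lifecycle.json"))
```

Running the script prints one PASS/FAIL line per constructed bucket state and writes `lifecycle.json`, which can then be applied with `gcloud storage buckets update gs://<BUCKET_NAME> --lifecycle-file=lifecycle.json`. The generated policy keeps noncurrent versions for a bounded time and count rather than only deleting live objects, which is what makes it useful for erasure and blast-radius reduction on a versioned bucket.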
Resource Type
storage.googleapis.com/Bucket
References
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/enable-lifecycle-management.html
- https://docs.cloud.google.com/storage/docs/managing-lifecycles
- https://docs.cloud.google.com/storage/docs/lifecycle
- https://docs.cloud.google.com/storage/docs/samples/storage-enable-bucket-lifecycle-management