Organization policy constraints for Cloud Storage
This page provides supplemental information about organization policy constraints that apply to Cloud Storage. Use constraints to enforce bucket and object behaviors across an entire project or organization. Organization policy constraints can either be boolean constraints or list constraints.
Note that enforcing or disabling any constraints might take up to 10 minutes to go into effect.
Cloud Storage constraints
The following constraints can be applied to an organization policy and relate to Cloud Storage:
Enforce public access prevention
Constraint Name: constraints/storage.publicAccessPrevention
Constraint Type: boolean
When you apply the publicAccessPrevention constraint on a resource, public access is restricted for all buckets and objects, both new and existing, under that resource.
Soft delete retention duration
Constraint Name: constraints/storage.softDeletePolicySeconds
Constraint Type: list
When you apply the softDeletePolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, the bucket soft delete policy must include one of the specified durations. softDeletePolicySeconds is required when creating a new bucket and when adding or updating the soft delete retention duration (softDeletePolicy.retentionDuration) of a pre-existing bucket; however, it does not otherwise affect pre-existing buckets.
If you set multiple softDeletePolicySeconds constraints at different resource levels, they are enforced hierarchically. For this reason, it's recommended that you set the inheritFromParent field to true, which ensures that policies at higher layers are also considered.
Bucket retention policy duration in seconds
Constraint Name: constraints/storage.retentionPolicySeconds
Constraint Type: list
When you apply the retentionPolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, bucket retention policies must include one of the specified durations. retentionPolicySeconds is required when creating a new bucket and when adding or updating the retention period of a pre-existing bucket; however, it's not otherwise required on pre-existing buckets.
If you set multiple retentionPolicySeconds constraints at different resource levels, they are enforced hierarchically. For this reason, it's recommended that you set the inheritFromParent field to true, which ensures that policies at higher layers are also considered.
Require uniform bucket-level access
Constraint Name: constraints/storage.uniformBucketLevelAccess
Constraint Type: boolean
When you apply the uniformBucketLevelAccess constraint, new buckets must enable the uniform bucket-level access feature, and pre-existing buckets with this feature enabled cannot disable it. Pre-existing buckets with uniform bucket-level access disabled are not required to enable it.
Your organization might have the uniformBucketLevelAccess constraint enabled by default. To find out whether your organization has the uniformBucketLevelAccess constraint enabled or disabled, contact your organization administrator.
Detailed audit logging mode
Constraint Name: constraints/gcp.detailedAuditLoggingMode
Constraint Type: boolean
When you apply the detailedAuditLoggingMode constraint, Cloud Audit Logs logs associated with Cloud Storage operations contain detailed request and response information. This constraint is recommended to be used in conjunction with Bucket Lock and Object Retention Lock when seeking various compliances such as SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c).
Logged information includes query parameters, path parameters, and request body parameters. Logs exclude certain parts of requests and responses that are associated with sensitive information. For example, logs exclude:
- Credentials, such as Authorization, X-Goog-Signature, or upload-id.
- Encryption key information, such as x-goog-encryption-key.
- Raw object data.
When using this constraint, note the following:
- Detailed request and response information is not guaranteed; in rare cases, empty logs might be returned.
- Enabling detailedAuditLoggingMode increases the amount of data stored in audit logs, which could affect your Cloud Logging charges for Data Access logs.
- Logged requests and responses are recorded in a generic format that matches the field names of the JSON API.
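The exclusion list above is also a useful checklist for anyone forwarding Cloud Storage request records into their own log pipeline. The following Python is an added example (not Google's logging code): it redacts the credential and key parameters the page names, drops raw object bytes, and keeps the query, path and body parameters that detailed logging records. The request shapes are constructed for illustration; treating every header that carries key material (not only x-goog-encryption-key) as sensitive is an assumption on top of the page's "such as" wording.

```python
"""Redaction that mirrors what detailedAuditLoggingMode leaves out of logs.

Added example, not Google's logging code: it reproduces the page's exclusion
list (credentials such as Authorization, X-Goog-Signature and upload-id;
encryption key headers such as x-goog-encryption-key; raw object data) so a
request record can be checked before it is forwarded to another log sink.
"""
import json
from typing import Any

REDACTED = "[REDACTED]"

# Credential parameter names the page lists as excluded from detailed audit logs.
CREDENTIAL_NAMES = {"authorization", "x-goog-signature", "upload-id"}
# Assumption: every header carrying key material, not only x-goog-encryption-key,
# counts as "encryption key information" and is dropped.
ENCRYPTION_KEY_MARKER = "encryption-key"


def _canonical(name: str) -> str:
    """Header and query names are case-insensitive; treat '_' and '-' alike."""
    return name.lower().replace("_", "-")


def is_sensitive(name: str) -> bool:
    """True for parameters whose value must never reach a log line."""
    canon = _canonical(name)
    return canon in CREDENTIAL_NAMES or ENCRYPTION_KEY_MARKER in canon


def redact(params: dict[str, str]) -> dict[str, str]:
    """Keep the key so the log shows the parameter was present, drop the value."""
    return {k: (REDACTED if is_sensitive(k) else v) for k, v in params.items()}


def build_audit_record(request: dict[str, Any]) -> dict[str, Any]:
    """Produce a loggable record from a captured Cloud Storage request.

    Query, path and JSON body parameters are kept (what detailed logging
    records); raw object bytes are replaced by their length.
    """
    record = {
        "method": request["method"],
        "resource": request["path"],
        "queryParameters": redact(request.get("query", {})),
        "requestHeaders": redact(request.get("headers", {})),
    }
    body = request.get("body")
    if isinstance(body, (bytes, bytearray)):
        record["rawObjectBytesOmitted"] = len(body)  # raw object data is excluded
    elif isinstance(body, dict):
        record["requestBody"] = redact({k: str(v) for k, v in body.items()})
    return record


def leaks(record: dict[str, Any], secrets: list[str]) -> list[str]:
    """Return the secrets that still appear anywhere in the serialized record."""
    blob = json.dumps(record)
    return [s for s in secrets if s in blob]


# Constructed sample requests (not real traffic): a JSON API resumable upload
# chunk carrying an OAuth token and a customer-supplied key, and an XML API
# signed-URL download whose signature travels in the query string.
UPLOAD_REQUEST = {
    "method": "PUT",
    "path": "/upload/storage/v1/b/example-bucket/o",
    "query": {"uploadType": "resumable", "upload_id": "CONSTRUCTED-UPLOAD-ID"},
    "headers": {
        "Authorization": "Bearer ya29.CONSTRUCTED-TOKEN",
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": "CONSTRUCTED-BASE64-KEY",
        "x-goog-encryption-key-sha256": "CONSTRUCTED-BASE64-HASH",
        "Content-Type": "application/octet-stream",
    },
    "body": b"object payload that must never be logged",
}

SIGNED_URL_REQUEST = {
    "method": "GET",
    "path": "/example-bucket/reports/q1.csv",
    "query": {
        "X-Goog-Algorithm": "GOOG4-RSA-SHA256",
        "X-Goog-Expires": "600",
        "X-Goog-Signature": "CONSTRUCTED-HEX-SIGNATURE",
    },
    "headers": {"Host": "storage.googleapis.com"},
}


if __name__ == "__main__":
    for req in (UPLOAD_REQUEST, SIGNED_URL_REQUEST):
        print(json.dumps(build_audit_record(req), indent=2))
```

The record keeps redacted keys rather than deleting them, so an analyst can still see that a request was authenticated or used a customer-supplied key without the value itself ever being written; the leaks helper is the kind of check worth running in a unit test against any sink you add downstream of Cloud Audit Logs.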
Restrict authentication types
Constraint Name: constraints/storage.restrictAuthTypes
Constraint Type: list
When you apply the restrictAuthTypes constraint, requests to access Cloud Storage resources using the restricted authentication type fail, regardless of the validity of the request. You can use the restrictAuthTypes constraint to restrict HMAC keys to meet regulatory requirements or increase the security of your data.
The list constraint explicitly denies specific authentication types while permitting all others. To do so, you must list the restricted authentication types in the deniedValues key within the rules of the restrictAuthTypes constraint. An error occurs if you try to list the restricted authentication types in the allowedValues key.
You can restrict the following authentication types:
- SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS: Restricts requests signed by service account HMAC keys.
- USER_ACCOUNT_HMAC_SIGNED_REQUESTS: Restricts requests signed by user account HMAC keys.
- RSA_SIGNED_REQUESTS: Restricts requests signed by RSA keys.
- in:ALL_HMAC_SIGNED_REQUESTS: Restricts requests signed by any HMAC key. If you need to meet data sovereignty requirements, it's recommended that you restrict all HMAC signed requests.
- in:ALL_SIGNED_REQUESTS: Restricts requests signed by any HMAC or RSA key.
When you enable this constraint, the following occurs:
- Cloud Storage restricts access for requests that are authenticated with the restricted authentication type. Requests fail with the error 403 Forbidden.
- Entities that were previously authorized to perform the request receive an error message explaining that the authentication type is disabled.
If HMAC keys are restricted:
- HMAC keys of the restricted type can no longer be created or activated in the resource that the constraint is enforced upon. Requests to create or activate HMAC keys fail with the error 403 Forbidden.
- Existing HMAC keys remain but are no longer usable. They can be deactivated or deleted, but cannot be reactivated.
When using the restrictAuthTypes constraint, be aware of existing resources that depend on HMAC authentication. For example, if you migrated from Amazon Simple Storage Service (Amazon S3), your application likely uses HMAC keys to authenticate requests to Cloud Storage. You can use the Cloud Monitoring metric storage.googleapis.com/authn/authentication_count to track the number of times HMAC keys have been used to authenticate requests.
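The behavior described above for restrictAuthTypes, written out as an added Python model (not Google's enforcement code or API client): it builds the deny-only policy body, rejects an allowedValues list the way the page says the API does, expands the in: group values into the concrete types they cover, and evaluates both requests and HMAC key operations. The authentication type values are the ones listed on this page; the policy resource name and the exact JSON field layout of the body are assumptions.

```python
"""Model of the constraints/storage.restrictAuthTypes list constraint.

Added example, not Google's enforcement code or API client. The policy body
uses the rules/values/deniedValues layout the page refers to; the resource
name format and field names are an assumption, not a documented API contract.
"""
from __future__ import annotations

CONSTRAINT = "constraints/storage.restrictAuthTypes"

# Concrete authentication types the constraint can restrict (from the page).
CONCRETE_AUTH_TYPES = {
    "SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS",
    "USER_ACCOUNT_HMAC_SIGNED_REQUESTS",
    "RSA_SIGNED_REQUESTS",
}

# in: group values and the concrete types they cover (from the page).
GROUPS = {
    "in:ALL_HMAC_SIGNED_REQUESTS": {
        "SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS",
        "USER_ACCOUNT_HMAC_SIGNED_REQUESTS",
    },
}
GROUPS["in:ALL_SIGNED_REQUESTS"] = GROUPS["in:ALL_HMAC_SIGNED_REQUESTS"] | {"RSA_SIGNED_REQUESTS"}

# The auth type a new HMAC key would sign with, by the kind of principal owning it.
HMAC_KEY_AUTH_TYPE = {
    "serviceAccount": "SERVICE_ACCOUNT_HMAC_SIGNED_REQUESTS",
    "user": "USER_ACCOUNT_HMAC_SIGNED_REQUESTS",
}


def build_policy(resource: str, denied: list[str], allowed: list[str] | None = None) -> dict:
    """Build the policy body for restrictAuthTypes on a project, folder or organization.

    The constraint is deny-only: listing auth types under allowedValues is an
    error, so it is rejected here before anything would be sent to the API.
    """
    if allowed:
        raise ValueError(f"{CONSTRAINT} accepts deniedValues only, got allowedValues={allowed}")
    unknown = sorted(v for v in denied if v not in CONCRETE_AUTH_TYPES and v not in GROUPS)
    if unknown:
        raise ValueError(f"unknown authentication type(s): {unknown}")
    return {
        "name": f"{resource}/policies/storage.restrictAuthTypes",  # assumed naming scheme
        "spec": {"rules": [{"values": {"deniedValues": sorted(denied)}}]},
    }


def effective_denied(policy: dict) -> set[str]:
    """Expand in: groups into the concrete auth types the policy blocks."""
    denied: set[str] = set()
    for rule in policy["spec"]["rules"]:
        for value in rule.get("values", {}).get("deniedValues", []):
            denied |= GROUPS.get(value, {value})
    return denied


def check_request(policy: dict, auth_type: str) -> tuple[int, str]:
    """Status and message for a request authenticated with auth_type.

    A restricted type fails with 403 regardless of whether the request is
    otherwise valid; any other auth type is untouched by this constraint.
    """
    if auth_type in effective_denied(policy):
        return 403, f"Forbidden: {auth_type} is disabled by {CONSTRAINT}"
    return 200, "OK"


def check_hmac_key_operation(policy: dict, owner_kind: str, operation: str) -> tuple[int, str]:
    """Create/activate of a restricted key type fails; deactivate/delete still work."""
    restricted = HMAC_KEY_AUTH_TYPE[owner_kind] in effective_denied(policy)
    if restricted and operation in ("create", "activate"):
        return 403, f"Forbidden: cannot {operation} {owner_kind} HMAC key under {CONSTRAINT}"
    return 200, "OK"


if __name__ == "__main__":
    policy = build_policy("projects/example-project", ["in:ALL_HMAC_SIGNED_REQUESTS"])
    for auth in ("USER_ACCOUNT_HMAC_SIGNED_REQUESTS", "RSA_SIGNED_REQUESTS", "OAUTH2_ACCESS_TOKEN"):
        print(auth, check_request(policy, auth))
    print("create SA key:", check_hmac_key_operation(policy, "serviceAccount", "create"))
    print("delete SA key:", check_hmac_key_operation(policy, "serviceAccount", "delete"))
```

Running the model with in:ALL_HMAC_SIGNED_REQUESTS shows the practical split the page describes: HMAC-signed requests and new key creation get 403, RSA-signed and token-authenticated requests continue to work, and existing keys can still be deleted. Comparing effective_denied against the storage.googleapis.com/authn/authentication_count metric before enforcement is how to find the S3-migrated workloads that would break.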
Restrict unencrypted HTTP requests
Constraint Name: constraints/storage.secureHttpTransport
Constraint Type: boolean
When you apply the secureHttpTransport constraint, all unencrypted HTTP access to Cloud Storage resources is denied.
- By default, the Cloud Storage XML API allows unencrypted HTTP access.
- CNAME redirects only support unencrypted HTTP access.
Additional constraints
The following organization policy constraints apply more generally throughout Google Cloud, but are often applied to the Cloud Storage service:
- constraints/gcp.restrictNonCmekServices: Require new and rewritten objects to be encrypted using customer-managed encryption keys, and require new buckets to set a Cloud KMS key as the default encryption key.
- constraints/gcp.restrictCmekCryptoKeyProjects: Reject requests to Cloud Storage if the request includes a customer-managed encryption key and the key does not belong to a project specified by the constraint. Similarly, reject requests that create or rewrite an object if the object would be encrypted by the bucket's default encryption key and that key does not belong to a project specified by the constraint.
- constraints/gcp.restrictTLSVersion: Prevent access to Cloud Storage by requests made using Transport Layer Security (TLS) 1.0 or 1.1.
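A pre-flight checker, added here as an example (not Google's enforcement code), covering the transport and encryption constraints discussed in this section and the previous one: secureHttpTransport, restrictTLSVersion, restrictNonCmekServices and restrictCmekCryptoKeyProjects. The Policy and Request shapes are constructed for illustration; the Cloud KMS key name format projects/P/locations/L/keyRings/R/cryptoKeys/K is the real one. The code follows the precedence the page describes for restrictCmekCryptoKeyProjects: a key named on the request is checked first, otherwise the bucket's default key is what would encrypt the object.

```python
"""Pre-flight evaluation of the Google Cloud-wide constraints this page lists
for Cloud Storage. Added example, not Google's enforcement code; the Policy
and Request dataclasses are a constructed shape for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Real Cloud KMS crypto key resource name layout; group 1 is the key's project.
KMS_KEY_RE = re.compile(r"^projects/([^/]+)/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")


def kms_key_project(key_name: str) -> str:
    """Project ID that owns a Cloud KMS key, taken from its resource name."""
    match = KMS_KEY_RE.match(key_name)
    if not match:
        raise ValueError(f"not a Cloud KMS crypto key name: {key_name}")
    return match.group(1)


@dataclass
class Policy:
    """Effective organization policy as seen by one bucket (constructed shape)."""
    secure_http_transport: bool = False             # constraints/storage.secureHttpTransport
    min_tls_version: tuple[int, int] | None = None  # constraints/gcp.restrictTLSVersion; (1, 2) rejects TLS 1.0 and 1.1
    require_cmek: bool = False                      # constraints/gcp.restrictNonCmekServices
    cmek_projects: set[str] | None = None           # constraints/gcp.restrictCmekCryptoKeyProjects; None = unrestricted


@dataclass
class Request:
    """One Cloud Storage request (constructed shape)."""
    scheme: str                                # "http" or "https"
    tls_version: tuple[int, int] | None        # negotiated TLS version, None for plain HTTP
    operation: str                             # "read_object", "write_object", "rewrite_object", "create_bucket"
    kms_key: str | None = None                 # CMEK named on the request (or default key of a bucket being created)
    bucket_default_kms_key: str | None = None  # default key of the target bucket, if it has one


def violations(policy: Policy, req: Request) -> list[str]:
    """Return the constraint violations that would make Cloud Storage reject req."""
    found: list[str] = []

    # Transport: unencrypted HTTP, then the TLS version on encrypted connections.
    if req.scheme == "http":
        if policy.secure_http_transport:
            found.append("storage.secureHttpTransport: unencrypted HTTP access is denied")
    elif policy.min_tls_version and req.tls_version is not None and req.tls_version < policy.min_tls_version:
        found.append(f"gcp.restrictTLSVersion: TLS {req.tls_version[0]}.{req.tls_version[1]} is not permitted")

    # Encryption: only operations that create or rewrite data are subject to the CMEK rules.
    if req.operation in ("write_object", "rewrite_object", "create_bucket"):
        key = req.kms_key or req.bucket_default_kms_key  # request key wins, else bucket default
        if key is None:
            if policy.require_cmek:
                found.append("gcp.restrictNonCmekServices: a customer-managed encryption key is required")
        elif policy.cmek_projects is not None:
            project = kms_key_project(key)
            if project not in policy.cmek_projects:
                found.append(f"gcp.restrictCmekCryptoKeyProjects: key project {project!r} is not permitted")
    return found


# Constructed sample policy and keys.
STRICT_POLICY = Policy(secure_http_transport=True, min_tls_version=(1, 2),
                       require_cmek=True, cmek_projects={"kms-prod"})
PROD_KEY = "projects/kms-prod/locations/us/keyRings/storage/cryptoKeys/objects"
DEV_KEY = "projects/kms-dev/locations/us/keyRings/storage/cryptoKeys/objects"


if __name__ == "__main__":
    samples = [
        Request("https", (1, 3), "write_object", bucket_default_kms_key=PROD_KEY),
        Request("http", None, "read_object"),
        Request("https", (1, 1), "read_object"),
        Request("https", (1, 2), "write_object"),
        Request("https", (1, 2), "write_object", kms_key=DEV_KEY, bucket_default_kms_key=PROD_KEY),
    ]
    for sample in samples:
        print(sample.operation, sample.scheme, sample.tls_version, "->", violations(STRICT_POLICY, sample) or "allowed")
```

Note that an object written with a request-level key from a project outside the allowed list is rejected even when the bucket's default key is compliant, which is the case that surprises teams rolling out restrictCmekCryptoKeyProjects; reads are unaffected by the CMEK rules but are still subject to the transport constraints.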
Conditionally allow or deny organization policy constraints
Tags provide a way to conditionally allow or deny organization policies based on whether a Cloud Storage bucket has a specific tag. See setting an organization policy with tags for detailed instructions.
What's next
- Learn about the resource hierarchy that applies to organization policies.
- See Creating and managing organization policies for instructions on working with constraints and organization policies in the Google Cloud console.
- See Using constraints for instructions on working with constraints and organization policies in the gcloud CLI.
- Learn about custom constraints for Cloud Storage.
- See the Resource Manager API reference documentation for relevant API methods, such as projects.setOrgPolicy.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.