Cloud Storage (GCS)

SmartSRE provides lifecycle management and security hardening for Google Cloud Storage.

What SmartSRE Scans

Category	Checks
Security	Public access, IAM bindings, uniform bucket access
Lifecycle	Missing policies, cold storage opportunities
Compliance	Retention policies, versioning configuration
Cost	Storage class optimization, unused buckets

Findings

Critical

Issue Type	Severity	Description
`public_bucket`	Critical	Bucket accessible to `allUsers` or `allAuthenticatedUsers`
`no_public_access_prevention`	High	Public Access Prevention not enabled

Medium-Priority

Issue Type	Severity	Description
`no_lifecycle_policy`	Medium	No automatic object cleanup configured
`cold_bucket`	Low	No access in 180+ days
`no_versioning`	Low	Object versioning not enabled

Available Fixes

Security

Operation	Description	Impact
`enable_public_access_prevention`	Enable PAP on bucket	Medium
`remove_public_binding`	Remove `allUsers` IAM binding	High
`enable_uniform_bucket_access`	Enable uniform bucket-level access	Medium

Lifecycle

Operation	Description	Impact
`set_lifecycle_rule`	Add/update lifecycle rule	Low
`set_archive_transition`	Transition to Archive class	Low
`set_coldline_transition`	Transition to Coldline class	Low

Compliance

Operation	Description	Impact
`enable_versioning`	Enable object versioning	Low
`set_retention_policy`	Configure retention period	Medium

Required Permissions

For Scanning

roles/storage.objectViewer (bucket level)

For Remediation

roles/storage.admin

Example ChangeSet

{
  "service": "gcs",
  "intent": "Enable lifecycle management for cost optimization",
  "steps": [
    {
      "op": "set_lifecycle_rule",
      "resource_ref": {
        "project_id": "my-project",
        "bucket_name": "logs-archive"
      },
      "params": {
        "action": "SetStorageClass",
        "storage_class": "COLDLINE",
        "age_days": 90
      },
      "estimated_cost_usd": -150.00,
      "impact_score": 10
    },
    {
      "op": "set_lifecycle_rule",
      "resource_ref": {
        "project_id": "my-project",
        "bucket_name": "logs-archive"
      },
      "params": {
        "action": "Delete",
        "age_days": 365
      },
      "estimated_cost_usd": -200.00,
      "impact_score": 25
    }
  ]
}

Configuration Options

Setting	Default	Description
`cold_bucket_days`	180	Days without access to flag as cold
`default_archive_age`	90	Default age for archive transition
`default_delete_age`	365	Default age for deletion rule

Rollback Capability

Operation	Rollback Support
`set_lifecycle_rule`	✅ Full (remove/restore rule)
`enable_public_access_prevention`	✅ Full
`delete_objects`	❌ None (destructive)
`remove_public_binding`	✅ Full (restore binding)

Best Practices

Enable PAP first — Prevents accidental public exposure
Use lifecycle rules — Automatic cost optimization
Scope by bucket naming — Target specific buckets (e.g., logs-*)
Test in non-production — Verify lifecycle behavior before production

What SmartSRE Scans​

Findings​

Critical​

Medium-Priority​

Available Fixes​

Security​

Lifecycle​

Compliance​

Required Permissions​

For Scanning​

For Remediation​

Example ChangeSet​

Configuration Options​

Rollback Capability​

Best Practices​

What SmartSRE Scans

Findings

Critical

Medium-Priority

Available Fixes

Security

Lifecycle

Compliance

Required Permissions

For Scanning

For Remediation

Example ChangeSet

Configuration Options

Rollback Capability

Best Practices