Reputation: 323
How can I prevent the accidental deletion of a bucket? I've enabled versioning to prevent the accidental deletion of objects, but if someone just deletes the whole bucket, my data is down the drain, right? I've read up on the retention policy and locking it, but then I would need to disable object versioning. I could implement the following:
Any other options that I could implement?
Thanks
Christian
Upvotes: 3
Views: 4466
Reputation: 323
The solution to my problem was to implement a deny policy and deny the storage.buckets.delete permission for the whole project. See also https://cloud.google.com/iam/docs/deny-overview.
Upvotes: 3
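A sketch of the deny-policy approach from the answer above, added here as an example and not taken from the poster's own setup. The project ID, policy ID and break-glass group are placeholders and assumptions; note that deny policies name the permission in the form storage.googleapis.com/buckets.delete.

```shell
#!/usr/bin/env bash
# Added example: project-wide IAM deny policy that blocks bucket deletion.
# The group address, project ID and policy ID are placeholders (assumptions).

# Write the deny policy JSON.
#   $1 = output file
#   $2 = e-mail of a break-glass group that stays exempt (assumption; the
#        answer does not mention any exemption)
write_deny_policy() {
  cat > "$1" <<EOF
{
  "displayName": "Deny Cloud Storage bucket deletion",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": ["principalSet://goog/public:all"],
        "exceptionPrincipals": ["principalSet://goog/group/$2"],
        "deniedPermissions": ["storage.googleapis.com/buckets.delete"]
      }
    }
  ]
}
EOF
}

# Attach the policy at project level so it covers every bucket in the project.
#   $1 = project ID, $2 = policy ID, $3 = policy file
attach_deny_policy() {
  gcloud iam policies create "$2" \
    --attachment-point="cloudresourcemanager.googleapis.com/projects/$1" \
    --kind=denypolicies \
    --policy-file="$3"
}

# Typical use (not executed by this file):
#   write_deny_policy deny-bucket-delete.json break-glass@example.com
#   attach_deny_policy PROJECT_ID deny-bucket-delete deny-bucket-delete.json
```

Deny rules are evaluated before allow policies, so a principal that holds Storage Admin or Owner is still blocked unless it is listed under exceptionPrincipals.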
Reputation: 81414
Add a Retention Policy to the bucket and then lock the retention policy. This prevents a bucket from being deleted until all objects have exceeded the retention period.
Retention policies and retention policy locks
You can add a retention policy to a bucket to specify a retention period.
If a bucket does not have a retention policy, you can delete or replace objects in the bucket at any time.
If a bucket has a retention policy, objects in the bucket can only be deleted or replaced once their age is greater than the retention period.
A retention policy retroactively applies to existing objects in the bucket as well as new objects added to the bucket.
You can lock a retention policy to permanently set it on the bucket.
Once you lock a retention policy, you cannot remove it or reduce the retention period it has.
You cannot delete a bucket with a locked retention policy unless every object in the bucket has met the retention period.
You can increase the retention period of a locked retention policy.
Locking a retention policy can help your data comply with record retention regulations.
Upvotes: 4