---
title: Cloud storage bucket logging not enabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# Cloud storage bucket logging not enabled

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-gcp-cloud-storage-bucket-logging-not-enabled` 

**Provider:** GCP

**Platform:** Ansible

**Severity:** Medium

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-logging)

### Description{% #description %}

Cloud Storage buckets must have access logging enabled to provide audit trails for object access and modifications. This is critical for detecting and investigating unauthorized access, data exfiltration, and operational incidents.

For Ansible tasks using the `google.cloud.gcp_storage_bucket` or `gcp_storage_bucket` modules, the `logging` property must be defined. It should specify `log_bucket` (the destination bucket for logs) and may include `log_object_prefix` to organize log objects.

Resources missing the `logging` property are flagged. Ensure the designated log bucket exists and has the necessary IAM permissions so logs can be written and retained according to your retention and compliance requirements.

Secure example (Ansible task):

```yaml
- name: Create GCS bucket with access logging enabled
  google.cloud.gcp_storage_bucket:
    name: my-data-bucket
    # The module's logging suboptions are snake_case: log_bucket, log_object_prefix
    logging:
      log_bucket: my-logs-bucket
      log_object_prefix: access-logs/
```
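The check described above can be reproduced locally, for example in a pre-commit hook. The following is an added example, not Datadog's rule implementation: it takes the structure a YAML parser such as `yaml.safe_load` returns for a playbook or task file, and the names `find_unlogged_buckets`, `iter_tasks` and `SAMPLE` are hypothetical. As an assumption that goes beyond the rule text, it also flags a `logging` block that has no `log_bucket`.

```python
"""Flag gcp_storage_bucket tasks that lack a usable `logging` block (added example)."""

BUCKET_MODULES = {"google.cloud.gcp_storage_bucket", "gcp_storage_bucket"}
TASK_LISTS = ("tasks", "pre_tasks", "post_tasks", "handlers")  # keys of a play
NESTED = ("block", "rescue", "always")                         # keys of a block


def iter_tasks(node):
    """Yield every task dict, descending into plays and block/rescue/always."""
    for item in node or []:
        if not isinstance(item, dict):
            continue
        containers = [k for k in TASK_LISTS + NESTED if k in item]
        if containers:
            for key in containers:
                yield from iter_tasks(item[key])
        else:
            yield item


def find_unlogged_buckets(parsed):
    """Return the names of bucket tasks with no `logging.log_bucket` set."""
    findings = []
    for task in iter_tasks(parsed):
        for module in BUCKET_MODULES & task.keys():
            args = task[module] if isinstance(task[module], dict) else {}
            logging = args.get("logging")
            # Assumption of this example: an empty `logging` or one without
            # log_bucket is flagged too, which is stricter than the rule text.
            if not isinstance(logging, dict) or not logging.get("log_bucket"):
                findings.append(task.get("name", args.get("name", "<unnamed>")))
    return findings


# Constructed sample: the parsed form of a small playbook.
SAMPLE = [{"hosts": "localhost", "tasks": [
    {"name": "bucket with logging",
     "google.cloud.gcp_storage_bucket": {
         "name": "data-a",
         "logging": {"log_bucket": "logs", "log_object_prefix": "a/"}}},
    {"name": "bucket without logging",
     "gcp_storage_bucket": {"name": "data-b", "state": "present"}},
    {"block": [{"name": "nested bucket, empty logging",
                "google.cloud.gcp_storage_bucket": {"name": "data-c", "logging": {}}}]},
]}]

if __name__ == "__main__":
    for name in find_unlogged_buckets(SAMPLE):
        print("logging not enabled:", name)
```
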

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create a bucket
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    logging:
      log_bucket: a_bucket_for_logs
      log_object_prefix: log
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: create a bucket
  google.cloud.gcp_storage_bucket:
    name: ansible-storage-module
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```
