Cloud Storage Best Practices

This lesson brings together the key best practices for using Cloud Storage in production. Following these guidelines will help you build secure, cost-efficient, reliable, and well-managed object storage architectures on Google Cloud.

---

Security Best Practices

Enable Uniform Bucket-Level Access

Disable ACLs and use IAM only for all new buckets. This simplifies access management and makes it easier to audit:

gcloud storage buckets update gs://my-bucket --uniform-bucket-level-access

Enforce Public Access Prevention

Unless your bucket specifically needs to serve public content, enforce public access prevention:

gcloud storage buckets update gs://my-bucket --public-access-prevention

Use Least-Privilege IAM Roles

Grant the most restrictive role that meets the need:

Need	Role
Read objects	roles/storage.objectViewer
Upload objects	roles/storage.objectCreator
Read + write + delete objects	roles/storage.objectAdmin
Full bucket management	roles/storage.admin

Use Service Accounts for Applications

Never embed user credentials in application code. Use attached service accounts on GCP resources (VMs, Cloud Functions, Cloud Run) and Workload Identity Federation for external systems.

Encrypt with Customer-Managed Keys (CMEK) for Sensitive Data

gcloud storage buckets update gs://sensitive-bucket \
  --default-encryption-key=projects/my-project/locations/europe-west2/keyRings/my-ring/cryptoKeys/my-key

Enable Data Access Audit Logs

For sensitive buckets, enable Data Access logs to track who accessed which objects:

# Configure in IAM policy audit config
# resource: storage.googleapis.com
# logTypes: DATA_READ, DATA_WRITE

---

Cost Optimisation Best Practices

Choose the Right Storage Class

Data Type	Recommended Class
Frequently accessed	Standard
Monthly access	Nearline
Quarterly access	Coldline
Annual or less	Archive
Unpredictable	Autoclass

Use Lifecycle Rules

Automate transitions to cheaper classes and delete expired data:

{
  "lifecycle": {
    "rule": [
      { "action": { "type": "SetStorageClass", "storageClass": "NEARLINE" }, "condition": { "age": 30 } },
      { "action": { "type": "SetStorageClass", "storageClass": "COLDLINE" }, "condition": { "age": 90 } },
      { "action": { "type": "SetStorageClass", "storageClass": "ARCHIVE" }, "condition": { "age": 365 } },
      { "action": { "type": "Delete" }, "condition": { "age": 2555 } }
    ]
  }
}

Colocate Storage and Compute

Place buckets in the same region as the VMs, Cloud Functions, or GKE clusters that access them. This eliminates cross-region egress charges and reduces latency.

Clean Up Non-Current Versions

If versioning is enabled, add lifecycle rules to limit the number and age of non-current versions:

{
  "action": { "type": "Delete" },
  "condition": { "numNewerVersions": 3, "isLive": false }
}

Monitor Costs with Labels

Apply labels to buckets for cost attribution:

gcloud storage buckets update gs://my-bucket \
  --update-labels=team=data-eng,env=production,project=analytics

Export billing data to BigQuery for detailed analysis.

Use Cloud CDN for Public Content

If you serve static assets to a global audience, place Cloud CDN in front of your Cloud Storage bucket to cache content at edge locations and reduce egress costs:

# Set up Cloud CDN with a backend bucket
gcloud compute backend-buckets create static-assets \
  --gcs-bucket-name=my-public-bucket \
  --enable-cdn

---

Reliability Best Practices

Choose the Right Location

Requirement	Location Type
Lowest latency, lowest cost	Region
High availability with geo-redundancy	Multi-region
Compliance (data must stay in specific countries)	Dual-region (e.g., eur4)

Enable Versioning for Critical Data

Protect against accidental deletion and overwrites:

gsutil versioning set on gs://critical-data-bucket

Use Retention Policies for Compliance Data