feat(compliance): add DORA compliance framework for GCP (#11642)
@@ -31,6 +31,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- `entra_directory_sync_object_takeover_blocked` check for the M365 provider, verifying that hybrid Entra tenants block cloud object takeover through both soft-match and hard-match directory synchronization [(#11098)](https://github.com/prowler-cloud/prowler/pull/11098)
|
||||
- `entra_conditional_access_policy_no_deleted_object_references` check for M365 provider [(#11236)](https://github.com/prowler-cloud/prowler/pull/11236)
|
||||
- `aks_cluster_defender_enabled` check for Azure provider, verifying that AKS clusters have Microsoft Defender security monitoring enabled [(#11028)](https://github.com/prowler-cloud/prowler/pull/11028)
|
||||
- DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) compliance coverage for the GCP provider, mapping existing GCP checks across the five DORA pillars [(#11642)](https://github.com/prowler-cloud/prowler/pull/11642)
|
||||
|
||||
|
||||
### 🔄 Changed
|
||||
|
||||
|
||||
@@ -130,6 +130,20 @@
|
||||
"iam_subscription_roles_owner_custom_not_created",
|
||||
"iam_role_user_access_admin_restricted",
|
||||
"iam_custom_role_has_permissions_to_administer_resource_locks"
|
||||
],
|
||||
"gcp": [
|
||||
"compute_project_os_login_enabled",
|
||||
"compute_project_os_login_2fa_enabled",
|
||||
"iam_no_service_roles_at_project_level",
|
||||
"iam_sa_no_administrative_privileges",
|
||||
"iam_role_kms_enforce_separation_of_duties",
|
||||
"iam_role_sa_enforce_separation_of_duties",
|
||||
"iam_organization_essential_contacts_configured",
|
||||
"iam_account_access_approval_enabled",
|
||||
"iam_service_account_unused",
|
||||
"compute_instance_default_service_account_in_use",
|
||||
"compute_instance_default_service_account_in_use_with_full_api_access",
|
||||
"gke_cluster_no_default_service_account"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -170,6 +184,14 @@
|
||||
"defender_ensure_wdatp_is_enabled",
|
||||
"defender_auto_provisioning_log_analytics_agent_vms_on",
|
||||
"policy_ensure_asc_enforcement_enabled"
|
||||
],
|
||||
"gcp": [
|
||||
"iam_cloud_asset_inventory_enabled",
|
||||
"iam_audit_logs_enabled",
|
||||
"logging_sink_created",
|
||||
"gcr_container_scanning_enabled",
|
||||
"artifacts_container_analysis_enabled",
|
||||
"iam_organization_essential_contacts_configured"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -217,6 +239,22 @@
|
||||
"keyvault_key_rotation_enabled",
|
||||
"storage_key_rotation_90_days",
|
||||
"aks_network_policy_enabled"
|
||||
],
|
||||
"gcp": [
|
||||
"cloudsql_instance_ssl_connections",
|
||||
"compute_instance_encryption_with_csek_enabled",
|
||||
"compute_instance_confidential_computing_enabled",
|
||||
"bigquery_dataset_cmk_encryption",
|
||||
"bigquery_table_cmk_encryption",
|
||||
"dataproc_encrypted_with_cmks_disabled",
|
||||
"kms_key_rotation_enabled",
|
||||
"kms_key_rotation_max_90_days",
|
||||
"dns_dnssec_disabled",
|
||||
"dns_rsasha1_in_use_to_key_sign_in_dnssec",
|
||||
"dns_rsasha1_in_use_to_zone_sign_in_dnssec",
|
||||
"compute_network_not_legacy",
|
||||
"compute_network_default_in_use",
|
||||
"compute_instance_single_network_interface"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -245,6 +283,14 @@
|
||||
"network_watcher_enabled",
|
||||
"network_public_ip_shodan",
|
||||
"vm_scaleset_not_empty"
|
||||
],
|
||||
"gcp": [
|
||||
"iam_cloud_asset_inventory_enabled",
|
||||
"iam_service_account_unused",
|
||||
"iam_sa_user_managed_key_unused",
|
||||
"apikeys_key_exists",
|
||||
"compute_instance_suspended_without_persistent_disks",
|
||||
"compute_public_address_shodan"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -329,6 +375,45 @@
|
||||
"network_http_internet_access_restricted",
|
||||
"network_udp_internet_access_restricted",
|
||||
"network_bastion_host_exists"
|
||||
],
|
||||
"gcp": [
|
||||
"kms_key_not_publicly_accessible",
|
||||
"bigquery_dataset_public_access",
|
||||
"bigquery_dataset_cmk_encryption",
|
||||
"bigquery_table_cmk_encryption",
|
||||
"cloudstorage_bucket_public_access",
|
||||
"cloudstorage_bucket_uniform_bucket_level_access",
|
||||
"cloudstorage_uses_vpc_service_controls",
|
||||
"cloudsql_instance_public_access",
|
||||
"cloudsql_instance_public_ip",
|
||||
"cloudsql_instance_private_ip_assignment",
|
||||
"cloudsql_instance_ssl_connections",
|
||||
"cloudsql_instance_cmek_encryption_enabled",
|
||||
"compute_firewall_ssh_access_from_the_internet_allowed",
|
||||
"compute_firewall_rdp_access_from_the_internet_allowed",
|
||||
"compute_instance_public_ip",
|
||||
"compute_instance_shielded_vm_enabled",
|
||||
"compute_instance_confidential_computing_enabled",
|
||||
"compute_instance_serial_ports_in_use",
|
||||
"compute_instance_block_project_wide_ssh_keys_disabled",
|
||||
"compute_instance_ip_forwarding_is_enabled",
|
||||
"compute_instance_encryption_with_csek_enabled",
|
||||
"compute_image_not_publicly_shared",
|
||||
"dataproc_encrypted_with_cmks_disabled",
|
||||
"kms_key_rotation_enabled",
|
||||
"gke_cluster_no_default_service_account",
|
||||
"cloudfunction_function_inside_vpc",
|
||||
"apikeys_api_restrictions_configured",
|
||||
"apikeys_api_restricted_with_gemini_api",
|
||||
"cloudsql_instance_mysql_local_infile_flag",
|
||||
"cloudsql_instance_mysql_skip_show_database_flag",
|
||||
"cloudsql_instance_sqlserver_contained_database_authentication_flag",
|
||||
"cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag",
|
||||
"cloudsql_instance_sqlserver_external_scripts_enabled_flag",
|
||||
"cloudsql_instance_sqlserver_remote_access_flag",
|
||||
"cloudsql_instance_sqlserver_trace_flag",
|
||||
"cloudsql_instance_sqlserver_user_connections_flag",
|
||||
"cloudsql_instance_sqlserver_user_options_flag"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -375,6 +460,16 @@
|
||||
"defender_container_images_resolved_vulnerabilities",
|
||||
"sqlserver_microsoft_defender_enabled",
|
||||
"apim_threat_detection_llm_jacking"
|
||||
],
|
||||
"gcp": [
|
||||
"compute_public_address_shodan",
|
||||
"gcr_container_scanning_enabled",
|
||||
"artifacts_container_analysis_enabled",
|
||||
"compute_subnet_flow_logs_enabled",
|
||||
"compute_network_dns_logging_enabled",
|
||||
"cloudstorage_bucket_logging_enabled",
|
||||
"compute_loadbalancer_logging_enabled",
|
||||
"logging_sink_created"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -408,6 +503,16 @@
|
||||
"defender_attack_path_notifications_properly_configured",
|
||||
"vm_backup_enabled",
|
||||
"vm_sufficient_daily_backup_retention_period"
|
||||
],
|
||||
"gcp": [
|
||||
"compute_instance_automatic_restart_enabled",
|
||||
"compute_instance_group_autohealing_enabled",
|
||||
"compute_instance_on_host_maintenance_migrate",
|
||||
"cloudsql_instance_high_availability_enabled",
|
||||
"cloudsql_instance_automated_backups",
|
||||
"compute_instance_deletion_protection_enabled",
|
||||
"compute_instance_group_load_balancer_attached",
|
||||
"compute_instance_preemptible_vm_disabled"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -459,6 +564,19 @@
|
||||
"storage_blob_versioning_is_enabled",
|
||||
"storage_geo_redundant_enabled",
|
||||
"keyvault_recoverable"
|
||||
],
|
||||
"gcp": [
|
||||
"cloudsql_instance_automated_backups",
|
||||
"cloudsql_instance_high_availability_enabled",
|
||||
"cloudstorage_bucket_versioning_enabled",
|
||||
"cloudstorage_bucket_soft_delete_enabled",
|
||||
"cloudstorage_bucket_lifecycle_management_enabled",
|
||||
"cloudstorage_bucket_sufficient_retention_period",
|
||||
"compute_instance_group_multiple_zones",
|
||||
"compute_instance_disk_auto_delete_disabled",
|
||||
"compute_instance_deletion_protection_enabled",
|
||||
"compute_snapshot_not_outdated",
|
||||
"compute_instance_suspended_without_persistent_disks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -488,6 +606,12 @@
|
||||
"sqlserver_vulnerability_assessment_enabled",
|
||||
"sqlserver_va_periodic_recurring_scans_enabled",
|
||||
"sqlserver_va_scan_reports_configured"
|
||||
],
|
||||
"gcp": [
|
||||
"gcr_container_scanning_enabled",
|
||||
"artifacts_container_analysis_enabled",
|
||||
"iam_cloud_asset_inventory_enabled",
|
||||
"logging_sink_created"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -517,6 +641,12 @@
|
||||
"defender_ensure_notify_alerts_severity_is_high",
|
||||
"defender_attack_path_notifications_properly_configured",
|
||||
"monitor_alert_service_health_exists"
|
||||
],
|
||||
"gcp": [
|
||||
"iam_organization_essential_contacts_configured",
|
||||
"logging_sink_created",
|
||||
"logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -573,6 +703,25 @@
|
||||
"app_http_logs_enabled",
|
||||
"app_function_application_insights_enabled",
|
||||
"appinsights_ensure_is_configured"
|
||||
],
|
||||
"gcp": [
|
||||
"iam_audit_logs_enabled",
|
||||
"cloudstorage_audit_logs_enabled",
|
||||
"logging_sink_created",
|
||||
"cloudstorage_bucket_logging_enabled",
|
||||
"cloudstorage_bucket_log_retention_policy_lock",
|
||||
"cloudstorage_bucket_sufficient_retention_period",
|
||||
"compute_subnet_flow_logs_enabled",
|
||||
"compute_network_dns_logging_enabled",
|
||||
"compute_loadbalancer_logging_enabled",
|
||||
"cloudsql_instance_postgres_enable_pgaudit_flag",
|
||||
"cloudsql_instance_postgres_log_connections_flag",
|
||||
"cloudsql_instance_postgres_log_disconnections_flag",
|
||||
"cloudsql_instance_postgres_log_statement_flag",
|
||||
"cloudsql_instance_postgres_log_min_messages_flag",
|
||||
"cloudsql_instance_postgres_log_error_verbosity_flag",
|
||||
"cloudsql_instance_postgres_log_min_error_statement_flag",
|
||||
"cloudsql_instance_postgres_log_min_duration_statement_flag"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -605,6 +754,13 @@
|
||||
"defender_ensure_mcas_is_enabled",
|
||||
"sqlserver_microsoft_defender_enabled",
|
||||
"apim_threat_detection_llm_jacking"
|
||||
],
|
||||
"gcp": [
|
||||
"gcr_container_scanning_enabled",
|
||||
"artifacts_container_analysis_enabled",
|
||||
"compute_public_address_shodan",
|
||||
"iam_cloud_asset_inventory_enabled",
|
||||
"iam_audit_logs_enabled"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -649,6 +805,19 @@
|
||||
"monitor_alert_delete_public_ip_address_rule",
|
||||
"monitor_alert_service_health_exists",
|
||||
"defender_additional_email_configured_with_a_security_contact"
|
||||
],
|
||||
"gcp": [
|
||||
"logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_compute_configuration_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled",
|
||||
"iam_organization_essential_contacts_configured",
|
||||
"logging_sink_created"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -679,6 +848,13 @@
|
||||
"sqlserver_va_periodic_recurring_scans_enabled",
|
||||
"vm_ensure_using_approved_images",
|
||||
"vm_desired_sku_size"
|
||||
],
|
||||
"gcp": [
|
||||
"gcr_container_scanning_enabled",
|
||||
"artifacts_container_analysis_enabled",
|
||||
"compute_instance_shielded_vm_enabled",
|
||||
"compute_snapshot_not_outdated",
|
||||
"compute_public_address_shodan"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -723,6 +899,16 @@
|
||||
"app_ensure_python_version_is_latest",
|
||||
"app_function_latest_runtime_version",
|
||||
"storage_smb_protocol_version_is_latest"
|
||||
],
|
||||
"gcp": [
|
||||
"gcr_container_scanning_enabled",
|
||||
"artifacts_container_analysis_enabled",
|
||||
"compute_snapshot_not_outdated",
|
||||
"compute_network_not_legacy",
|
||||
"dns_rsasha1_in_use_to_key_sign_in_dnssec",
|
||||
"dns_rsasha1_in_use_to_zone_sign_in_dnssec",
|
||||
"apikeys_key_rotated_in_90_days",
|
||||
"iam_sa_user_managed_key_rotate_90_days"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -765,6 +951,20 @@
|
||||
"cosmosdb_account_use_private_endpoints",
|
||||
"keyvault_access_only_through_private_endpoints",
|
||||
"aks_clusters_created_with_private_nodes"
|
||||
],
|
||||
"gcp": [
|
||||
"bigquery_dataset_public_access",
|
||||
"cloudstorage_bucket_public_access",
|
||||
"kms_key_not_publicly_accessible",
|
||||
"cloudstorage_uses_vpc_service_controls",
|
||||
"cloudfunction_function_inside_vpc",
|
||||
"iam_sa_no_user_managed_keys",
|
||||
"iam_sa_no_administrative_privileges",
|
||||
"iam_no_service_roles_at_project_level",
|
||||
"apikeys_api_restrictions_configured",
|
||||
"apikeys_api_restricted_with_gemini_api",
|
||||
"compute_image_not_publicly_shared",
|
||||
"iam_cloud_asset_inventory_enabled"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -804,6 +1004,18 @@
|
||||
"app_function_identity_without_admin_privileges",
|
||||
"entra_policy_default_users_cannot_create_security_groups",
|
||||
"entra_policy_ensure_default_user_cannot_create_apps"
|
||||
],
|
||||
"gcp": [
|
||||
"iam_sa_no_administrative_privileges",
|
||||
"iam_no_service_roles_at_project_level",
|
||||
"iam_role_kms_enforce_separation_of_duties",
|
||||
"iam_role_sa_enforce_separation_of_duties",
|
||||
"iam_sa_no_user_managed_keys",
|
||||
"compute_instance_default_service_account_in_use",
|
||||
"compute_instance_default_service_account_in_use_with_full_api_access",
|
||||
"gke_cluster_no_default_service_account",
|
||||
"iam_account_access_approval_enabled",
|
||||
"apikeys_api_restrictions_configured"
|
||||
]
|
||||
}
|
||||
},
|
||||
@@ -835,6 +1047,14 @@
|
||||
"defender_attack_path_notifications_properly_configured",
|
||||
"sqlserver_microsoft_defender_enabled",
|
||||
"apim_threat_detection_llm_jacking"
|
||||
],
|
||||
"gcp": [
|
||||
"iam_cloud_asset_inventory_enabled",
|
||||
"iam_audit_logs_enabled",
|
||||
"gcr_container_scanning_enabled",
|
||||
"artifacts_container_analysis_enabled",
|
||||
"compute_public_address_shodan",
|
||||
"logging_sink_created"
|
||||
]
|
||||
}
|
||||
}
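Review bot: Nothing in these hunks ties each new `gcp` check ID to a check that actually exists in the provider, so a misspelled entry (any of the long `cloudsql_instance_sqlserver_*_flag` or `iam_sa_user_managed_key_*` IDs, for example) would silently map to nothing and the affected DORA requirement would report as uncovered rather than as a failure; if the repository's compliance tests do not already assert that every listed ID resolves to a loaded GCP check, that assertion should land with this framework. Separately, `compute_public_address_shodan` is mapped into several requirements (the hunks at `@@ -245`, `@@ -375`, `@@ -605`, `@@ -679` and `@@ -835`); as far as I recall it depends on a Shodan API key in the audit config and yields no findings without one, so those requirements would look clean in a default scan, which is worth stating in the framework's description or the docs as conditional coverage. The file header for this section is not visible, so I am assuming all of these hunks belong to the same compliance mapping file.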
|
||||
|
||||