mirror of https://github.com/prowler-cloud/prowler.git, synced 2026-03-22 03:08:23 +00:00
chore(gcp): enhance metadata for cloudstorage service (#9640)
Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
committed by GitHub
parent ceb4691c36
commit 3defbcd386
@@ -24,6 +24,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Parallelize Cloudflare zone API calls with threading to improve scan performance [(#9982)](https://github.com/prowler-cloud/prowler/pull/9982)
- Update GCP API Keys service metadata to new format [(#9637)](https://github.com/prowler-cloud/prowler/pull/9637)
- Update GCP BigQuery service metadata to new format [(#9638)](https://github.com/prowler-cloud/prowler/pull/9638)
- Update GCP Cloud Storage service metadata to new format [(#9640)](https://github.com/prowler-cloud/prowler/pull/9640)

### 🔐 Security
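Review bot: the changelog entry for #9640 says only "metadata to new format", but the hunks below also change severities (lifecycle management `medium` → `low`, log retention policy lock `medium` → `high`, public access `high` → `critical`) and add `Categories`; those alter user-facing reports and compliance mappings, so name them in the entry, e.g. "Update GCP Cloud Storage service metadata to new format and adjust severities/categories".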
@@ -13,7 +13,7 @@
"Risk": "Without Data Access audit logs, you cannot track who accessed or modified objects in your Cloud Storage buckets, making it difficult to detect unauthorized access, data exfiltration, or compliance violations.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-data-access-audit-logs.html",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/enable-data-access-audit-logs.html",
"https://cloud.google.com/storage/docs/audit-logging"
],
"Remediation": {
||||
@@ -1,30 +1,32 @@
{
"Provider": "gcp",
"CheckID": "cloudstorage_bucket_lifecycle_management_enabled",
"CheckTitle": "Cloud Storage buckets have lifecycle management enabled",
"CheckTitle": "Cloud Storage bucket has lifecycle management enabled with at least one valid rule",
"CheckType": [],
"ServiceName": "cloudstorage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"Severity": "low",
"ResourceType": "storage.googleapis.com/Bucket",
"ResourceGroup": "storage",
"Description": "**Google Cloud Storage buckets** are evaluated for the presence of **lifecycle management** with at least one valid rule (supported action and non-empty condition) to automatically transition or delete objects and optimize storage costs.",
"Risk": "Buckets without lifecycle rules can accumulate stale data, increase storage costs, and fail to meet data retention and internal compliance requirements.",
"Description": "**Cloud Storage buckets** use **Object Lifecycle Management** with at least one valid rule (supported `action` and non-empty `condition`) to automatically transition storage class or delete objects.",
"Risk": "Without lifecycle rules, data and object versions persist indefinitely, expanding the attack surface and hindering mandated erasure. Stale data amplifies exfiltration impact (**confidentiality**) and complicates **integrity** controls, while also driving avoidable cost and retention noncompliance.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-lifecycle-management.html",
"https://cloud.google.com/storage/docs/lifecycle"
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/enable-lifecycle-management.html",
"https://docs.cloud.google.com/storage/docs/managing-lifecycles",
"https://docs.cloud.google.com/storage/docs/lifecycle",
"https://docs.cloud.google.com/storage/docs/samples/storage-enable-bucket-lifecycle-management"
],
"Remediation": {
"Code": {
"CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --lifecycle-file=<PATH_TO_JSON>",
"NativeIaC": "",
"Other": "1) Open Google Cloud Console → Storage → Buckets → <BUCKET_NAME>\n2) Tab 'Lifecycle'\n3) Add rule(s) to delete or transition objects (e.g., delete after 365 days; transition STANDARD→NEARLINE after 90 days)\n4) Save",
"Terraform": "```hcl\n# Example: enable lifecycle to transition and delete objects\nresource \"google_storage_bucket\" \"example\" {\n name = var.bucket_name\n location = var.location\n\n # Transition STANDARD → NEARLINE after 90 days\n lifecycle_rule {\n action {\n type = \"SetStorageClass\"\n storage_class = \"NEARLINE\"\n }\n condition {\n age = 90\n matches_storage_class = [\"STANDARD\"]\n }\n }\n\n # Delete objects after 365 days\n lifecycle_rule {\n action {\n type = \"Delete\"\n }\n condition {\n age = 365\n }\n }\n}\n```"
"Other": "1. In Google Cloud Console, go to Storage > Buckets and open <BUCKET_NAME>\n2. Click the Lifecycle tab\n3. Click Add a rule\n4. Action: Delete\n5. Condition: Age = 1 day\n6. Click Create/Save",
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"US\"\n\n # Critical: add at least one lifecycle rule with a condition to pass the check\n lifecycle_rule {\n action { type = \"Delete\" } # Critical: defines a supported action\n condition { age = 1 } # Critical: ensures the rule has a valid condition\n }\n}\n```"
},
"Recommendation": {
"Text": "Configure lifecycle rules to automatically delete stale objects or transition them to colder storage classes according to your organization's retention and cost-optimization policy.",
"Text": "Define lifecycle policies by data classification to enforce **least data retention**. Use `Delete` for TTL/age and `SetStorageClass` for archival, with version-aware conditions like `isLive=false` or `numNewerVersions`. Test on a limited dataset, review regularly, and align with **defense in depth**.",
"Url": "https://hub.prowler.com/check/cloudstorage_bucket_lifecycle_management_enabled"
}
},
||||
@@ -1,33 +1,40 @@
{
"Provider": "gcp",
"CheckID": "cloudstorage_bucket_log_retention_policy_lock",
"CheckTitle": "Cloud Storage log bucket has a Retention Policy with Bucket Lock enabled",
"CheckTitle": "Cloud Storage log sink bucket has a retention policy with Bucket Lock enabled",
"CheckType": [],
"ServiceName": "cloudstorage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"Severity": "high",
"ResourceType": "storage.googleapis.com/Bucket",
"ResourceGroup": "storage",
"Description": "**Google Cloud Storage buckets** used as **log sinks** are evaluated to ensure that a **Retention Policy** is configured and **Bucket Lock** is enabled. Enabling Bucket Lock permanently prevents the retention policy from being reduced or removed, protecting logs from modification or deletion.",
"Risk": "Log sink buckets without a locked retention policy are at risk of log tampering or accidental deletion. Without Bucket Lock, an attacker or user could remove or shorten the retention policy, compromising the integrity of audit logs required for forensics and compliance investigations.",
"Description": "**Cloud Storage log sink buckets** have a configured **retention period** with **Bucket Lock** applied, ensuring the retention policy cannot be shortened or removed.",
"Risk": "Without a locked retention policy, exported logs can be deleted early or retention reduced, undermining log **integrity** and **availability**. An attacker or malicious insider could purge evidence to evade detection, hindering **forensics** and weakening **non-repudiation** across the environment.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/retention-policies-with-bucket-lock.html"
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/retention-policies-with-bucket-lock.html",
"https://docs.cloud.google.com/storage/docs/bucket-lock",
"https://docs.cloud.google.com/storage/docs/using-bucket-lock",
"https://docs.cloud.google.com/storage/docs/samples/storage-lock-retention-policy",
"https://docs.cloud.google.com/logging/docs/export/configure_export_v2"
],
"Remediation": {
"Code": {
"CLI": "gcloud storage buckets lock-retention-policy gs://<LOG_BUCKET_NAME>",
"NativeIaC": "",
"Other": "1) Open Google Cloud Console → Storage → Buckets → <LOG_BUCKET_NAME>\n2) Go to the **Configuration** tab\n3) Under **Retention policy**, ensure a retention duration is set\n4) Click **Lock** to enable Bucket Lock and confirm the operation",
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"log_bucket\" {\n name = var.log_bucket_name\n location = var.location\n\n retention_policy {\n retention_period = 31536000 # 365 days in seconds\n is_locked = true\n }\n}\n```"
"Other": "1. In Google Cloud Console, go to Storage > Buckets and open the bucket used by your Logs Router sink\n2. Click the Configuration tab\n3. Under Retention policy, click Edit, set any required retention duration, and click Save\n4. Click Lock retention policy, type LOCK to confirm, and confirm to permanently lock it",
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<LOCATION>\"\n\n retention_policy {\n retention_period = 86400 # Required: enable a retention policy (1 day)\n is_locked = true # CRITICAL: locks the retention policy (Bucket Lock) to pass the check\n }\n}\n```"
},
"Recommendation": {
"Text": "Configure a retention policy and enable Bucket Lock on all Cloud Storage buckets used as log sinks to ensure log integrity and immutability.",
"Text": "Set a **retention policy** on every log sink bucket and enable **Bucket Lock**. Choose durations that meet investigative and regulatory needs. Enforce **least privilege** and **separation of duties** for bucket and logging administration, and apply **defense in depth** so no single actor can weaken log retention.",
"Url": "https://hub.prowler.com/check/cloudstorage_bucket_log_retention_policy_lock"
}
},
"Categories": [],
"Categories": [
"logging",
"forensics-ready"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
||||
@@ -13,7 +13,7 @@
"Risk": "Buckets without Usage and Storage Logs enabled lack visibility into access and storage activity, which increases the risk of undetected data exfiltration, misuse, or configuration errors.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-usage-and-storage-logs.html",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/enable-usage-and-storage-logs.html",
"https://cloud.google.com/storage/docs/access-logs"
],
"Remediation": {
||||
@@ -1,27 +1,34 @@
{
"Provider": "gcp",
"CheckID": "cloudstorage_bucket_public_access",
"CheckTitle": "Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible",
"CheckTitle": "Cloud Storage bucket is not publicly accessible",
"CheckType": [],
"ServiceName": "cloudstorage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Bucket",
"Severity": "critical",
"ResourceType": "storage.googleapis.com/Bucket",
"ResourceGroup": "storage",
"Description": "Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible",
"Risk": "Allowing anonymous or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.",
"RelatedUrl": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/publicly-accessible-storage-buckets.html",
"Description": "**Cloud Storage buckets** are assessed for **anonymous or public access** by detecting permissions granted to broad principals like `allUsers` or `allAuthenticatedUsers` that make bucket data reachable without authentication.",
"Risk": "**Public buckets** undermine **confidentiality** and **integrity**. Anyone can list or download objects; if write access exists, content can be overwritten or deleted. Abuse enables hotlinking and malware hosting, impacting **availability** and driving unexpected egress costs.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/publicly-accessible-storage-buckets.html",
"https://docs.cloud.google.com/storage/docs/public-access-prevention",
"https://docs.cloud.google.com/storage/docs/access-control/iam",
"https://docs.cloud.google.com/storage/docs/access-control/iam-reference",
"https://docs.cloud.google.com/storage/docs/using-uniform-bucket-level-access"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "gcloud storage buckets update gs://<example_resource_name> --public-access-prevention enforced",
"NativeIaC": "",
"Other": "https://docs.prowler.com/checks/gcp/google-cloud-public-policies/bc_gcp_public_1",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-public-policies/bc_gcp_public_1#terraform"
"Other": "1. In Google Cloud Console, go to Storage > Buckets and open <example_resource_name>\n2. Click the Permissions tab\n3. Set Public access prevention to Enforced\n4. Click Save",
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<LOCATION>\"\n\n public_access_prevention = \"enforced\" # Critical: blocks allUsers/allAuthenticatedUsers, making the bucket not publicly accessible\n}\n```"
},
"Recommendation": {
"Text": "It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.",
"Url": "https://cloud.google.com/storage/docs/access-control/iam-reference"
"Text": "Adopt **least privilege**: remove `allUsers`/`allAuthenticatedUsers` and grant only required identities. Enforce **Public Access Prevention** and use uniform bucket-level access. *If external sharing is needed*, issue **signed URLs** or use an authenticated proxy/CDN, and review permissions regularly.",
"Url": "https://hub.prowler.com/check/cloudstorage_bucket_public_access"
}
},
"Categories": [
||||
@@ -1,7 +1,7 @@
{
"Provider": "gcp",
"CheckID": "cloudstorage_bucket_soft_delete_enabled",
"CheckTitle": "Cloud Storage buckets have Soft Delete enabled",
"CheckTitle": "Cloud Storage bucket has Soft Delete enabled",
"CheckType": [],
"ServiceName": "cloudstorage",
"SubServiceName": "",
||||
@@ -9,22 +9,22 @@
"Severity": "medium",
"ResourceType": "storage.googleapis.com/Bucket",
"ResourceGroup": "storage",
"Description": "**Google Cloud Storage buckets** are evaluated to ensure that **Soft Delete** is enabled. Soft Delete helps protect data from accidental or malicious deletion by retaining deleted objects for a specified duration, allowing recovery within that retention window.",
"Risk": "Buckets without Soft Delete enabled are at higher risk of irreversible data loss caused by accidental or unauthorized deletions, since deleted objects cannot be recovered once removed.",
"Description": "**Google Cloud Storage buckets** are assessed for **Soft Delete** being enabled with a non-zero retention window, meaning deleted objects are temporarily preserved and can be restored until the window expires.",
"Risk": "**No Soft Delete** makes object deletions **immediate and irreversible**, undermining data **availability** and **integrity**. Accidental removal, compromised credentials, wiper malware, or misconfigured lifecycle rules can erase datasets with no recovery path, breaking RPO/RTO and legal retention expectations.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/storage/docs/soft-delete",
"https://cloud.google.com/blog/products/storage-data-transfer/understanding-cloud-storages-new-soft-delete-feature"
"https://docs.cloud.google.com/storage/docs/soft-delete",
"https://docs.cloud.google.com/storage/docs/use-soft-delete"
],
"Remediation": {
"Code": {
"CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --soft-delete-retention-duration=<SECONDS>",
"CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --soft-delete-duration=<SECONDS>",
"NativeIaC": "",
"Other": "1) Open Google Cloud Console → Storage → Buckets → <BUCKET_NAME>\n2) Tab 'Configuration'\n3) Under 'Soft Delete', click 'Enable Soft Delete'\n4) Set the desired retention duration and save changes",
"Terraform": "```hcl\n# Example: enable Soft Delete on a Cloud Storage bucket\nresource \"google_storage_bucket\" \"example\" {\n name = var.bucket_name\n location = var.location\n\n soft_delete_policy {\n retention_duration_seconds = 604800 # 7 days\n }\n}\n```"
"Other": "1. In Google Cloud Console, go to Storage > Buckets and open <BUCKET_NAME>\n2. Click the Configuration tab\n3. In the Soft Delete section, click Enable Soft Delete\n4. Set a retention duration > 0 and click Save",
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"<example_resource_name>\" {\n name = \"<example_resource_id>\"\n location = \"<LOCATION>\"\n\n soft_delete_policy {\n retention_duration_seconds = 604800 # Critical: >0 enables Soft Delete (7 days)\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable Soft Delete on Cloud Storage buckets to retain deleted objects for a defined period, improving data recoverability and resilience against accidental or malicious deletions.",
"Text": "Enable **Soft Delete** with a retention window aligned to your RPO/RTO. Apply **least privilege** for delete/undelete actions and use **defense in depth** with object versioning and retention policies. Monitor deletion events and regularly test restore procedures to ensure recoverability.",
"Url": "https://hub.prowler.com/check/cloudstorage_bucket_soft_delete_enabled"
}
},
||||
@@ -13,7 +13,7 @@
"Risk": "Insufficient or missing retention allows premature deletion or modification of objects, weakening data recovery and compliance with retention requirements.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/sufficient-retention-period.html"
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/sufficient-retention-period.html"
],
"Remediation": {
"Code": {
||||
@@ -1,30 +1,38 @@
{
"Provider": "gcp",
"CheckID": "cloudstorage_bucket_uniform_bucket_level_access",
"CheckTitle": "Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled",
"CheckTitle": "Cloud Storage bucket has uniform bucket-level access enabled",
"CheckType": [],
"ServiceName": "cloudstorage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Bucket",
"ResourceType": "storage.googleapis.com/Bucket",
"ResourceGroup": "storage",
"Description": "Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled",
"Risk": "Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible, no object in the bucket is publicly accessible either.",
"Description": "Cloud Storage buckets have **uniform bucket-level access (UBLA)** enabled so object permissions are controlled solely by **bucket-level IAM**, with object ACLs disabled.",
"Risk": "Without **UBLA**, object ACLs can bypass bucket IAM, enabling unintended public reads or unauthorized writes. This threatens **confidentiality** through data exposure, undermines **integrity** via object tampering, and reduces **auditability** with fragmented, hard-to-review permissions.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/enable-uniform-bucket-level-access.html",
"https://docs.cloud.google.com/storage/docs/using-uniform-bucket-level-access",
"https://docs.cloud.google.com/storage/docs/public-access-prevention",
"https://docs.cloud.google.com/storage/docs/access-control/iam"
],
"Remediation": {
"Code": {
"CLI": "gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/",
"CLI": "gcloud storage buckets update gs://<example_resource_name> --uniform-bucket-level-access",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-uniform-bucket-level-access.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-storage-gcs-policies/bc_gcp_gcs_2#terraform"
"Other": "1. In Google Cloud Console, go to Storage > Buckets\n2. Click the bucket name (<example_resource_name>)\n3. Open the Permissions tab (or Configuration if shown)\n4. In Access control, select Uniform and click Save",
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<LOCATION>\"\n\n uniform_bucket_level_access = true # Critical: enables UBLA so the bucket passes the check\n}\n```"
},
"Recommendation": {
"Text": "It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.",
"Url": "https://cloud.google.com/storage/docs/using-uniform-bucket-level-access"
"Text": "Enable **UBLA** on all buckets to centralize authorization and apply **least privilege** with IAM. Eliminate reliance on object ACLs; use **Public Access Prevention** and **organization policies** to enforce non-public defaults. Monitor access with logs and periodic reviews as part of **defense in depth**.",
"Url": "https://hub.prowler.com/check/cloudstorage_bucket_uniform_bucket_level_access"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
||||
@@ -1,7 +1,7 @@
{
"Provider": "gcp",
"CheckID": "cloudstorage_bucket_versioning_enabled",
"CheckTitle": "Cloud Storage buckets have Object Versioning enabled",
"CheckTitle": "Cloud Storage bucket has Object Versioning enabled",
"CheckType": [],
"ServiceName": "cloudstorage",
"SubServiceName": "",
||||
@@ -9,22 +9,25 @@
"Severity": "medium",
"ResourceType": "storage.googleapis.com/Bucket",
"ResourceGroup": "storage",
"Description": "**Google Cloud Storage buckets** are evaluated to ensure that **Object Versioning** is enabled. Object Versioning preserves older versions of objects, allowing data recovery, maintaining audit trails, and protecting against accidental deletions or overwrites.",
"Risk": "Buckets without Object Versioning enabled cannot recover previous object versions, which increases the risk of permanent data loss from accidental deletion or modification.",
"Description": "**Cloud Storage buckets** with **Object Versioning** keep prior object generations. The finding indicates whether the bucket's `versioning` setting is enabled.",
"Risk": "Without **Object Versioning**, deleted or overwritten objects can't be restored, reducing **availability** and **integrity**. Compromised credentials or faulty processes can irreversibly delete or corrupt data, enabling ransomware-style destruction, accidental loss, and weakening forensic reconstruction.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-versioning.html",
"https://cloud.google.com/storage/docs/object-versioning"
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/enable-versioning.html",
"https://docs.cloud.google.com/storage/docs/object-versioning",
"https://docs.cloud.google.com/storage/docs/using-object-versioning",
"https://docs.cloud.google.com/storage/docs/deleting-objects#restoring_noncurrent_versions",
"https://docs.cloud.google.com/storage/docs/lifecycle#delete"
],
"Remediation": {
"Code": {
"CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --versioning",
"NativeIaC": "",
"Other": "1) Open Google Cloud Console → Storage → Buckets → <BUCKET_NAME>\n2) Tab 'Configuration'\n3) Under 'Object versioning', click 'Enable Object Versioning'\n4) Save changes",
"Terraform": "```hcl\n# Example: enable Object Versioning on a Cloud Storage bucket\nresource \"google_storage_bucket\" \"example\" {\n name = var.bucket_name\n location = var.location\n\n versioning {\n enabled = true\n }\n}\n```"
"Other": "1. In Google Cloud Console, go to Storage > Buckets and open <BUCKET_NAME>\n2. Click the Configuration tab, then click Edit\n3. Set Object versioning to Enabled\n4. Click Save",
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<LOCATION>\"\n\n versioning { # Critical: enables Object Versioning\n enabled = true # This makes the check pass\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable Object Versioning on Cloud Storage buckets to preserve previous object versions and improve data recoverability and auditability.",
"Text": "Enable **Object Versioning** on buckets holding important data. Pair with `lifecycle` rules to expire noncurrent versions and control cost. Enforce **least privilege** for delete/overwrite actions, and add bucket `retention` policies or object holds for defense-in-depth and auditability.",
"Url": "https://hub.prowler.com/check/cloudstorage_bucket_versioning_enabled"
}
},
||||
@@ -13,7 +13,7 @@
"Risk": "Projects without VPC Service Controls protection for Cloud Storage may be vulnerable to unauthorized data access and exfiltration, even with proper IAM policies in place. VPC Service Controls provide an additional layer of network-level security that restricts API access based on the context of the request.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/use-vpc-service-controls.html",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/use-vpc-service-controls.html",
"https://cloud.google.com/vpc-service-controls/docs/create-service-perimeters"
],
"Remediation": {
||||