feat(gcp): add cloudstorage_bucket_logging_enabled check (#9091)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
2025-12-19 05:17:47 +00:00 · 2025-10-31 13:01:55 +01:00
parent 4b99c7b651
commit 4a364d91be
6 changed files with 279 additions and 0 deletions
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -9,6 +9,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Add OCI mapping to scan and check classes [(#8927)](https://github.com/prowler-cloud/prowler/pull/8927)
 - `codepipeline_project_repo_private` check for AWS provider [(#5915)](https://github.com/prowler-cloud/prowler/pull/5915)
 - `cloudstorage_bucket_versioning_enabled` check for GCP provider [(#9014)](https://github.com/prowler-cloud/prowler/pull/9014)
+- `cloudstorage_bucket_soft_delete_enabled` check for GCP provider [(#9028)](https://github.com/prowler-cloud/prowler/pull/9028)
+- `cloudstorage_bucket_logging_enabled` check for GCP provider [(#9091)](https://github.com/prowler-cloud/prowler/pull/9091)
 - C5 compliance framework for Azure provider [(#9081)](https://github.com/prowler-cloud/prowler/pull/9081)
 - C5 compliance framework for the GCP provider [(#9097)](https://github.com/prowler-cloud/prowler/pull/9097)

--- a/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/init.py
+++ b/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/init.py
--- a/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json
+++ b/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json
@@ -0,0 +1,36 @@
+{
+  "Provider": "gcp",
+  "CheckID": "cloudstorage_bucket_logging_enabled",
+  "CheckTitle": "Cloud Storage buckets have Usage and Storage Logs enabled",
+  "CheckType": [],
+  "ServiceName": "cloudstorage",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "storage.googleapis.com/Bucket",
+  "Description": "**Google Cloud Storage buckets** are evaluated to ensure that **Usage and Storage Logs** are enabled. Enabling these logs provides detailed visibility into access requests, usage patterns, and storage activity within each bucket.",
+  "Risk": "Buckets without Usage and Storage Logs enabled lack visibility into access and storage activity, which increases the risk of undetected data exfiltration, misuse, or configuration errors.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-usage-and-storage-logs.html",
+    "https://cloud.google.com/storage/docs/access-logs"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gsutil logging set on -b gs://<LOGGING_BUCKET> -o <LOG_OBJECT_PREFIX> gs://<BUCKET_NAME>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "```hcl\n# Example: enable Usage and Storage Logs on a Cloud Storage bucket\nresource \"google_storage_bucket\" \"example\" {\n  name     = var.bucket_name\n  location = var.location\n\n  logging {\n    log_bucket        = var.log_bucket_name\n    log_object_prefix = \"${var.bucket_name}/\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable Usage and Storage Logs for all Cloud Storage buckets to track access, detect anomalies, and maintain audit visibility of data operations.",
+      "Url": "https://hub.prowler.com/check/cloudstorage_bucket_logging_enabled"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Buckets missing the 'logging.logBucket' configuration are treated as having Usage and Storage Logs disabled. The 'logObjectPrefix' field is optional and defaults to the bucket name."
+}
--- a/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.py
+++ b/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.py
@@ -0,0 +1,40 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.cloudstorage.cloudstorage_client import (
+    cloudstorage_client,
+)
+
+
+class cloudstorage_bucket_logging_enabled(Check):
+    """
+    Ensure Cloud Storage buckets have Usage and Storage Logs enabled.
+
+    Reports PASS if a bucket has logging configured (logBucket defined),
+    otherwise FAIL.
+    """
+
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+
+        for bucket in cloudstorage_client.buckets:
+            report = Check_Report_GCP(metadata=self.metadata(), resource=bucket)
+            report.status = "FAIL"
+            report.status_extended = (
+                f"Bucket {bucket.name} does not have Usage and Storage Logs enabled."
+            )
+
+            if bucket.logging_bucket:
+                report.status = "PASS"
+                if bucket.logging_prefix:
+                    report.status_extended = (
+                        f"Bucket {bucket.name} has Usage and Storage Logs enabled. "
+                        f"Logs are stored in bucket '{bucket.logging_bucket}' with prefix '{bucket.logging_prefix}'."
+                    )
+                else:
+                    report.status_extended = (
+                        f"Bucket {bucket.name} has Usage and Storage Logs enabled. "
+                        f"Logs are stored in bucket '{bucket.logging_bucket}' with default prefix."
+                    )
+
+            findings.append(report)
+
+        return findings
--- a/prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py
+++ b/prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py
@@ -52,6 +52,10 @@ class CloudStorage(GCPService):
                            if retention and int(retention) > 0:
                                soft_delete_enabled = True

+                        logging_info = bucket.get("logging", {})
+                        logging_bucket = logging_info.get("logBucket")
+                        logging_prefix = logging_info.get("logObjectPrefix")
+
                        self.buckets.append(
                            Bucket(
                                name=bucket["name"],
@@ -66,6 +70,8 @@ class CloudStorage(GCPService):
                                lifecycle_rules=lifecycle_rules,
                                versioning_enabled=versioning_enabled,
                                soft_delete_enabled=soft_delete_enabled,
+                                logging_bucket=logging_bucket,
+                                logging_prefix=logging_prefix,
                            )
                        )

@@ -89,3 +95,5 @@ class Bucket(BaseModel):
    lifecycle_rules: Optional[list[dict]] = None
    versioning_enabled: Optional[bool] = False
    soft_delete_enabled: Optional[bool] = False
+    logging_bucket: Optional[str] = None
+    logging_prefix: Optional[str] = None
--- a/tests/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled_test.py
+++ b/tests/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled_test.py
@@ -0,0 +1,193 @@
+from unittest import mock
+
+from tests.providers.gcp.gcp_fixtures import (
+    GCP_PROJECT_ID,
+    GCP_US_CENTER1_LOCATION,
+    set_mocked_gcp_provider,
+)
+
+
+class TestCloudStorageBucketLoggingEnabled:
+    def test_no_buckets(self):
+        cloudstorage_client = mock.MagicMock()
+        cloudstorage_client.buckets = []
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_logging_enabled.cloudstorage_bucket_logging_enabled.cloudstorage_client",
+                new=cloudstorage_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_logging_enabled.cloudstorage_bucket_logging_enabled import (
+                cloudstorage_bucket_logging_enabled,
+            )
+
+            check = cloudstorage_bucket_logging_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_bucket_with_logging_disabled(self):
+        cloudstorage_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_logging_enabled.cloudstorage_bucket_logging_enabled.cloudstorage_client",
+                new=cloudstorage_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_logging_enabled.cloudstorage_bucket_logging_enabled import (
+                cloudstorage_bucket_logging_enabled,
+            )
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_service import (
+                Bucket,
+            )
+
+            cloudstorage_client.project_ids = [GCP_PROJECT_ID]
+            cloudstorage_client.region = GCP_US_CENTER1_LOCATION
+
+            cloudstorage_client.buckets = [
+                Bucket(
+                    name="logging-disabled",
+                    id="logging-disabled",
+                    region=GCP_US_CENTER1_LOCATION,
+                    uniform_bucket_level_access=True,
+                    public=False,
+                    retention_policy=None,
+                    project_id=GCP_PROJECT_ID,
+                    lifecycle_rules=[],
+                    versioning_enabled=True,
+                    soft_delete_enabled=True,
+                    logging_bucket=None,
+                    logging_prefix=None,
+                )
+            ]
+
+            check = cloudstorage_bucket_logging_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Bucket {cloudstorage_client.buckets[0].name} does not have Usage and Storage Logs enabled."
+            )
+            assert result[0].resource_id == "logging-disabled"
+            assert result[0].resource_name == "logging-disabled"
+            assert result[0].location == GCP_US_CENTER1_LOCATION
+            assert result[0].project_id == GCP_PROJECT_ID
+
+    def test_bucket_with_logging_enabled(self):
+        cloudstorage_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_logging_enabled.cloudstorage_bucket_logging_enabled.cloudstorage_client",
+                new=cloudstorage_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_logging_enabled.cloudstorage_bucket_logging_enabled import (
+                cloudstorage_bucket_logging_enabled,
+            )
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_service import (
+                Bucket,
+            )
+
+            cloudstorage_client.project_ids = [GCP_PROJECT_ID]
+            cloudstorage_client.region = GCP_US_CENTER1_LOCATION
+
+            cloudstorage_client.buckets = [
+                Bucket(
+                    name="logging-enabled",
+                    id="logging-enabled",
+                    region=GCP_US_CENTER1_LOCATION,
+                    uniform_bucket_level_access=True,
+                    public=False,
+                    retention_policy=None,
+                    project_id=GCP_PROJECT_ID,
+                    lifecycle_rules=[],
+                    versioning_enabled=True,
+                    soft_delete_enabled=True,
+                    logging_bucket="log-bucket",
+                    logging_prefix="logs/",
+                )
+            ]
+
+            check = cloudstorage_bucket_logging_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Bucket {cloudstorage_client.buckets[0].name} has Usage and Storage Logs enabled. Logs are stored in bucket 'log-bucket' with prefix 'logs/'."
+            )
+            assert result[0].resource_id == "logging-enabled"
+            assert result[0].resource_name == "logging-enabled"
+            assert result[0].location == GCP_US_CENTER1_LOCATION
+            assert result[0].project_id == GCP_PROJECT_ID
+
+    def test_bucket_with_logging_enabled_no_prefix(self):
+        cloudstorage_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_logging_enabled.cloudstorage_bucket_logging_enabled.cloudstorage_client",
+                new=cloudstorage_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_logging_enabled.cloudstorage_bucket_logging_enabled import (
+                cloudstorage_bucket_logging_enabled,
+            )
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_service import (
+                Bucket,
+            )
+
+            cloudstorage_client.project_ids = [GCP_PROJECT_ID]
+            cloudstorage_client.region = GCP_US_CENTER1_LOCATION
+
+            cloudstorage_client.buckets = [
+                Bucket(
+                    name="logging-enabled-no-prefix",
+                    id="logging-enabled-no-prefix",
+                    region=GCP_US_CENTER1_LOCATION,
+                    uniform_bucket_level_access=True,
+                    public=False,
+                    retention_policy=None,
+                    project_id=GCP_PROJECT_ID,
+                    lifecycle_rules=[],
+                    versioning_enabled=True,
+                    soft_delete_enabled=True,
+                    logging_bucket="log-bucket",
+                    logging_prefix=None,
+                )
+            ]
+
+            check = cloudstorage_bucket_logging_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Bucket {cloudstorage_client.buckets[0].name} has Usage and Storage Logs enabled. Logs are stored in bucket 'log-bucket' with default prefix."
+            )
+            assert result[0].resource_id == "logging-enabled-no-prefix"
+            assert result[0].resource_name == "logging-enabled-no-prefix"
+            assert result[0].location == GCP_US_CENTER1_LOCATION
+            assert result[0].project_id == GCP_PROJECT_ID