chore(gcp): enhance metadata for compute service (#9641)

Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
Rubén De la Torre Vico
2026-02-13 14:29:38 +01:00
committed by GitHub
parent 9da0b0c0b1
commit 941f9b7e0b
31 changed files with 293 additions and 219 deletions

View File

@@ -25,8 +25,9 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Parallelize Cloudflare zone API calls with threading to improve scan performance [(#9982)](https://github.com/prowler-cloud/prowler/pull/9982)
- Update GCP API Keys service metadata to new format [(#9637)](https://github.com/prowler-cloud/prowler/pull/9637)
- Update GCP BigQuery service metadata to new format [(#9638)](https://github.com/prowler-cloud/prowler/pull/9638)
- Update GCP Cloud Storage service metadata to new format [(#9640)](https://github.com/prowler-cloud/prowler/pull/9640)
- Update GCP Cloud SQL service metadata to new format [(#9639)](https://github.com/prowler-cloud/prowler/pull/9639)
- Update GCP Cloud Storage service metadata to new format [(#9640)](https://github.com/prowler-cloud/prowler/pull/9640)
- Update GCP Compute Engine service metadata to new format [(#9641)](https://github.com/prowler-cloud/prowler/pull/9641)
### 🔐 Security
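Review bot: the Cloud Storage entry for #9640 appears twice in this block (once before and once after the Cloud SQL line), so the changelog now lists that PR twice; if the duplicate is not intentional, drop one copy while adding the Compute Engine line for #9641.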

View File

@@ -1,27 +1,30 @@
{
"Provider": "gcp",
"CheckID": "compute_firewall_rdp_access_from_the_internet_allowed",
"CheckTitle": "Ensure That RDP Access Is Restricted From the Internet",
"CheckTitle": "Firewall rule does not allow ingress from 0.0.0.0/0 to TCP port 3389 (RDP)",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "FirewallRule",
"ResourceGroup": "network",
"Description": "GCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the Internet to a VPC or VM instance using `RDP` on `Port 3389` can be avoided.",
"Risk": "Allowing unrestricted Remote Desktop Protocol (RDP) access can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and Pass-The-Hash (PTH) attacks.",
"ResourceType": "compute.googleapis.com/Firewall",
"Description": "**VPC firewall rules** permitting inbound **RDP** (`TCP 3389`) from `0.0.0.0/0` are flagged, including ingress rules that allow all TCP ports or `all` protocols",
"Risk": "Exposed **RDP** enables Internet-wide scanning and **brute force**. Exploits can yield **remote code execution**, followed by **lateral movement** and data theft.\n\nThis endangers **confidentiality**, **integrity**, and **availability** (e.g., ransomware, service disruption).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/vpc/docs/using-firewalls",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudVPC/unrestricted-rdp-access.html"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute firewall-rules delete default-allow-rdp",
"CLI": "gcloud compute firewall-rules delete <FIREWALL_RULE_NAME>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/unrestricted-rdp-access.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#terraform"
"Other": "1. In Google Cloud Console, go to Networking > VPC network > Firewall.\n2. Find the ingress rule that allows TCP port 3389 with Source IPv4 ranges set to 0.0.0.0/0.\n3. Select the rule and click Delete, then confirm.",
"Terraform": "```hcl\nresource \"google_compute_firewall\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n network = \"<example_resource_id>\"\n\n allow {\n protocol = \"tcp\"\n ports = [\"3389\"]\n }\n\n source_ranges = [\"10.0.0.0/8\"] # CRITICAL: removes 0.0.0.0/0 so RDP is not exposed to the Internet\n}\n```"
},
"Recommendation": {
"Text": "Ensure that Google Cloud Virtual Private Cloud (VPC) firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to restrict Remote Desktop Protocol (RDP) traffic to trusted IP addresses or IP ranges only and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting a RDP client application with an RDP server.",
"Url": "https://cloud.google.com/vpc/docs/using-firewalls"
"Text": "Restrict **RDP** to trusted IP ranges or a hardened **bastion/IAP** proxy; prefer private access with no public IPs. Apply **least privilege** and network segmentation, use just-in-time access and strong authentication, and monitor logs. Aim for **defense in depth** to minimize exposure.",
"Url": "https://hub.prowler.com/check/compute_firewall_rdp_access_from_the_internet_allowed"
}
},
"Categories": [
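Review bot: the new `CLI` remediation (`gcloud compute firewall-rules delete <FIREWALL_RULE_NAME>`) removes the whole rule, while the SSH check in this same commit narrows the rule with `update --source-ranges`; deleting can also drop legitimate access the rule grants, and the placeholder style differs (`<FIREWALL_RULE_NAME>` here vs `<example_resource_name>` in the SSH file). Suggest `gcloud compute firewall-rules update <FIREWALL_RULE_NAME> --source-ranges=<TRUSTED_CIDR>` so the CLI, Console steps and Terraform all express the same fix. The new `Description` string is also the only one in this commit without a terminating period.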

View File

@@ -1,27 +1,30 @@
{
"Provider": "gcp",
"CheckID": "compute_firewall_ssh_access_from_the_internet_allowed",
"CheckTitle": "Ensure That SSH Access Is Restricted From the Internet",
"CheckTitle": "Firewall does not expose TCP port 22 (SSH) to the Internet",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "FirewallRule",
"ResourceGroup": "network",
"Description": "GCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, only an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the internet to VPC or VM instance using `SSH` on `Port 22` can be avoided.",
"Risk": "Exposing Secure Shell (SSH) port 22 to the Internet can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and brute-force attacks.",
"ResourceType": "compute.googleapis.com/Firewall",
"Description": "**VPC firewall rules** allowing Internet-sourced **ingress** (`0.0.0.0/0`) to `TCP port 22 (SSH)` are identified, including rules using protocol `all` or `tcp` whose ports or ranges include `22`.",
"Risk": "Exposed **SSH (22)** enables Internet-wide scanning, **brute force** and **credential stuffing**. Compromise can yield shell access for **data exfiltration**, command execution, and **lateral movement**, undermining **confidentiality** and **integrity**, and risking **availability** through abuse or lockouts.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/vpc/docs/using-firewalls",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudVPC/unrestricted-ssh-access.html"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute firewall-rules delete default-allow-ssh",
"CLI": "gcloud compute firewall-rules update <example_resource_name> --source-ranges=<TRUSTED_CIDR>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/unrestricted-ssh-access.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_1#terraform"
"Other": "1. In Google Cloud Console, go to Networking > VPC network > Firewall\n2. Locate the INGRESS rule that allows tcp:22 with Source IPv4 ranges set to 0.0.0.0/0 and open it\n3. Click Edit\n4. Replace Source IPv4 ranges from 0.0.0.0/0 to your trusted CIDR (e.g., <TRUSTED_CIDR>)\n5. Click Save",
"Terraform": "```hcl\nresource \"google_compute_firewall\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n network = \"<example_resource_id>\"\n\n source_ranges = [\"<TRUSTED_CIDR>\"] # Critical: removes 0.0.0.0/0 to stop exposing SSH to the Internet\n\n allow {\n protocol = \"tcp\" # Critical: limit to SSH only\n ports = [\"22\"]\n }\n}\n```"
},
"Recommendation": {
"Text": "Check your Google Cloud Virtual Private Cloud (VPC) firewall rules for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 22 and restrict the access to trusted IP addresses or IP ranges only in order to implement the principle of least privilege and reduce the attack surface. TCP port 22 is used for secure remote login by connecting an SSH client application with an SSH server. It is strongly recommended to configure your Google Cloud VPC firewall rules to limit inbound traffic on TCP port 22 to known IP addresses only.",
"Url": "https://cloud.google.com/vpc/docs/using-firewalls"
"Text": "Restrict **SSH** to trusted sources; avoid `0.0.0.0/0`. Prefer **bastion hosts** or **IAP TCP forwarding**, or use **VPN/peering**. Enforce **least privilege** and **defense in depth**: limit to required CIDRs, use **key-based auth**, disable `PasswordAuthentication`, and monitor/alert on access attempts.",
"Url": "https://hub.prowler.com/check/compute_firewall_ssh_access_from_the_internet_allowed"
}
},
"Categories": [
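Review bot: in the new `Other` steps, step 4 reads "Replace Source IPv4 ranges from 0.0.0.0/0 to your trusted CIDR"; "replace ... with" is the idiom, and these steps lack the trailing periods the RDP file's steps carry, so the two files read differently. In the Terraform, the `# Critical: limit to SSH only` comment sits on `protocol = "tcp"`, but it is `ports = ["22"]` that confines the rule to SSH; move the comment to the `ports` line.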

View File

@@ -13,8 +13,7 @@
"Risk": "Publicly shared disk images can expose **sensitive data** and application configurations to unauthorized users.\n\n- Any authenticated GCP user can access the image content\n- Could lead to **data breaches** if images contain secrets or proprietary code\n- Attackers may use exposed images to understand application architecture",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/images/managing-access-custom-images",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/publicly-shared-disk-images.html"
"https://cloud.google.com/compute/docs/images/managing-access-custom-images"
],
"Remediation": {
"Code": {

View File

@@ -13,7 +13,6 @@
"Risk": "VM instances without Automatic Restart enabled will not recover automatically from host maintenance events or unexpected failures, potentially leading to prolonged service downtime and requiring manual intervention to restore services.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-automatic-restart.html",
"https://cloud.google.com/compute/docs/instances/setting-instance-scheduling-options"
],
"Remediation": {

View File

@@ -1,30 +1,36 @@
{
"Provider": "gcp",
"CheckID": "compute_instance_block_project_wide_ssh_keys_disabled",
"CheckTitle": "Ensure “Block Project-Wide SSH Keys” Is Enabled for VM Instances",
"CheckTitle": "VM instance has Block project-wide SSH keys enabled",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"ResourceGroup": "compute",
"Description": "It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.",
"Risk": "Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.",
"ResourceType": "compute.googleapis.com/Instance",
"Description": "**Compute Engine VMs** are evaluated for the metadata key `block-project-ssh-keys` set to `true`, indicating **project-wide SSH keys** are blocked and only instance-level or OS Login credentials are honored.",
"Risk": "Allowing **project-wide SSH keys** lets a single compromised key reach many VMs, amplifying blast radius. This endangers **confidentiality** (data exposure) and **integrity** (unauthorized changes) and enables **lateral movement**. Per-instance revocation and accountability are weakened.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/ComputeEngine/enable-block-project-wide-ssh-keys.html"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute instances add-metadata <INSTANCE_NAME> --metadata block-projectssh-keys=TRUE",
"CLI": "gcloud compute instances add-metadata <INSTANCE_NAME> --zone <ZONE> --metadata=block-project-ssh-keys=true",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-block-project-wide-ssh-keys.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_8#terraform"
"Other": "1. In Google Cloud Console, go to Compute Engine > VM instances\n2. Click the target VM and then click Edit\n3. Under Custom metadata, click Add item\n4. Key: block-project-ssh-keys, Value: true\n5. Click Save",
"Terraform": "```hcl\nresource \"google_compute_instance\" \"vm\" {\n name = \"<example_resource_name>\"\n zone = \"<ZONE>\"\n machine_type = \"e2-micro\"\n\n boot_disk {\n initialize_params {\n image = \"debian-cloud/debian-12\"\n }\n }\n\n network_interface {\n network = \"default\"\n }\n\n metadata = {\n block-project-ssh-keys = \"true\" # Critical: blocks project-wide SSH keys for this VM\n }\n}\n```"
},
"Recommendation": {
"Text": "It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.",
"Url": "https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys"
"Text": "Set `block-project-ssh-keys=true` to prevent shared key inheritance. Prefer **OS Login** or instance-specific keys, enforce **least privilege** and **separation of duties** for metadata changes, use **short-lived credentials** with rotation, limit direct SSH, and monitor access for anomalies.",
"Url": "https://hub.prowler.com/check/compute_instance_block_project_wide_ssh_keys_disabled"
}
},
"Categories": [],
"Categories": [
"identity-access",
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
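Review bot: the Terraform resource label is `"vm"` here while every other example in this commit uses `"<example_resource_name>"`; align the label. Separately, the `Description` says "only instance-level or OS Login credentials are honored": when OS Login is enabled, metadata-based SSH keys (instance-level included) are ignored altogether, so phrase this so that `block-project-ssh-keys` is not read as relevant under OS Login. The old `CLI` typo `block-projectssh-keys=TRUE` is correctly fixed to `block-project-ssh-keys=true`.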

View File

@@ -1,30 +1,35 @@
{
"Provider": "gcp",
"CheckID": "compute_instance_confidential_computing_enabled",
"CheckTitle": "Ensure Compute Instances Have Confidential Computing Enabled",
"CheckTitle": "Compute instance has Confidential Computing enabled",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"ResourceGroup": "compute",
"Description": "Ensure that the Confidential Computing security feature is enabled for your Google Cloud virtual machine (VM) instances in order to add protection to your sensitive data in use by keeping it encrypted in memory and using encryption keys that Google doesn't have access to. Confidential Computing is a breakthrough technology which encrypts data while it is being processed. This technology keeps data encrypted in memory, outside the CPU.",
"Risk": "Confidential Computing keeps your sensitive data encrypted while it is used, indexed, queried, or trained on, and does not allow Google to access the encryption keys (these keys are generated in hardware, per VM instance, and can't be exported). In this way, the Confidential Computing feature can help alleviate concerns about risk related to either dependency on Google Cloud infrastructure or Google insiders' access to your data in the clear.",
"ResourceType": "compute.googleapis.com/Instance",
"Description": "**Google Compute Engine VMs** configured as **Confidential VMs** encrypt data in use with hardware-based memory protection and per-instance keys.\n\nThis assessment identifies whether **Confidential Computing** is enabled on each VM instance.",
"Risk": "Absent **Confidential Computing**, plaintext data in RAM can be exposed via host introspection, hypervisor compromise, or cold-boot/DMA attacks, undermining **confidentiality** and enabling **in-memory tampering** that impacts **integrity** of computations, models, and secrets.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/ComputeEngine/confidential-computing.html",
"https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance:https://cloud.google.com/compute/confidential-vm/docs/about-cvm:https://cloud.google.com/confidential-computing:https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/confidential-computing.html",
"Terraform": ""
"Other": "1. In Google Cloud Console, go to Compute Engine > VM instances\n2. Select <instance> and click Stop\n3. Click Edit\n4. Under Confidential VM service, check Enable Confidential VM service\n5. If the option is unavailable, change Machine series to a supported one (e.g., N2D) and select a type\n6. Click Save, then click Start to power on the instance",
"Terraform": "```hcl\nresource \"google_compute_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n machine_type = \"n2d-standard-2\" # Supported for Confidential VM\n zone = \"<ZONE>\"\n\n boot_disk {\n initialize_params {\n image = \"debian-cloud/debian-12\"\n }\n }\n\n network_interface {}\n\n # Critical: Enables Confidential Computing on the VM\n confidential_instance_config {\n enable_confidential_compute = true # Turns on Confidential VM\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that the Confidential Computing security feature is enabled for your Google Cloud virtual machine (VM) instances in order to add protection to your sensitive data in use by keeping it encrypted in memory and using encryption keys that Google doesn't have access to. Confidential Computing is a breakthrough technology which encrypts data while it is being processed. This technology keeps data encrypted in memory, outside the CPU.",
"Url": "https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance:https://cloud.google.com/compute/confidential-vm/docs/about-cvm:https://cloud.google.com/confidential-computing:https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms"
"Text": "Enable **Confidential VMs** for workloads processing sensitive data to protect data-in-use. Apply **defense in depth**: enforce **least privilege** on administrative access, use disk encryption with `CMEK`, and require workload attestation/trusted images. *If unsupported*, isolate or refactor workloads to compatible options.",
"Url": "https://hub.prowler.com/check/compute_instance_confidential_computing_enabled"
}
},
"Categories": [],
"Categories": [
"encryption"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
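Review bot: the remaining `AdditionalURLs` entry is still four URLs joined by colons in one string (`https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance:https://cloud.google.com/compute/confidential-vm/docs/about-cvm:...`), which is not a valid link; this commit already removed the same concatenation from `Recommendation.Url`, so split this entry into separate array elements too. In the Terraform, `network_interface {}` is left empty while the sibling examples set `network = "default"`; use the same form for consistency.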

View File

@@ -1,30 +1,35 @@
{
"Provider": "gcp",
"CheckID": "compute_instance_default_service_account_in_use",
"CheckTitle": "Ensure That Instances Are Not Configured To Use the Default Service Account",
"CheckTitle": "Compute Engine instance does not use the default service account",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"ResourceGroup": "compute",
"Description": "It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.",
"Risk": "The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. This can lead to a privilege escalations if your VM is compromised allowing an attacker gaining access to all of your project",
"RelatedUrl": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/default-service-accounts-in-use.html",
"ResourceType": "compute.googleapis.com/Instance",
"Description": "**Compute Engine VMs** are evaluated for use of the **default service account** (`[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`). The finding highlights instances configured with that account rather than a workload-specific service account. *GKE node VMs are ignored.*",
"Risk": "Using the default service account often grants project-wide rights (e.g., `roles/editor`). If a VM is compromised, metadata tokens can be abused to read/modify resources, exfiltrate data, and pivot across services, impacting **confidentiality** and **integrity**, and potentially **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/iam/docs/granting-changing-revoking-access",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/ComputeEngine/default-service-accounts-in-use.html"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute instances set-service-account <INSTANCE_NAME> --service-account=<SERVICE_ACCOUNT_EMAIL>",
"CLI": "",
"NativeIaC": "",
"Other": "https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_1",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_1#terraform"
"Other": "1. In Google Cloud console, go to Compute Engine > VM instances\n2. Click the VM, then click Stop and wait until it is stopped\n3. Click Edit\n4. Under Service account, select a non-default service account (not ending with \"-compute@developer.gserviceaccount.com\")\n5. Click Save, then click Start to power the VM back on\n6. If no suitable service account exists: IAM & Admin > Service Accounts > Create service account, grant only required roles, then repeat steps 2-5",
"Terraform": "```hcl\n# Create a non-default service account\nresource \"google_service_account\" \"<example_resource_name>\" {\n account_id = \"<example_resource_id>\" # CRITICAL: custom SA to avoid default \"-compute@developer.gserviceaccount.com\"\n}\n\n# Attach the non-default service account to the VM\nresource \"google_compute_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n machine_type = \"e2-micro\"\n zone = \"<ZONE>\"\n\n boot_disk { initialize_params { image = \"debian-cloud/debian-12\" } }\n network_interface { network = \"default\" }\n\n service_account {\n email = google_service_account.<example_resource_name>.email # CRITICAL: use non-default SA so the check passes\n }\n}\n```"
},
"Recommendation": {
"Text": "To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account. Instead, you should create a new service account and assigning only the permissions needed by your instance. The default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.",
"Url": "https://cloud.google.com/iam/docs/granting-changing-revoking-access"
"Text": "Avoid the default service account. Create per-workload service accounts and grant only required roles under **least privilege** and **separation of duties**. Remove broad roles like `roles/editor`. Prefer short-lived credentials and monitor service account usage to enforce **defense in depth**.",
"Url": "https://hub.prowler.com/check/compute_instance_default_service_account_in_use"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
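Review bot: the Terraform `service_account` block sets only `email`; in `google_compute_instance` the `scopes` argument of that block is required, so this example will not pass `terraform validate`. Add a `scopes = [...]` list (the full-API-access check in this commit uses `"https://www.googleapis.com/auth/devstorage.read_only"` as its minimal example). Also, the `CLI` field is emptied even though the previous `gcloud compute instances set-service-account <INSTANCE_NAME> --service-account=<SERVICE_ACCOUNT_EMAIL>` was a valid one-liner; restore it with `--zone <ZONE>` rather than leaving the field blank (the instance must be stopped first, as the Console steps already say).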

View File

@@ -1,30 +1,35 @@
{
"Provider": "gcp",
"CheckID": "compute_instance_default_service_account_in_use_with_full_api_access",
"CheckTitle": "Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs",
"CheckTitle": "Compute Engine instance does not use the default service account with full access to all Cloud APIs",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"ResourceGroup": "compute",
"Description": "To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.",
"Risk": "When an instance is configured with `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`, based on IAM roles assigned to the user(s) accessing Instance, it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.",
"ResourceType": "compute.googleapis.com/Instance",
"Description": "**Compute Engine VM instances** using the **default service account** with the `cloud-platform` scope (`Allow full access to all Cloud APIs`) are identified. *GKE nodes are excluded.*",
"Risk": "With full API scope, any code on the VM can obtain tokens and, combined with the service account's roles, call broad Google Cloud APIs. This enables **privilege escalation**, **data exfiltration**, unauthorized config changes, and service disruption, impacting **confidentiality, integrity, and availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/iam/docs/granting-changing-revoking-access",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/ComputeEngine/default-service-accounts-with-full-access-in-use.html"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute instances set-service-account <INSTANCE_NAME> --service-account=<SERVICE_ACCOUNT_EMAIL> --scopes [<SCOPE1>,<SCOPE2>,...]",
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/default-service-accounts-with-full-access-in-use.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_2#terraform"
"Other": "1. In Google Cloud Console, go to Compute Engine > VM instances\n2. Click the affected VM\n3. Click Stop and confirm\n4. Click Edit\n5. Under Service account, select a non-default service account (not <project-number>-compute@developer.gserviceaccount.com) OR change Cloud API access scopes to not use \"Allow full access to all Cloud APIs\" (use Default access or select specific APIs)\n6. Click Save\n7. Click Start to restart the VM",
"Terraform": "```hcl\nresource \"google_compute_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n machine_type = \"e2-micro\"\n zone = \"us-central1-a\"\n\n boot_disk { initialize_params { image = \"debian-cloud/debian-12\" } }\n network_interface { network = \"default\" }\n\n service_account {\n email = \"<example_service_account_email>\" # FIX: use a non-default service account to avoid the default SA\n scopes = [\"https://www.googleapis.com/auth/devstorage.read_only\"] # FIX: avoid cloud-platform (full API access)\n }\n}\n```"
},
"Recommendation": {
"Text": "To enforce the principle of least privileges and prevent potential privilege escalation, ensure that your Google Compute Engine instances are not configured to use the default service account with the Cloud API access scope set to \"Allow full access to all Cloud APIs\". The principle of least privilege (POLP), also known as the principle of least authority, is the security concept of giving the user/system/service the minimal set of permissions required to successfully perform its tasks.",
"Url": "https://cloud.google.com/iam/docs/granting-changing-revoking-access"
"Text": "Use a **custom, least-privileged service account** per VM and avoid the default account. Restrict Cloud API scopes-prefer minimal or per-API scopes, not `Allow full access to all Cloud APIs`. Enforce **least privilege** and **separation of duties**, and regularly review roles to remove excessive permissions.",
"Url": "https://hub.prowler.com/check/compute_instance_default_service_account_in_use_with_full_api_access"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
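Review bot: the `CLI` entry is blanked although the old `set-service-account ... --scopes` command was the right remediation; restore it as `gcloud compute instances set-service-account <INSTANCE_NAME> --zone <ZONE> --service-account=<SERVICE_ACCOUNT_EMAIL> --scopes=<SCOPE1>,<SCOPE2>`. The Terraform hardcodes `zone = "us-central1-a"` where the other examples use `<ZONE>`. In `Recommendation.Text`, "Restrict Cloud API scopes-prefer minimal" needs a colon or semicolon in place of the bare hyphen.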

View File

@@ -13,8 +13,7 @@
"Risk": "Without deletion protection enabled, VM instances are vulnerable to **accidental deletion** by users with sufficient permissions.\n\nThis could result in:\n- **Service disruption** and downtime for critical applications\n- **Data loss** if persistent disks are also deleted\n- **Recovery delays** while recreating instances and restoring configurations",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/instances/preventing-accidental-vm-deletion",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-deletion-protection.html"
"https://cloud.google.com/compute/docs/instances/preventing-accidental-vm-deletion"
],
"Remediation": {
"Code": {

View File

@@ -12,8 +12,7 @@
"Risk": "With auto-delete enabled, persistent disks are automatically deleted when the associated VM instance is terminated.\n\nThis could result in:\n- **Permanent data loss** if the instance is accidentally or intentionally deleted\n- **Recovery challenges** for mission-critical workloads\n- **Compliance violations** where data retention is required",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/disks/add-persistent-disk",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/disable-auto-delete.html"
"https://cloud.google.com/compute/docs/disks/add-persistent-disk"
],
"Remediation": {
"Code": {

View File

@@ -1,27 +1,30 @@
{
"Provider": "gcp",
"CheckID": "compute_instance_encryption_with_csek_enabled",
"CheckTitle": "Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)",
"CheckTitle": "VM instance has all disks encrypted with Customer-Supplied Encryption Keys (CSEK)",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Disks",
"ResourceGroup": "storage",
"Description": "Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.",
"Risk": "By default, Compute Engine service encrypts all data at rest. The cloud service manages this type of encryption without any additional actions from you and your application. However, if you want to fully control and manage instance disk encryption, you can provide your own encryption keys.",
"ResourceType": "compute.googleapis.com/Instance",
"Description": "Compute Engine VM disks use **Customer-Supplied Encryption Keys** (`CSEK`) rather than provider-managed keys. The finding flags instances where any attached disk is not protected with the customer-provided key.",
"Risk": "Without **CSEK**, encryption depends on provider-managed keys, reducing control over key lifecycle and access. This weakens confidentiality, impedes separation of duties, and can delay key revocation, increasing exposure to unauthorized data access and regulatory gaps.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/ComputeEngine/enable-encryption-with-csek.html"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute disks create <DISK_NAME> --size=<SIZE> --type=<TYPE> --zone=<ZONE> --source-snapshot=<SOURCE_SNAPSHOT> --csek-key-file=<KEY_FILE>",
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-encryption-with-csek.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/bc_gcp_general_x#terraform"
"Other": "1. In Google Cloud Console, go to Compute Engine > VM instances\n2. Click Create instance (you must recreate VMs to use CSEK on boot disks)\n3. In Boot disk, click Change\n4. Expand Encryption and select Customer-supplied key\n5. Paste your base64-encoded 256-bit key and click Select\n6. If adding additional disks: in Additional disks, add a disk and set Encryption to Customer-supplied key with the same key\n7. Click Create to launch the VM with all disks encrypted using CSEK\n8. Migrate workload from the old VM and delete it when done",
"Terraform": "```hcl\nresource \"google_compute_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n machine_type = \"e2-medium\"\n zone = \"<example_zone>\"\n\n boot_disk {\n initialize_params { image = \"debian-cloud/debian-12\" }\n # Critical: enables Customer-Supplied Encryption Key (CSEK) for the boot disk\n disk_encryption_key { raw_key = \"<BASE64_32BYTE_KEY>\" } # base64-encoded AES-256 key\n }\n\n network_interface { network = \"default\" }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that the disks attached to your production Google Compute Engine instances are encrypted with Customer-Supplied Encryption Keys (CSEKs) in order to have complete control over the data-at-rest encryption and decryption process, and meet strict compliance requirements. These custom keys, also known as Customer-Supplied Encryption Keys (CSEKs), are used by Google Compute Engine to protect the Google-generated keys used to encrypt and decrypt your instance data. Compute Engine service does not store your CSEKs on its servers and cannot access your protected data unless you provide the required key.",
"Url": "https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys"
"Text": "Use **CSEK** for VM disks that require full control over data-at-rest keys. Apply **least privilege** to key custodians, store keys in hardened vaults/HSMs, enforce rotation and rapid revocation, and document recovery procedures. Combine with **defense in depth** (network and IAM controls) to limit blast radius.",
"Url": "https://hub.prowler.com/check/compute_instance_encryption_with_csek_enabled"
}
},
"Categories": [
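Review bot: the `Remediation.Code.CLI` entry is emptied even though the removed command was a working CSEK remediation; keep a CLI path, for example `gcloud compute disks create <DISK_NAME> --zone=<ZONE> --source-snapshot=<SOURCE_SNAPSHOT> --csek-key-file=<KEY_FILE>`, since the console steps alone require a full VM rebuild. In the Terraform snippet, `raw_key = "<BASE64_32BYTE_KEY>"` places the key literal in source control and in Terraform state; reference a variable marked `sensitive = true` and say so in the comment. The first `AdditionalURLs` entry points at Cloud Storage's CSEK page rather than Compute Engine's disk encryption documentation.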
@@ -13,8 +13,7 @@
"Risk": "Without autohealing, MIGs cannot detect application-level failures such as crashes, freezes, or memory issues. Instances that are technically running but experiencing problems will remain undetected and unreplaced, leading to:\n\n- **Service degradation** from unhealthy instances\n- **Extended downtime** during application failures\n- **Manual intervention** required to detect and replace failed instances",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/instance-groups/autohealing-instances-in-migs",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-instance-group-autohealing.html"
"https://cloud.google.com/compute/docs/instance-groups/autohealing-instances-in-migs"
],
"Remediation": {
"Code": {
@@ -14,8 +14,7 @@
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/instance-groups",
"https://cloud.google.com/load-balancing/docs/backend-service",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/mig-load-balancer-check.html"
"https://cloud.google.com/load-balancing/docs/backend-service"
],
"Remediation": {
"Code": {
@@ -1,30 +1,35 @@
{
"Provider": "gcp",
"CheckID": "compute_instance_ip_forwarding_is_enabled",
"CheckTitle": "Ensure That IP Forwarding Is Not Enabled on Instances",
"CheckTitle": "Compute Engine VM instance has IP forwarding disabled",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"ResourceGroup": "compute",
"Description": "Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure.",
"Risk": "When the IP Forwarding feature is enabled on a virtual machine's network interface (NIC), it allows the VM to act as a router and receive traffic addressed to other destinations. ",
"RelatedUrl": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/disable-ip-forwarding.html",
"ResourceType": "compute.googleapis.com/Instance",
"Description": "**Compute Engine VM instances** with `canIpForward` enabled are identified. This setting allows a VM to process packets not addressed to its own IP.\n\nInstances created by GKE (`gke-` prefix) are excluded from this evaluation.",
"Risk": "With **IP forwarding** a VM can route traffic for other addresses. If compromised, it can:\n- Spoof or tamper flows (**integrity**)\n- Intercept/redirect internal traffic (**confidentiality**)\n- Mask egress for exfiltration and enable lateral movement, degrading **availability**",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/instances/create-start-instance",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/ComputeEngine/disable-ip-forwarding.html"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "gcloud compute instances update-from-file <example_resource_name> --zone <ZONE> --source=<PATH_TO_CONFIG_WITH_canIpForward_false> --most-disruptive-allowed-action=RESTART",
"NativeIaC": "",
"Other": "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_12",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_12#terraform"
"Other": "1. In Google Cloud console, go to Compute Engine > VM instances and select the VM (exclude names starting with gke-)\n2. Click Delete to remove the instance with IP forwarding enabled\n3. Click Create instance\n4. Expand Networking > Network interfaces > Edit and ensure IP forwarding is Off (default)\n5. Click Create",
"Terraform": "```hcl\nresource \"google_compute_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n machine_type = \"e2-micro\"\n zone = \"<ZONE>\"\n\n can_ip_forward = false # Critical: disables IP forwarding to pass the check\n\n boot_disk {\n initialize_params {\n image = \"debian-cloud/debian-12\"\n }\n }\n\n network_interface {\n network = \"default\"\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that IP Forwarding feature is not enabled at the Google Compute Engine instance level for security and compliance reasons, as instances with IP Forwarding enabled act as routers/packet forwarders. Because IP forwarding is rarely required, except when the virtual machine (VM) is used as a network virtual appliance, each Google Cloud VM instance should be reviewed in order to decide whether the IP forwarding is really needed for the verified instance. IP Forwarding is enabled at the VM instance level and applies to all network interfaces (NICs) attached to the instance. In addition, Instances created by GKE should be excluded from this recommendation because they need to have IP forwarding enabled and cannot be changed. Instances created by GKE have names that start with \"gke- \".",
"Url": "https://cloud.google.com/compute/docs/instances/create-start-instance"
"Text": "Disable **IP forwarding** on general-purpose VMs and allow it only for vetted **network appliances**, following **least privilege**.\n\nEnforce **network segmentation**, restrict routes, review exceptions regularly, and monitor egress to uphold **defense in depth**. *Exclude platform-managed nodes that require forwarding.*",
"Url": "https://hub.prowler.com/check/compute_instance_ip_forwarding_is_enabled"
}
},
"Categories": [],
"Categories": [
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
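Review bot: the `Other` steps tell the operator to delete and recreate the instance, while the new `CLI` updates it in place with `update-from-file` and a `RESTART`; align the two paths, and document where `<PATH_TO_CONFIG_WITH_canIpForward_false>` comes from (export the instance with `gcloud compute instances export <example_resource_name> --zone <ZONE> --destination=<FILE>`, set `canIpForward: false`, then run the update). The console steps should also mention that stopping the VM is not required for the in-place update but a restart is, so users can pick the less disruptive option.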
@@ -13,7 +13,6 @@
"Risk": "VM instances configured with On Host Maintenance set to `TERMINATE` will be shut down during host maintenance events, causing **service interruptions** and **unplanned downtime**. This can impact application availability and may require manual intervention to restart services.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/configure-maintenance-behavior.html",
"https://cloud.google.com/compute/docs/instances/setting-instance-scheduling-options"
],
"Remediation": {
@@ -14,8 +14,7 @@
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/instances/preemptible",
"https://cloud.google.com/compute/docs/instances/spot",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/disable-preemptibility.html"
"https://cloud.google.com/compute/docs/instances/spot"
],
"Remediation": {
"Code": {
@@ -1,27 +1,29 @@
{
"Provider": "gcp",
"CheckID": "compute_instance_public_ip",
"CheckTitle": "Check for Virtual Machine Instances with Public IP Addresses",
"CheckTitle": "VM instance does not have a public IP address",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "VMInstance",
"ResourceGroup": "compute",
"Description": "Check for Virtual Machine Instances with Public IP Addresses",
"Risk": "To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.",
"ResourceType": "compute.googleapis.com/Instance",
"Description": "**Compute Engine VM instances** with an assigned **external (public) IP address** on any network interface are identified.\n\nInstances without an external IP are considered internal-only.",
"Risk": "**Internet-exposed VMs** face automated scanning, **brute force**, and **remote exploit** attempts.\n\nCompromise can enable **data exfiltration**, **service account abuse**, and **lateral movement** within the VPC, while public endpoints invite **DDoS**, degrading availability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/instances/connecting-to-instance"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "gcloud compute instances delete-access-config <example_resource_name> --access-config-name=\"External NAT\" --zone=<example_resource_zone>",
"NativeIaC": "",
"Other": "https://docs.prowler.com/checks/gcp/google-cloud-public-policies/bc_gcp_public_2",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-public-policies/bc_gcp_public_2#terraform"
"Other": "1. In Google Cloud Console, go to Compute Engine > VM instances\n2. Click the VM name\n3. Click Edit\n4. Under Network interfaces, set External IP to None\n5. Click Save",
"Terraform": "```hcl\nresource \"google_compute_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n machine_type = \"e2-micro\"\n zone = \"<example_resource_zone>\"\n\n boot_disk {\n initialize_params { image = \"debian-cloud/debian-11\" }\n }\n\n network_interface {\n network = \"default\" # Critical: no access_config block -> no public IP\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that your Google Compute Engine instances are not configured to have external IP addresses in order to minimize their exposure to the Internet.",
"Url": "https://cloud.google.com/compute/docs/instances/connecting-to-instance"
"Text": "Adopt **private-only VMs** and remove external IPs.\n- Place workloads behind **load balancers** or **reverse proxies**\n- Use **Cloud NAT** for egress; admin access via **IAP**, **VPN**, or a hardened **bastion**\n- Apply **least privilege** firewall rules and network segmentation for **defense in depth**",
"Url": "https://hub.prowler.com/check/compute_instance_public_ip"
}
},
"Categories": [
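Review bot: the `CLI` remediation removes the access config from `nic0` only (the default `--network-interface`), while the new `Description` says the check flags an external IP on any interface; add `--network-interface=<NIC>` to the command or note that it must be repeated per interface, and mention that removing the access config cuts direct egress until Cloud NAT is in place (the `Recommendation` already points at Cloud NAT). The Terraform snippet uses `debian-11` where the other snippets in this commit use `debian-12`; pick one image for consistency.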
@@ -1,30 +1,35 @@
{
"Provider": "gcp",
"CheckID": "compute_instance_serial_ports_in_use",
"CheckTitle": "Ensure Enable Connecting to Serial Ports Is Not Enabled for VM Instance",
"CheckTitle": "VM instance has 'Enable Connecting to Serial Ports' disabled",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"ResourceGroup": "compute",
"Description": "Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.",
"Risk": "If you enable the interactive serial console on your VM instance, clients can attempt to connect to your instance from any IP address and this allows anybody to access the instance if they know the user name, the SSH key, the project ID, and the instance name and zone.",
"ResourceType": "compute.googleapis.com/Instance",
"Description": "**Compute Engine VM instance** with the **interactive serial console** enabled via metadata `serial-port-enable` (`1`/`true`). Instances with this flag disabled do not allow interactive serial console connections.",
"Risk": "Enabling the **serial console** creates **out-of-band access** that can bypass network controls. Abuse can grant low-level OS interaction, expose sensitive boot logs, alter configuration, or disrupt services, degrading **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/ComputeEngine/disable-interactive-serial-console-support.html"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute instances add-metadata <INSTANCE_NAME> --zone=<ZONE> --metadata=serial-port-enable=false",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/disable-interactive-serial-console-support.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_11#terraform"
"Other": "1. In Google Cloud Console, go to Compute Engine > VM instances\n2. Click the target VM name, then click Edit\n3. Uncheck \"Enable connecting to serial ports\"\n4. Click Save",
"Terraform": "```hcl\nresource \"google_compute_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n machine_type = \"e2-micro\"\n zone = \"us-central1-a\"\n\n boot_disk {\n initialize_params { image = \"debian-cloud/debian-12\" }\n }\n\n network_interface { network = \"default\" }\n\n metadata = {\n serial-port-enable = \"false\" # Critical: disables connecting to serial ports to pass the check\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that \"Enable connecting to serial ports\" configuration setting is disabled for all your production Google Compute Engine instances. A Google Cloud virtual machine (VM) instance has 4 virtual serial ports. On your VM instances, the operating system (OS), BIOS, and other system-level entities write often output data to the serial ports and can accept input, such as commands or answers, to prompts. Usually, these system-level entities use the first serial port (Port 1) and Serial Port 1 is often referred to as the interactive serial console. This interactive serial console does not support IP-based access restrictions such as IP address whitelists. To adhere to cloud security best practices and reduce the risk of unauthorized access, interactive serial console support should be disabled for all instances used in production.",
"Url": "https://cloud.google.com/compute"
"Text": "Disable the **interactive serial console** on production VMs (`serial-port-enable=false`). Use it only for *break-glass* cases. Enforce **least privilege** for console roles, prefer controlled access paths (IAP/SSH or session tools), and monitor access. Apply **defense in depth** to reduce alternate entry points.",
"Url": "https://hub.prowler.com/check/compute_instance_serial_ports_in_use"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
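Review bot: `Description` describes only instance metadata, but `serial-port-enable` is also inherited from project-wide metadata, so state whether the check evaluates the effective value (instance overrides project) or only the instance key; the Terraform comment should likewise say that `"false"` at instance level overrides a project-level `true`. The hard-coded `zone = "us-central1-a"` breaks the `<example_...>` placeholder convention used by the other snippets in this commit, and the first sentence of `Description` is a fragment ("VM instance with ... enabled") where the other checks use a full sentence.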
@@ -1,30 +1,35 @@
{
"Provider": "gcp",
"CheckID": "compute_instance_shielded_vm_enabled",
"CheckTitle": "Ensure Compute Instances Are Launched With Shielded VM Enabled",
"CheckTitle": "Compute instance has vTPM and Integrity Monitoring enabled",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"ResourceGroup": "compute",
"Description": "To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.",
"Risk": "Whithout shielded VM enabled is not possible to defend against advanced threats and ensure that the boot loader and firmware on your Google Compute Engine instances are signed and untampered.",
"ResourceType": "compute.googleapis.com/Instance",
"Description": "Compute Engine VM instances have **vTPM** and **Integrity Monitoring** enabled as part of Shielded VM configuration.",
"Risk": "Without **vTPM** or **Integrity Monitoring**, boot integrity isn't verified. Attackers can persist **bootkits/rootkits**, alter firmware, and evade attestation, enabling covert control and data theft.\n- Integrity: compromised boot chain\n- Confidentiality: secrets bound to TPM exposed\n- Availability: malicious boot code can brick VMs",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/instances/modifying-shielded-vm",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/ComputeEngine/enable-shielded-vm.html"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute instances update <INSTANCE_NAME> --shielded-vtpm --shielded-vmintegrity-monitoring",
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-shielded-vm.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/bc_gcp_general_y#terraform"
"Other": "1. In Google Cloud Console, go to Compute Engine > VM instances\n2. Click the VM name\n3. Click Stop and wait for the VM to stop\n4. Click Edit\n5. In Shielded VM, enable vTPM and enable Integrity monitoring\n6. Click Save\n7. Click Start to start the VM",
"Terraform": "```hcl\nresource \"google_compute_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n machine_type = \"e2-micro\"\n\n boot_disk {\n initialize_params {\n image = \"debian-cloud/debian-11\"\n }\n }\n\n network_interface {\n network = \"default\"\n }\n\n shielded_instance_config {\n enable_vtpm = true # Critical: enable vTPM\n enable_integrity_monitoring = true # Critical: enable Integrity Monitoring\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that your Google Compute Engine instances are configured to use Shielded VM security feature for protection against rootkits and bootkits.Google Compute Engine service can enable 3 advanced security components for Shielded VM instances: 1. Virtual Trusted Platform Module (vTPM) - this component validates the guest virtual machine (VM) pre-boot and boot integrity, and provides key generation and protection. 2. Integrity Monitoring - lets you monitor and verify the runtime boot integrity of your shielded VM instances using Google Cloud Operations reports (also known as Stackdriver reports). 3. Secure boot helps - this security component protects your VM instances against boot-level and kernel-level malware and rootkits. To defend against advanced threats and ensure that the boot loader and firmware on your Google Compute Engine instances are signed and untampered, it is strongly recommended that your production instances are launched with Shielded VM enabled.",
"Url": "https://cloud.google.com/compute/docs/instances/modifying-shielded-vm"
"Text": "Enable **Shielded VM** with `vTPM` and **Integrity Monitoring** set to `enabled` on all VMs. Prefer **Secure Boot** where compatible. Enforce via hardened images/templates, apply **least privilege** to shielded settings, and monitor integrity results-supporting **defense in depth** and trusted boot.",
"Url": "https://hub.prowler.com/check/compute_instance_shielded_vm_enabled"
}
},
"Categories": [],
"Categories": [
"node-security"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
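Review bot: rather than emptying `CLI`, fix the flag typo in the removed line: `gcloud compute instances update <INSTANCE_NAME> --zone=<ZONE> --shielded-vtpm --shielded-integrity-monitoring` (the VM must be stopped first, as the `Other` steps already say). In `Recommendation.Text`, "monitor integrity results-supporting defense in depth" reads as one hyphenated word; use ", supporting". The Terraform snippet omits `zone`, which every other instance snippet in this commit includes.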
@@ -13,7 +13,6 @@
"Risk": "Multiple network interfaces on a VM instance can:\n\n- **Expand attack surface** by providing additional entry points for unauthorized access\n- **Create unintended network paths** that bypass security controls\n- **Increase management complexity** leading to potential misconfigurations",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/vms-with-multiple-enis.html",
"https://cloud.google.com/vpc/docs/multiple-interfaces-concepts"
],
"Remediation": {
@@ -13,8 +13,7 @@
"Risk": "Persistent disks on suspended VM instances remain accessible through the GCP API and may contain **sensitive data**, creating potential security risks:\n\n- **Unauthorized data access** if credentials are compromised or permissions are misconfigured\n- **Data exposure** from forgotten infrastructure that is no longer actively monitored\n- **Security blind spots** where suspended resources are overlooked during security reviews and audits",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/icompute/docs/instances/suspend-resume-instance",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/persistent-disks-attached-to-suspended-vms.html"
"https://cloud.google.com/icompute/docs/instances/suspend-resume-instance"
],
"Remediation": {
"Code": {
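Review bot: the surviving `AdditionalURLs` entry `https://cloud.google.com/icompute/docs/instances/suspend-resume-instance` has a typo in its path (`icompute`); since this hunk already rewrites the array, correct it to `compute` here rather than leaving a dead link as the only reference.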
@@ -1,30 +1,36 @@
{
"Provider": "gcp",
"CheckID": "compute_loadbalancer_logging_enabled",
"CheckTitle": "Ensure Logging is enabled for HTTP(S) Load Balancer",
"CheckTitle": "HTTP(S) load balancer has logging enabled",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "LoadBalancer",
"ResourceGroup": "network",
"Description": "Logging enabled on a HTTPS Load Balancer will show all network traffic and its destination.",
"Risk": "HTTP(S) load balancing log entries contain information useful for monitoring and debugging web traffic. Google Cloud exports this logging data to Cloud Monitoring service so that monitoring metrics can be created to evaluate a load balancer's configuration, usage, and performance, troubleshoot problems, and improve resource utilization and user experience.",
"Severity": "high",
"ResourceType": "compute.googleapis.com/BackendService",
"Description": "**Application Load Balancer** (HTTP/S) backend services have **Cloud Logging for requests** enabled at the backend service level.\n\n*Only load balancers with a backend service support this setting.*",
"Risk": "Without **request logs**, visibility into HTTP(S) traffic is reduced, hindering detection of credential stuffing, path traversal, WAF bypass, and data exfiltration. This impacts **confidentiality** and **integrity**, and delays incident response; availability issues (surges in `5xx`) may go unnoticed.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/load-balancing/docs/https/https-logging-monitoring#gcloud:-global-mode",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLoadBalancing/https-load-balancer-logging-enabled.html",
"https://cloud.google.com/load-balancing/docs/l7-internal/monitoring"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute backend-services update <serviceName> --region=REGION --enable-logging --logging-sample-rate=<percentageAsADecimal>",
"CLI": "gcloud compute backend-services update <example_resource_name> --global --enable-logging",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudLoadBalancing/enableLoad-balancing-backend-service-logging.html",
"Terraform": ""
"Other": "1. In Google Cloud Console, go to Networking > Load balancing\n2. Click your HTTP(S) load balancer, then click Edit\n3. Open Backend configuration and click Edit next to the backend service\n4. Check Enable logging\n5. Click Update (backend service), then Update (load balancer)\n6. Verify logs appear in Logs Explorer under Cloud HTTP Load Balancer",
"Terraform": "```hcl\nresource \"google_compute_backend_service\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n health_checks = [\"<example_health_check_self_link>\"]\n\n log_config {\n enable = true # Critical: enables logging on the backend service\n }\n}\n```"
},
"Recommendation": {
"Text": "Logging will allow you to view HTTPS network traffic to your web applications.",
"Url": "https://cloud.google.com/load-balancing/docs/https/https-logging-monitoring#gcloud:-global-mode"
"Text": "Enable **request logging** on backend services with a risk-appropriate `sampleRate`; include key optional fields when needed. Export logs to monitoring for alerts and dashboards, enforce retention and integrity controls, and restrict access using **least privilege** and **defense in depth**.",
"Url": "https://hub.prowler.com/check/compute_loadbalancer_logging_enabled"
}
},
"Categories": [],
"Categories": [
"logging"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
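Review bot: the new `CLI` hard-codes `--global`, but regional backend services (regional external and internal Application Load Balancers, which the new `Description` covers) take `--region=<REGION>` instead; keep both forms or note the difference, as the removed line did with `--region`. `Recommendation.Text` tells users to set a risk-appropriate `sampleRate`, yet the CLI drops the previous `--logging-sample-rate` flag, so the two are inconsistent. `Severity` moves from `medium` to `high` without a rationale in the commit message; a line in the changelog entry or in `Notes` would help reviewers.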
@@ -1,30 +1,35 @@
{
"Provider": "gcp",
"CheckID": "compute_network_default_in_use",
"CheckTitle": "Ensure that the default network does not exist",
"CheckTitle": "Project does not have a default VPC network",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Network",
"ResourceGroup": "network",
"Description": "Ensure that the default network does not exist",
"Risk": "The default network has a preconfigured network configuration and automatically generates insecure firewall rules.",
"RelatedUrl": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/default-vpc-in-use.html",
"Severity": "medium",
"ResourceType": "compute.googleapis.com/Network",
"Description": "Projects are assessed for a **VPC network** named `default` (the pre-created, auto-mode network).",
"Risk": "Using the **default VPC** can weaken segmentation and expose services via **permissive firewall rules** (e.g., broad internal trust or public admin ports). This increases likelihood of **unauthorized access**, **lateral movement**, and data exfiltration, impacting **confidentiality** and **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudVPC/default-vpc-in-use.html",
"https://cloud.google.com/vpc/docs/using-vpc"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "gcloud compute networks delete default --quiet",
"NativeIaC": "",
"Other": "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_7",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_7#terraform"
"Other": "1. In Google Cloud Console, go to Networking > VPC network > VPC networks\n2. Select the network named \"default\"\n3. Click Delete VPC network and confirm\n4. If deletion is blocked, remove or migrate any resources using the \"default\" network, then retry Delete",
"Terraform": "```hcl\n# Deletes the default VPC network to pass the check\nresource \"google_project_default_network\" \"<example_resource_name>\" {} # Ensures the 'default' network is removed\n```"
},
"Recommendation": {
"Text": "When an organization deletes the default network, it may need to migrate or service onto a new network.",
"Url": "https://cloud.google.com/vpc/docs/using-vpc"
"Text": "Prefer **custom VPCs** over `default`. Remove unused default networks and apply **least privilege** with explicit firewall rules, private connectivity, and workload-based segmentation. Enforce creation controls (e.g., org policy to skip default network) and use **defense in depth** with logging and monitoring.",
"Url": "https://hub.prowler.com/check/compute_network_default_in_use"
}
},
"Categories": [],
"Categories": [
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
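Review bot: the Terraform snippet uses a `google_project_default_network` resource that I cannot find in the Google provider; the provider-level control is `auto_create_network = false` on `google_project` (which only prevents creation for new projects), and for an existing project the deletion has to happen out of band, so either cite where that resource comes from or replace the snippet. `gcloud compute networks delete default --quiet` fails while the `default-allow-*` firewall rules and other consumers of the network exist; add a step to delete those first, matching step 4 of `Other`. `Severity` drops from `high` to `medium` with no rationale given.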
@@ -1,30 +1,37 @@
{
"Provider": "gcp",
"CheckID": "compute_network_dns_logging_enabled",
"CheckTitle": "Enable Cloud DNS Logging for VPC Networks",
"CheckTitle": "VPC network has Cloud DNS logging enabled",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Network",
"ResourceGroup": "network",
"Description": "Ensure that Cloud DNS logging is enabled for all your Virtual Private Cloud (VPC) networks using DNS server policies. Cloud DNS logging records queries that the name servers resolve for your Google Cloud VPC networks, as well as queries from external entities directly to a public DNS zone. Recorded queries can come from virtual machine (VM) instances, GKE containers running in the same VPC network, peering zones, or other Google Cloud resources provisioned within your VPC.",
"Risk": "Cloud DNS logging is disabled by default on each Google Cloud VPC network. By enabling monitoring of Cloud DNS logs, you can increase visibility into the DNS names requested by the clients within your VPC network. Cloud DNS logs can be monitored for anomalous domain names and evaluated against threat intelligence.",
"ResourceType": "compute.googleapis.com/Network",
"Description": "**VPC networks** are assessed for a **DNS policy** that enables **Cloud DNS query logging**. When present, resolvers record queries for the network from VMs, GKE, peering, and inbound forwarding, with entries written to Cloud Logging.",
"Risk": "Without **DNS query logs**, suspicious lookups (C2, DGA, DNS exfiltration) go unseen, reducing **confidentiality** and hindering **incident response**. Visibility gaps also hide misconfigurations and elevated `NXDOMAIN` rates that can impact the **availability** of name resolution.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/dns/docs/monitoring",
"https://docs.cloud.google.com/compute/docs/networking/monitor-dns-failures",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudVPC/dns-logging-for-vpcs.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/dns-logging-for-vpcs.html",
"Terraform": ""
"Other": "1. In the Google Cloud console, go to Cloud DNS > Policies\n2. If the VPC already has a policy: select the policy, click Edit, check Enable logging, click Save\n3. If there is no policy for the VPC: click Create policy, enter a name, check Enable logging, add the target VPC network, click Create",
"Terraform": "```hcl\nresource \"google_dns_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n enable_logging = true # CRITICAL: turns on DNS query logging for the policy\n\n networks {\n network_url = \"projects/<PROJECT_ID>/global/networks/<example_resource_name>\" # Attach to the target VPC\n }\n}\n```"
},
"Recommendation": {
"Text": "Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.",
"Url": "https://cloud.google.com/dns/docs/monitoring"
"Text": "Enable **Cloud DNS query logging** for all VPC networks via **DNS policies** and route logs to centralized analysis. Enforce **least privilege** on log access, set retention and sampling to manage cost, and add detections for malicious domains. Apply **defense in depth** with DNS response policies and egress controls.",
"Url": "https://hub.prowler.com/check/compute_network_dns_logging_enabled"
}
},
"Categories": [],
"Categories": [
"logging",
"forensics-ready"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
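Review bot: in the Terraform snippet on the `"Terraform"` line, `network_url` reuses `<example_resource_name>` for the VPC network, the same placeholder already used for the DNS policy's `name`; a reader who copies this will try to attach the policy to a network that happens to share the policy's name. Use a distinct placeholder, e.g. `network_url = "projects/<PROJECT_ID>/global/networks/<VPC_NETWORK_NAME>"`. The `"Recommendation"` text also tells the reader to set sampling; a `google_dns_policy` only exposes the `enable_logging` toggle, so if sampling is meant at the Cloud Logging sink or exclusion level, say so, otherwise the reader will look for a DNS policy setting that does not exist.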

@@ -1,30 +1,36 @@
{
"Provider": "gcp",
"CheckID": "compute_network_not_legacy",
"CheckTitle": "Ensure Legacy Networks Do Not Exist",
"CheckTitle": "VPC network is not legacy",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Network",
"ResourceGroup": "network",
"Description": "In order to prevent use of legacy networks, a project should not have a legacy network configured. As of now, Legacy Networks are gradually being phased out, and you can no longer create projects with them. This recommendation is to check older projects to ensure that they are not using Legacy Networks.",
"Risk": "Google Cloud legacy networks have a single global IPv4 range which cannot be divided into subnets, and a single gateway IP address for the whole network. Legacy networks do not support several Google Cloud networking features such as subnets, alias IP ranges, multiple network interfaces, Cloud NAT (Network Address Translation), Virtual Private Cloud (VPC) Peering, and private access options for GCP services. Legacy networks are not recommended for high network traffic projects and are subject to a single point of contention or failure.",
"ResourceType": "compute.googleapis.com/Network",
"Description": "**Google Cloud networks** are evaluated for **legacy mode** (`subnet_mode: legacy`). The finding highlights networks using the older, non-subnetted design instead of **VPC with regional subnets**.",
"Risk": "Legacy networks lack subnets, peering, and private access. This reduces isolation and forces public IP paths, weakening **confidentiality** and enabling lateral movement/data exfiltration. Coarse controls and routing limits threaten **integrity**. A single global range and gateway create contention that can degrade **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudVPC/legacy-vpc-in-use.html",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudVPC/legacy-vpc-in-use.html#",
"https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute networks delete <LEGACY_NETWORK_NAME>",
"CLI": "gcloud beta compute networks update <LEGACY_NETWORK_NAME> --switch-to-custom-subnet-mode",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/legacy-vpc-in-use.html#",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/ensure-legacy-networks-do-not-exist-for-a-project#terraform"
"Other": "1. In Google Cloud Console, go to Networking > VPC network > VPC networks\n2. Find the network with Subnet creation mode showing Legacy\n3. Select it and click Delete VPC network\n4. Type the network name to confirm and click Delete",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure that your Google Cloud Platform (GCP) projects are not using legacy networks as this type of network is no longer recommended for production environments because it does not support advanced networking features. Instead, it is strongly recommended to use Virtual Private Cloud (VPC) networks for existing and future GCP projects.",
"Url": "https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network"
"Text": "Decommission legacy networks. Migrate to **custom-mode VPCs** with regional subnets and granular firewall policies. Apply **least privilege** segmentation, enable private access and **Cloud NAT** to avoid public exposure, and use peering or private connectivity for dependencies. *Plan and test migration to limit downtime*.",
"Url": "https://hub.prowler.com/check/compute_network_not_legacy"
}
},
"Categories": [],
"Categories": [
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
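Review bot: the new `"CLI"` remediation (`gcloud beta compute networks update <LEGACY_NETWORK_NAME> --switch-to-custom-subnet-mode`) converts an auto-mode VPC network to custom mode; it does not apply to a legacy network, which cannot be converted and has to be replaced and deleted, which is exactly what the `"Other"` steps and the `using-legacy#deleting_a_legacy_network` entry in `AdditionalURLs` describe. Either restore the removed command (`gcloud compute networks delete <LEGACY_NETWORK_NAME>`) or leave `"CLI"` empty so the three remediation paths agree. Minor: the two Trend Micro entries in `AdditionalURLs` are the same URL, one with a trailing `#`; drop the duplicate.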

@@ -13,8 +13,7 @@
"Risk": "Without 2FA enforcement, compromised credentials (stolen SSH keys or passwords) grant immediate access to VM instances. Attackers could:\n\n- Gain unauthorized shell access to production systems\n- Exfiltrate sensitive data or deploy malware\n- Move laterally within the infrastructure\n\nThis single point of failure significantly increases the attack surface.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/compute/docs/oslogin/set-up-oslogin",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-os-login-with-2fa-authentication.html"
"https://cloud.google.com/compute/docs/oslogin/set-up-oslogin"
],
"Remediation": {
"Code": {

@@ -1,30 +1,35 @@
{
"Provider": "gcp",
"CheckID": "compute_project_os_login_enabled",
"CheckTitle": "Ensure Os Login Is Enabled for a Project",
"CheckTitle": "Project has OS Login enabled",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "GCPProject",
"ResourceGroup": "governance",
"Description": "Ensure that the OS Login feature is enabled at the Google Cloud Platform (GCP) project level in order to provide you with centralized and automated SSH key pair management.",
"Risk": "Enabling OS Login feature ensures that the SSH keys used to connect to VM instances are mapped with Google Cloud IAM users. Revoking access to corresponding IAM users will revoke all the SSH keys associated with these users, therefore it facilitates centralized SSH key pair management, which is extremely useful in handling compromised or stolen SSH key pairs and/or revocation of external/third-party/vendor users.",
"ResourceType": "compute.googleapis.com/Project",
"Description": "Project metadata has **OS Login** enabled (`enable-oslogin`), so VM SSH access uses IAM-linked Linux identities instead of static project or instance keys.",
"Risk": "Without **OS Login**, SSH relies on static metadata keys that are hard to rotate and revoke. Leaked or orphaned keys can retain VM access, enabling unauthorized commands, data exfiltration, and lateral movement-impacting **confidentiality** and **integrity** and weakening accountability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/ComputeEngine/enable-os-login.html",
"https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance:https://cloud.google.com/compute/confidential-vm/docs/about-cvm:https://cloud.google.com/confidential-computing:https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-os-login.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_9#terraform"
"Other": "1. In Google Cloud Console, select your project\n2. Go to Compute Engine > Metadata\n3. Click Edit > Add item\n4. Set Key to enable-oslogin and Value to TRUE\n5. Click Save",
"Terraform": "```hcl\nresource \"google_compute_project_metadata_item\" \"<example_resource_name>\" {\n # Critical: this key/value enables OS Login at the project level\n key = \"enable-oslogin\"\n value = \"TRUE\"\n}\n```"
},
"Recommendation": {
"Text": "Ensure that the OS Login feature is enabled at the Google Cloud Platform (GCP) project level in order to provide you with centralized and automated SSH key pair management.",
"Url": "https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance:https://cloud.google.com/compute/confidential-vm/docs/about-cvm:https://cloud.google.com/confidential-computing:https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms"
"Text": "Enable **OS Login** at the project level to centralize SSH through **IAM**.\n- Apply **least privilege** to OS Login roles\n- Remove metadata SSH keys\n- Enforce MFA and short-lived credentials\n- Monitor login activity and add network restrictions for **defense in depth**",
"Url": "https://hub.prowler.com/check/compute_project_os_login_enabled"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
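Review bot: the second entry in `AdditionalURLs` is a single string that concatenates four URLs with `:` separators, and all four are about Confidential VMs rather than OS Login; this hunk removes the same string from `Recommendation.Url` but leaves it here. Replace it with the OS Login documentation (the sibling 2FA check already uses `https://cloud.google.com/compute/docs/oslogin/set-up-oslogin`) or remove it. Style: on the `"Risk"` line, `lateral movement-impacting` needs a comma, not a hyphen.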

@@ -1,29 +1,27 @@
{
"Provider": "gcp",
"CheckID": "compute_public_address_shodan",
"CheckTitle": "Check if any of the Public Addresses are in Shodan (requires Shodan API KEY).",
"CheckType": [
"Infrastructure Security"
],
"CheckTitle": "Public IP address is not listed in Shodan",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "GCPComputeAddress",
"ResourceGroup": "network",
"Description": "Check if any of the Public Addresses are in Shodan (requires Shodan API KEY).",
"Risk": "Sites like Shodan index exposed systems and further expose them to wider audiences as a quick way to find exploitable systems.",
"Severity": "medium",
"ResourceType": "compute.googleapis.com/Address",
"Description": "**Compute Engine** public IP addresses are cross-checked with **Shodan** to identify Internet-exposed hosts that have been indexed, including observed open ports and metadata.\n\n*Only `EXTERNAL` addresses are evaluated.*",
"Risk": "Being listed in **Shodan** indicates an Internet-reachable host with identifiable services. Adversaries can quickly enumerate ports, run brute-force or exploit scans, and weaponize misconfigurations, leading to data exposure (C), service tampering (I), and outages from abuse or DDoS (A).",
"RelatedUrl": "",
"AdditionalURLs": [],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "gcloud compute addresses delete <example_resource_name> --region <REGION>",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"Other": "1. In the Google Cloud Console, go to: VPC network > IP addresses > External\n2. Find the public IP shown in the finding\n3. If it is attached to a VM: go to the VM > Edit > Network interfaces > set External IP to None > Save\n4. Return to External IP addresses and click Release to delete the public IP",
"Terraform": "```hcl\n# Reserve an internal address instead of a public one\nresource \"google_compute_address\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<REGION>\"\n subnetwork = \"<example_subnetwork_name>\"\n address_type = \"INTERNAL\" # FIX: use INTERNAL to avoid a public (EXTERNAL) IP listed by Shodan\n}\n```"
},
"Recommendation": {
"Text": "Check Identified IPs, consider changing them to private ones and delete them from Shodan.",
"Url": "https://www.shodan.io/"
"Text": "Minimize Internet exposure:\n- Remove unused public IPs; prefer private addressing with controlled egress\n- Avoid `0.0.0.0/0`; restrict by allowlists and firewall policies\n- Place services behind proxies/VPN/bastions; close unused ports\n\nApply **least privilege** and **defense in depth**; continuously monitor external footprint.",
"Url": "https://hub.prowler.com/check/compute_public_address_shodan"
}
},
"Categories": [
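Review bot: the new `"CLI"` remediation `gcloud compute addresses delete <example_resource_name> --region <REGION>` only works for a reserved static address that is not in use; an ephemeral external IP on a VM is not a reserved address at all, and a reserved one cannot be deleted while it is attached to a NIC. The `"Other"` steps get the order right (set the VM's external IP to None, then release), so the CLI should mirror them, e.g. `gcloud compute instances delete-access-config <INSTANCE_NAME> --access-config-name <ACCESS_CONFIG_NAME> --zone <ZONE>` followed by the `addresses delete`, and state the reserved-address precondition. The placeholder `<example_resource_name>` is also inconsistent with the `<UPPER_CASE>` placeholders the other CLI strings in this PR use. Separately, `"Severity"` moves from `high` to `medium` here; a sentence in the PR description justifying the downgrade would help reviewers.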

@@ -13,7 +13,6 @@
"Risk": "Outdated snapshots containing **sensitive data** expand the **attack surface** and risk data exposure if compromised.\n\nStale snapshots may violate compliance requirements, complicate disaster recovery efforts, and introduce configuration drift that affects system **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/remove-old-disk-snapshots.html",
"https://cloud.google.com/compute/docs/disks/create-snapshots",
"https://cloud.google.com/compute/docs/disks/snapshot-best-practices"
],

@@ -1,30 +1,41 @@
{
"Provider": "gcp",
"CheckID": "compute_subnet_flow_logs_enabled",
"CheckTitle": "Enable VPC Flow Logs for VPC Subnets",
"CheckTitle": "Subnet has VPC Flow Logs enabled",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Subnet",
"ResourceGroup": "network",
"Description": "Ensure that VPC Flow Logs is enabled for every subnet created within your production Virtual Private Cloud (VPC) network. Flow Logs is a logging feature that enables users to capture information about the IP traffic (accepted, rejected, or all traffic) going to and from the network interfaces (ENIs) available within your VPC subnets.",
"Risk": "By default, the VPC Flow Logs feature is disabled when a new VPC network subnet is created. Once enabled, VPC Flow Logs will start collecting network traffic data to and from your Virtual Private Cloud (VPC) subnets, logging data that can be useful for understanding network usage, network traffic expense optimization, network forensics, and real-time security analysis. To enhance Google Cloud VPC network visibility and security it is strongly recommended to enable Flow Logs for every business-critical or production VPC subnet.",
"ResourceType": "compute.googleapis.com/Subnetwork",
"Description": "**GCP VPC subnets** have **VPC Flow Logs** enabled at the subnet scope to capture connection metadata for traffic to and from VM interfaces.",
"Risk": "Without **VPC Flow Logs**, network activity lacks visibility, weakening **detection and response**. Blind spots enable covert **data exfiltration** (C), undetected **lateral movement** and policy bypass (I), and hinder containment and recovery (A). Forensics and cost insights are degraded.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging",
"https://docs.cloud.google.com/vpc/docs/flow-logs",
"https://docs.cloud.google.com/vpc/docs/org-policy-flow-logs",
"https://docs.cloud.google.com/vpc/docs/access-flow-logs",
"https://cloud.google.com/blog/products/networking/how-to-use-vpc-flow-logs-in-gcp-for-network-traffic-analysis",
"https://docs.cloud.google.com/vpc/docs/using-flow-logs",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudVPC/enable-vpc-flow-logs.html"
],
"Remediation": {
"Code": {
"CLI": "gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs",
"CLI": "gcloud compute networks subnets update <SUBNET_NAME> --region <REGION> --enable-flow-logs",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/enable-vpc-flow-logs.html",
"Terraform": "https://docs.prowler.com/checks/gcp/logging-policies-1/bc_gcp_logging_1#terraform"
"Other": "1. In the Google Cloud console, go to Networking > VPC networks\n2. Open the Subnets tab and click the target subnet\n3. Click Edit\n4. Set Flow logs to On\n5. Click Save",
"Terraform": "```hcl\nresource \"google_compute_subnetwork\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n ip_cidr_range = \"10.0.0.0/24\"\n region = \"<REGION>\"\n network = \"<VPC_NETWORK_SELF_LINK>\"\n\n enable_flow_logs = true # Critical: enables VPC Flow Logs so the subnet passes the check\n}\n```"
},
"Recommendation": {
"Text": "Ensure that VPC Flow Logs is enabled for every subnet created within your production Virtual Private Cloud (VPC) network. Flow Logs is a logging feature that enables users to capture information about the IP traffic (accepted, rejected, or all traffic) going to and from the network interfaces (ENIs) available within your VPC subnets.",
"Url": "https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging"
"Text": "Enable **VPC Flow Logs** on all production subnets. Tune aggregation, sampling, and metadata to balance visibility and cost.\n\nExport to centralized logging for analytics and alerting, apply **least privilege** to log access, and use organization guardrails to enforce consistent coverage as part of **defense in depth**.",
"Url": "https://hub.prowler.com/check/compute_subnet_flow_logs_enabled"
}
},
"Categories": [],
"Categories": [
"logging",
"forensics-ready"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
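Review bot: the Terraform example on the `"Terraform"` line sets only `enable_flow_logs = true`, while the `"Recommendation"` text tells the reader to tune aggregation, sampling and metadata. Those settings live in the `log_config` block of `google_compute_subnetwork`, and the presence of that block is what turns flow logs on, so the example would be more useful as `log_config { aggregation_interval = "INTERVAL_5_SEC" flow_sampling = 0.5 metadata = "INCLUDE_ALL_METADATA" }` instead of the bare boolean (whose unset behaviour is governed by the organization policy described in the linked `org-policy-flow-logs` doc). Minor: `AdditionalURLs` lists both `cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging` and `docs.cloud.google.com/vpc/docs/using-flow-logs`, which are the same page; keep one.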