PyPI - prowler-cloud - Versions diffs - 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl - Mend

prowler-cloud 5.13.1py3-none-any.whl → 5.14.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (298) hide show

prowler/providers/azure/services/postgresql/postgresql_service.py CHANGED Viewed

@@ -1,6 +1,6 @@
 from dataclasses import dataclass
-from azure.mgmt.rdbms.postgresql_flexibleservers import PostgreSQLManagementClient
+from azure.mgmt.postgresqlflexibleservers import PostgreSQLManagementClient
 from prowler.lib.logger import logger
 from prowler.providers.azure.azure_provider import AzureProvider
@@ -21,9 +21,19 @@ class PostgreSQL(AzureService):
                 flexible_servers_list = client.servers.list()
                 for postgresql_server in flexible_servers_list:
                     resource_group = self._get_resource_group(postgresql_server.id)
+                    # Fetch full server object once to extract multiple properties
+                    server_details = client.servers.get(
+                        resource_group, postgresql_server.name
+                    )
                     require_secure_transport = self._get_require_secure_transport(
                         subscription, resource_group, postgresql_server.name
                     )
+                    active_directory_auth = self._extract_active_directory_auth(
+                        server_details
+                    )
+                    entra_id_admins = self._get_entra_id_admins(
+                        subscription, resource_group, postgresql_server.name
+                    )
                     log_checkpoints = self._get_log_checkpoints(
                         subscription, resource_group, postgresql_server.name
                     )
@@ -42,22 +52,22 @@ class PostgreSQL(AzureService):
                     firewall = self._get_firewall(
                         subscription, resource_group, postgresql_server.name
                     )
-                    location = self._get_location(
-                        subscription, resource_group, postgresql_server.name
-                    )
+                    location = server_details.location
                     flexible_servers[subscription].append(
                         Server(
                             id=postgresql_server.id,
                             name=postgresql_server.name,
                             resource_group=resource_group,
+                            location=location,
                             require_secure_transport=require_secure_transport,
+                            active_directory_auth=active_directory_auth,
+                            entra_id_admins=entra_id_admins,
                             log_checkpoints=log_checkpoints,
                             log_connections=log_connections,
                             log_disconnections=log_disconnections,
                             connection_throttling=connection_throttling,
                             log_retention_days=log_retention_days,
                             firewall=firewall,
-                            location=location,
                         )
                     )
             except Exception as error:
@@ -100,10 +110,47 @@ class PostgreSQL(AzureService):
         )
         return log_disconnections.value.upper()
-    def _get_location(self, subscription, resouce_group_name, server_name):
+    def _extract_active_directory_auth(self, server):
+        """Extract active directory auth from a server object (no API call)."""
+        try:
+            auth_config = getattr(server, "auth_config", None)
+            active_directory_auth = (
+                getattr(auth_config, "active_directory_auth", None)
+                if auth_config is not None
+                else None
+            )
+            # Normalize enum/string to upper string
+            if hasattr(active_directory_auth, "value"):
+                return str(active_directory_auth.value).upper()
+            return (
+                str(active_directory_auth).upper()
+                if active_directory_auth is not None
+                else None
+            )
+        except Exception as e:
+            logger.error(f"Error extracting active directory auth: {e}")
+            return None
+    def _get_entra_id_admins(self, subscription, resource_group_name, server_name):
         client = self.clients[subscription]
-        location = client.servers.get(resouce_group_name, server_name).location
-        return location
+        try:
+            admins = client.administrators.list_by_server(
+                resource_group_name, server_name
+            )
+            admin_list = []
+            for admin in admins:
+                admin_list.append(
+                    EntraIdAdmin(
+                        object_id=admin.object_id,
+                        principal_name=admin.principal_name,
+                        principal_type=admin.principal_type,
+                        tenant_id=admin.tenant_id,
+                    )
+                )
+            return admin_list
+        except Exception as e:
+            logger.error(f"Error getting Entra ID admins for {server_name}: {e}")
+            return []
     def _get_connection_throttling(self, subscription, resouce_group_name, server_name):
         client = self.clients[subscription]
@@ -147,16 +194,26 @@ class Firewall:
     end_ip: str
+@dataclass
+class EntraIdAdmin:
+    object_id: str
+    principal_name: str
+    principal_type: str
+    tenant_id: str
 @dataclass
 class Server:
     id: str
     name: str
     resource_group: str
+    location: str
     require_secure_transport: str
+    active_directory_auth: str
+    entra_id_admins: list[EntraIdAdmin]
     log_checkpoints: str
     log_connections: str
     log_disconnections: str
     connection_throttling: str
     log_retention_days: str
     firewall: list[Firewall]
-    location: str

prowler/providers/azure/services/storage/storage_service.py CHANGED Viewed

@@ -141,10 +141,12 @@ class Storage(AzureService):
                                     container_delete_retention_policy,
                                     "enabled",
                                     False,
-                                ),
+                                )
+                                or False,
                                 days=getattr(
                                     container_delete_retention_policy, "days", 0
-                                ),
+                                )
+                                or 0,
                             ),
                             versioning_enabled=versioning_enabled,
                         )
@@ -220,12 +222,14 @@ class Storage(AzureService):
                                 share_delete_retention_policy,
                                 "enabled",
                                 False,
-                            ),
+                            )
+                            or False,
                             days=getattr(
                                 share_delete_retention_policy,
                                 "days",
                                 0,
-                            ),
+                            )
+                            or 0,
                         ),
                         smb_protocol_settings=SMBProtocolSettings(
                             channel_encryption=(
@@ -241,6 +245,11 @@ class Storage(AzureService):
                         ),
                     )
                 except Exception as error:
+                    if "File is not supported for the account." in str(error).strip():
+                        logger.warning(
+                            f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                        )
+                        continue
                     logger.error(
                         f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                     )

prowler/providers/azure/services/vm/vm_service.py CHANGED Viewed

@@ -1,4 +1,3 @@
-from dataclasses import dataclass
 from enum import Enum
 from typing import List, Optional
@@ -294,16 +293,14 @@ class VirtualMachines(AzureService):
         return vm_instance_ids
-@dataclass
-class UefiSettings:
+class UefiSettings(BaseModel):
     secure_boot_enabled: bool
     v_tpm_enabled: bool
-@dataclass
-class SecurityProfile:
-    security_type: str
-    uefi_settings: Optional[UefiSettings]
+class SecurityProfile(BaseModel):
+    security_type: Optional[str] = None
+    uefi_settings: Optional[UefiSettings] = None
 class OperatingSystemType(Enum):

prowler/providers/common/arguments.py CHANGED Viewed

@@ -1,6 +1,7 @@
 import sys
 from argparse import Namespace
 from importlib import import_module
+from typing import Optional, Sequence
 from prowler.lib.logger import logger
 from prowler.providers.common.provider import Provider, providers_path
@@ -16,15 +17,9 @@ def init_providers_parser(self):
     providers = Provider.get_available_providers()
     for provider in providers:
         try:
-            # Map CLI provider names to directory names (for cases where they differ)
-            provider_directory_map = {
-                "oci": "oraclecloud",  # OCI SDK conflict avoidance
-            }
-            provider_directory = provider_directory_map.get(provider, provider)
             getattr(
                 import_module(
-                    f"{providers_path}.{provider_directory}.{provider_arguments_lib_path}"
+                    f"{providers_path}.{provider}.{provider_arguments_lib_path}"
                 ),
                 init_provider_arguments_function,
             )(self)
@@ -38,18 +33,10 @@ def init_providers_parser(self):
 def validate_provider_arguments(arguments: Namespace) -> tuple[bool, str]:
     """validate_provider_arguments returns {True, "} if the provider arguments passed are valid and can be used together"""
     try:
-        # Map CLI provider names to directory names (for cases where they differ)
-        provider_directory_map = {
-            "oci": "oraclecloud",  # OCI SDK conflict avoidance
-        }
-        provider_directory = provider_directory_map.get(
-            arguments.provider, arguments.provider
-        )
         # Provider function must be located at prowler.providers.<provider>.lib.arguments.arguments.validate_arguments
         return getattr(
             import_module(
-                f"{providers_path}.{provider_directory}.{provider_arguments_lib_path}"
+                f"{providers_path}.{arguments.provider}.{provider_arguments_lib_path}"
             ),
             validate_provider_arguments_function,
         )(arguments)
@@ -67,3 +54,19 @@ def validate_provider_arguments(arguments: Namespace) -> tuple[bool, str]:
             f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
         )
         sys.exit(1)
+def validate_asff_usage(
+    provider: Optional[str], output_formats: Optional[Sequence[str]]
+) -> tuple[bool, str]:
+    """Ensure json-asff output is only requested for the AWS provider."""
+    if not output_formats or "json-asff" not in output_formats:
+        return (True, "")
+    if provider == "aws":
+        return (True, "")
+    return (
+        False,
+        f"json-asff output format is only available for the aws provider, but {provider} was selected",
+    )

prowler/providers/common/provider.py CHANGED Viewed

@@ -146,24 +146,8 @@ class Provider(ABC):
     @staticmethod
     def init_global_provider(arguments: Namespace) -> None:
         try:
-            # Map CLI provider names to directory names (for cases where they differ)
-            provider_directory_map = {
-                "oci": "oraclecloud",  # oci SDK conflict avoidance
-            }
-            # Map CLI provider names to provider file names (for cases where they differ)
-            provider_file_map = {
-                "oci": "oci",  # oraclecloud directory but oci_provider.py file
-            }
-            provider_directory = provider_directory_map.get(
-                arguments.provider, arguments.provider
-            )
-            provider_file = provider_file_map.get(
-                arguments.provider, arguments.provider
-            )
             provider_class_path = (
-                f"{providers_path}.{provider_directory}.{provider_file}_provider"
+                f"{providers_path}.{arguments.provider}.{arguments.provider}_provider"
             )
             provider_class_name = f"{arguments.provider.capitalize()}Provider"
             provider_class = getattr(
@@ -291,7 +275,7 @@ class Provider(ABC):
                         mutelist_path=arguments.mutelist_file,
                         fixer_config=fixer_config,
                     )
-                elif "oci" in provider_class_name.lower():
+                elif "oraclecloud" in provider_class_name.lower():
                     provider_class(
                         oci_config_file=arguments.oci_config_file,
                         profile=arguments.profile,

prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.metadata.json CHANGED Viewed

@@ -1,29 +1,30 @@
 {
   "Provider": "gcp",
   "CheckID": "artifacts_container_analysis_enabled",
-  "CheckTitle": "Ensure Image Vulnerability Analysis using AR Container Analysis or a third-party provider",
-  "CheckType": [
-    "Security",
-    "Configuration"
-  ],
+  "CheckTitle": "GCP project has Artifact Registry Container Analysis API enabled",
+  "CheckType": [],
   "ServiceName": "artifacts",
-  "SubServiceName": "Container Analysis",
+  "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Service",
-  "Description": "Scan images stored in Google Container Registry (GCR) for vulnerabilities using AR Container Analysis or a third-party provider. This helps identify and mitigate security risks associated with known vulnerabilities in container images.",
-  "Risk": "Without image vulnerability scanning, container images stored in Artifact Registry may contain known vulnerabilities, increasing the risk of exploitation by malicious actors.",
-  "RelatedUrl": "https://cloud.google.com/artifact-analysis/docs",
+  "ResourceType": "serviceusage.googleapis.com/Service",
+  "Description": "Evaluates whether **Artifact Analysis** (`containeranalysis.googleapis.com`) is enabled at the project level to support **vulnerability scanning** and metadata for container images in Artifact Registry or Container Registry.",
+  "Risk": "Absent this service, images aren't continuously scanned, leaving known CVEs unnoticed. Attackers can run vulnerable containers, gain code execution, move laterally, and exfiltrate data, eroding the **integrity** and **confidentiality** of workloads and the software supply chain.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/artifact-analysis/docs",
+    "https://cloud.google.com/artifact-analysis/docs/container-scanning-overview"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "gcloud services enable containeranalysis.googleapis.com",
+      "CLI": "gcloud services enable containeranalysis.googleapis.com --project <PROJECT_ID>",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In Google Cloud Console, ensure the correct project is selected\n2. Go to APIs & Services > Library\n3. Search for \"Container Analysis API\"\n4. Click the API, then click \"Enable\"",
+      "Terraform": "```hcl\nresource \"google_project_service\" \"<example_resource_name>\" {\n  project = \"<example_project_id>\"\n  service = \"containeranalysis.googleapis.com\" # Enables Artifact Analysis (Container Analysis) API to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable vulnerability scanning for images stored in Artifact Registry using AR Container Analysis or a third-party provider.",
-      "Url": "https://cloud.google.com/artifact-analysis/docs/container-scanning-overview"
+      "Text": "Enable **Artifact Analysis** (`containeranalysis.googleapis.com`) for projects hosting container images. Integrate scan results into CI/CD policy gates, apply **least privilege** to findings access, and rebuild images promptly to maintain **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/artifacts_container_analysis_enabled"
     }
   },
   "Categories": [],

prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py CHANGED Viewed

@@ -25,10 +25,25 @@ class CloudResourceManager(GCPService):
                     .execute(num_retries=DEFAULT_RETRY_ATTEMPTS)
                 )
                 audit_logging = False
+                audit_configs = []
                 if policy.get("auditConfigs"):
                     audit_logging = True
+                    for config in policy.get("auditConfigs", []):
+                        log_types = []
+                        for log_config in config.get("auditLogConfigs", []):
+                            log_types.append(log_config.get("logType", ""))
+                        audit_configs.append(
+                            AuditConfig(
+                                service=config.get("service", ""),
+                                log_types=log_types,
+                            )
+                        )
                 self.cloud_resource_manager_projects.append(
-                    Project(id=project_id, audit_logging=audit_logging)
+                    Project(
+                        id=project_id,
+                        audit_logging=audit_logging,
+                        audit_configs=audit_configs,
+                    )
                 )
                 for binding in policy["bindings"]:
                     self.bindings.append(
@@ -40,7 +55,9 @@ class CloudResourceManager(GCPService):
                     )
             except Exception as error:
                 logger.error(
-                    f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    f"{self.region} -- "
+                    f"{error.__class__.__name__}"
+                    f"[{error.__traceback__.tb_lineno}]: {error}"
                 )
     def _get_organizations(self):
@@ -54,15 +71,23 @@ class CloudResourceManager(GCPService):
                 for org in response.get("organizations", []):
                     self.organizations.append(
                         Organization(
-                            id=org["name"].split("/")[-1], name=org["displayName"]
+                            id=org["name"].split("/")[-1],
+                            name=org["displayName"],
                         )
                     )
         except Exception as error:
             logger.error(
-                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                f"{self.region} -- "
+                f"{error.__class__.__name__}"
+                f"[{error.__traceback__.tb_lineno}]: {error}"
             )
+class AuditConfig(BaseModel):
+    service: str
+    log_types: list[str]
 class Binding(BaseModel):
     role: str
     members: list
@@ -72,6 +97,7 @@ class Binding(BaseModel):
 class Project(BaseModel):
     id: str
     audit_logging: bool
+    audit_configs: list[AuditConfig] = []
 class Organization(BaseModel):

prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/__init__.py ADDED Viewed

File without changes

prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "Provider": "gcp",
+  "CheckID": "cloudstorage_audit_logs_enabled",
+  "CheckTitle": "Data Access audit logs are enabled for Cloud Storage",
+  "CheckType": [],
+  "ServiceName": "cloudstorage",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "cloudresourcemanager.googleapis.com/Project",
+  "Description": "Data Access audit logs (DATA_READ and DATA_WRITE) are enabled for Cloud Storage at the project level. Unlike Admin Activity logs (enabled by default), Data Access logs must be explicitly configured to track read and write operations on Cloud Storage objects.",
+  "Risk": "Without Data Access audit logs, you cannot track who accessed or modified objects in your Cloud Storage buckets, making it difficult to detect unauthorized access, data exfiltration, or compliance violations.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-data-access-audit-logs.html",
+    "https://cloud.google.com/storage/docs/audit-logging"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1) Console → IAM & Admin → Audit Logs\n2) Find 'Google Cloud Storage' in the list of services\n3) Check the boxes for 'Data Read' and 'Data Write'\n4) Click 'Save' to apply the configuration\n\nNote: This is a project-level setting that applies to all Cloud Storage buckets in the project.",
+      "Terraform": "```hcl\nresource \"google_project_iam_audit_config\" \"storage_audit\" {\n  project = var.project_id\n  service = \"storage.googleapis.com\"\n\n  audit_log_config {\n    log_type = \"DATA_READ\"\n  }\n\n  audit_log_config {\n    log_type = \"DATA_WRITE\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable Data Access audit logs (DATA_READ and DATA_WRITE) for Cloud Storage at the project level to track all read and write operations on storage objects for security monitoring and compliance.",
+      "Url": "https://hub.prowler.com/check/cloudstorage_audit_logs_enabled"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.py ADDED Viewed

@@ -0,0 +1,61 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.cloudresourcemanager.cloudresourcemanager_client import (
+    cloudresourcemanager_client,
+)
+class cloudstorage_audit_logs_enabled(Check):
+    """
+    Ensure GCP Cloud Storage data access audit logs are enabled.
+    - PASS: Project has audit config for storage.googleapis.com or allServices with
+      DATA_READ and DATA_WRITE log types enabled.
+    - FAIL: Project is missing audit config for Cloud Storage,
+      or missing DATA_READ or DATA_WRITE log types.
+    """
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        for project in cloudresourcemanager_client.cloud_resource_manager_projects:
+            report = Check_Report_GCP(
+                metadata=self.metadata(),
+                resource=cloudresourcemanager_client.projects[project.id],
+                project_id=project.id,
+                location=cloudresourcemanager_client.region,
+                resource_name=(
+                    cloudresourcemanager_client.projects[project.id].name
+                    if cloudresourcemanager_client.projects[project.id].name
+                    else "GCP Project"
+                ),
+            )
+            log_types_set = set()
+            for config in project.audit_configs:
+                if config.service in ["storage.googleapis.com", "allServices"]:
+                    log_types_set.update(config.log_types)
+            required_logs = {"DATA_READ", "DATA_WRITE"}
+            if project.audit_logging:
+                if required_logs.issubset(log_types_set):
+                    report.status = "PASS"
+                    report.status_extended = f"Project {project.id} has Data Access audit logs (DATA_READ and DATA_WRITE) enabled for Cloud Storage."
+                else:
+                    report.status = "FAIL"
+                    if not log_types_set:
+                        report.status_extended = f"Project {project.id} has Audit Logs enabled for other services but not for Cloud Storage."
+                    else:
+                        report.status_extended = (
+                            f"Project {project.id} has Audit Logs enabled for Cloud Storage but is missing some required log types"
+                            f"(missing: {', '.join(sorted(required_logs - log_types_set))})."
+                        )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Project {project.id} does not have Audit Logs enabled."
+                )
+            findings.append(report)
+        return findings

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.metadata.json CHANGED Viewed

@@ -1,26 +1,29 @@
 {
   "Provider": "gcp",
   "CheckID": "cloudstorage_bucket_log_retention_policy_lock",
-  "CheckTitle": "Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock",
+  "CheckTitle": "Cloud Storage log bucket has a Retention Policy with Bucket Lock enabled",
   "CheckType": [],
   "ServiceName": "cloudstorage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Bucket",
-  "Description": "Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted.",
-  "Risk": "Sinks can be configured to export logs in storage buckets. It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy, thus permanently preventing the policy from being reduced or removed. This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.",
+  "ResourceType": "storage.googleapis.com/Bucket",
+  "Description": "**Google Cloud Storage buckets** used as **log sinks** are evaluated to ensure that a **Retention Policy** is configured and **Bucket Lock** is enabled. Enabling Bucket Lock permanently prevents the retention policy from being reduced or removed, protecting logs from modification or deletion.",
+  "Risk": "Log sink buckets without a locked retention policy are at risk of log tampering or accidental deletion. Without Bucket Lock, an attacker or user could remove or shorten the retention policy, compromising the integrity of audit logs required for forensics and compliance investigations.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/retention-policies-with-bucket-lock.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "gcloud storage buckets lock-retention-policy gs://<LOG_BUCKET_NAME>",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/retention-policies-with-bucket-lock.html",
-      "Terraform": "https://docs.prowler.com/checks/gcp/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock#terraform"
+      "Other": "1) Open Google Cloud Console → Storage → Buckets → <LOG_BUCKET_NAME>\n2) Go to the **Configuration** tab\n3) Under **Retention policy**, ensure a retention duration is set\n4) Click **Lock** to enable Bucket Lock and confirm the operation",
+      "Terraform": "```hcl\nresource \"google_storage_bucket\" \"log_bucket\" {\n  name     = var.log_bucket_name\n  location = var.location\n\n  retention_policy {\n    retention_period = 31536000 # 365 days in seconds\n    is_locked        = true\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.",
-      "Url": "https://cloud.google.com/storage/docs/using-uniform-bucket-level-access"
+      "Text": "Configure a retention policy and enable Bucket Lock on all Cloud Storage buckets used as log sinks to ensure log integrity and immutability.",
+      "Url": "https://hub.prowler.com/check/cloudstorage_bucket_log_retention_policy_lock"
     }
   },
   "Categories": [],

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py CHANGED Viewed

@@ -6,7 +6,14 @@ from prowler.providers.gcp.services.logging.logging_client import logging_client
 class cloudstorage_bucket_log_retention_policy_lock(Check):
-    def execute(self) -> Check_Report_GCP:
+    """
+    Ensure Log Sink buckets have a Retention Policy with Bucket Lock enabled.
+    - PASS: Log sink bucket has a retention policy and is locked.
+    - FAIL: Log sink bucket has no retention policy, or it has one but is not locked.
+    """
+    def execute(self) -> list[Check_Report_GCP]:
         findings = []
         # Get Log Sink Buckets
         log_buckets = []
@@ -22,8 +29,8 @@ class cloudstorage_bucket_log_retention_policy_lock(Check):
                 )
                 if bucket.retention_policy:
                     report.status = "FAIL"
-                    report.status_extended = f"Log Sink Bucket {bucket.name} has no Retention Policy but without Bucket Lock."
-                    if bucket.retention_policy.get("isLocked", False):
+                    report.status_extended = f"Log Sink Bucket {bucket.name} has a Retention Policy but without Bucket Lock."
+                    if bucket.retention_policy.is_locked:
                         report.status = "PASS"
                         report.status_extended = f"Log Sink Bucket {bucket.name} has a Retention Policy with Bucket Lock."
                 findings.append(report)

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/__init__.py ADDED Viewed

File without changes

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "Provider": "gcp",
+  "CheckID": "cloudstorage_bucket_logging_enabled",
+  "CheckTitle": "Cloud Storage buckets have Usage and Storage Logs enabled",
+  "CheckType": [],
+  "ServiceName": "cloudstorage",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "storage.googleapis.com/Bucket",
+  "Description": "**Google Cloud Storage buckets** are evaluated to ensure that **Usage and Storage Logs** are enabled. Enabling these logs provides detailed visibility into access requests, usage patterns, and storage activity within each bucket.",
+  "Risk": "Buckets without Usage and Storage Logs enabled lack visibility into access and storage activity, which increases the risk of undetected data exfiltration, misuse, or configuration errors.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-usage-and-storage-logs.html",
+    "https://cloud.google.com/storage/docs/access-logs"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gsutil logging set on -b gs://<LOGGING_BUCKET> -o <LOG_OBJECT_PREFIX> gs://<BUCKET_NAME>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "```hcl\n# Example: enable Usage and Storage Logs on a Cloud Storage bucket\nresource \"google_storage_bucket\" \"example\" {\n  name     = var.bucket_name\n  location = var.location\n\n  logging {\n    log_bucket        = var.log_bucket_name\n    log_object_prefix = \"${var.bucket_name}/\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable Usage and Storage Logs for all Cloud Storage buckets to track access, detect anomalies, and maintain audit visibility of data operations.",
+      "Url": "https://hub.prowler.com/check/cloudstorage_bucket_logging_enabled"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Buckets missing the 'logging.logBucket' configuration are treated as having Usage and Storage Logs disabled. The 'logObjectPrefix' field is optional and defaults to the bucket name."
+}

prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

prowler-cloud 5.13.1py3-none-any.whl → 5.14.1py3-none-any.whl