feat(gcp): add Google Cloud provider with 43 checks (#2125)

2026-02-10 06:45:08 +00:00 · 2023-03-24 13:38:41 +01:00
parent fe57811bc5
commit c14e7fb17a
179 changed files with 3941 additions and 111 deletions
--- a/docs/getting-started/requirements.md
+++ b/docs/getting-started/requirements.md
@@ -30,6 +30,24 @@ Those credentials must be associated to a user or role with proper permissions t

  > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).

+## Google Cloud
+
+### GCP Authentication
+
+Prowler will follow the same credentials search as [Google authentication libraries](https://cloud.google.com/docs/authentication/application-default-credentials#search_order):
+
+1. [GOOGLE_APPLICATION_CREDENTIALS environment variable](https://cloud.google.com/docs/authentication/application-default-credentials#GAC)
+2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal)
+3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa)
+
+Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the following roles to the member associated with the credentials:
+
+  - Viewer
+  - Security Reviewer
+  - Stackdriver Account Viewer
+
+> `prowler` will scan the project associated with the credentials.
+
 ## Azure

 Prowler for azure supports the following authentication types:
--- a/docs/index.md
+++ b/docs/index.md
@@ -16,7 +16,7 @@ For **Prowler v2 Documentation**, please go [here](https://github.com/prowler-cl

 ## About Prowler

-**Prowler** is an Open Source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
+**Prowler** is an Open Source security tool to perform AWS, Azure and Google Cloud security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.

 It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.

@@ -40,7 +40,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-clo

    * `Python >= 3.9`
    * `Python pip >= 3.9`
-    * AWS and/or Azure credentials
+    * AWS, GCP and/or Azure credentials

    _Commands_:

@@ -54,7 +54,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-clo
    _Requirements_:

    * Have `docker` installed: https://docs.docker.com/get-docker/.
-    * AWS and/or Azure credentials
+    * AWS, GCP and/or Azure credentials
    * In the command below, change `-v` to your local directory path in order to access the reports.

    _Commands_:
@@ -71,7 +71,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-clo

    _Requirements for Ubuntu 20.04.3 LTS_:

-    * AWS and/or Azure credentials
+    * AWS, GCP and/or Azure credentials
    * Install python 3.9 with: `sudo apt-get install python3.9`
    * Remove python 3.8 to avoid conflicts if you can: `sudo apt-get remove python3.8`
    * Make sure you have the python3 distutils package installed: `sudo apt-get install python3-distutils`
@@ -91,7 +91,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-clo

    _Requirements for Developers_:

-    * AWS and/or Azure credentials
+    * AWS, GCP and/or Azure credentials
    * `git`, `Python >= 3.9`, `pip` and `poetry` installed (`pip install poetry`)

    _Commands_:
@@ -108,7 +108,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-clo

    _Requirements_:

-    * AWS and/or Azure credentials
+    * AWS, GCP and/or Azure credentials
    * Latest Amazon Linux 2 should come with Python 3.9 already installed however it may need pip. Install Python pip 3.9 with: `sudo dnf install -y python3-pip`.
    * Make sure setuptools for python is already installed with: `pip3 install setuptools`

@@ -125,7 +125,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-clo
    _Requirements_:

    * `Brew` installed in your Mac or Linux
-    * AWS and/or Azure credentials
+    * AWS, GCP and/or Azure credentials

    _Commands_:

@@ -194,7 +194,7 @@ You can run Prowler from your workstation, an EC2 instance, Fargate or any other
 ![Architecture](img/architecture.png)
 ## Basic Usage

-To run Prowler, you will need to specify the provider (e.g aws or azure):
+To run Prowler, you will need to specify the provider (e.g aws, gcp or azure):
 > If no provider specified, AWS will be used for backward compatibility with most of v2 options.

 ```console
@@ -226,6 +226,7 @@ For executing specific checks or services you can use options `-c`/`checks` or `
 ```console
 prowler azure --checks storage_blob_public_access_level_is_disabled
 prowler aws --services s3 ec2
+prowler gcp --services iam compute
 ```

 Also, checks and services can be excluded with options `-e`/`--excluded-checks` or `--excluded-services`:
@@ -233,6 +234,7 @@ Also, checks and services can be excluded with options `-e`/`--excluded-checks`
 ```console
 prowler aws --excluded-checks s3_bucket_public_access
 prowler azure --excluded-services defender iam
+prowler gcp --excluded-services kms
 ```

 More options and executions methods that will save your time in [Miscelaneous](tutorials/misc.md).
@@ -252,6 +254,14 @@ prowler aws --profile custom-profile -f us-east-1 eu-south-2
 ```
 > By default, `prowler` will scan all AWS regions.

+### Google Cloud
+
+Optionally, you can provide the location of an application credential JSON file with the following argument:
+
+```console
+prowler gcp --credentials-file path
+```
+
 ### Azure

 With Azure you need to specify which auth method is going to be used:
--- a/docs/tutorials/aws/securityhub.md
+++ b/docs/tutorials/aws/securityhub.md
@@ -13,7 +13,7 @@ Before sending findings to Prowler, you will need to perform next steps:
    - Using the AWS Management Console:
     ![Screenshot 2020-10-29 at 10 26 02 PM](https://user-images.githubusercontent.com/3985464/97634660-5ade3400-1a36-11eb-9a92-4a45cc98c158.png)
 3. Allow Prowler to import its findings to AWS Security Hub by adding the policy below to the role or user running Prowler:
-    - [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/iam/prowler-security-hub.json)
+    - [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json)

 Once it is enabled, it is as simple as running the command below (for all regions):