
Commit 006c2dc

puchy22 and HugoPBrito authored
chore(gcp): enhance metadata for iam service (#9646)
Co-authored-by: HugoPBrito <hugopbrit@gmail.com> Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
1 parent 4981d3f commit 006c2dc

File tree

13 files changed

+201
-131
lines changed


prowler/CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -33,6 +33,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
3333
- Update GCP DNS service metadata to new format [(#9643)](https://github.com/prowler-cloud/prowler/pull/9643)
3434
- Update GCP GCR service metadata to new format [(#9644)](https://github.com/prowler-cloud/prowler/pull/9644)
3535
- Update GCP GKE service metadata to new format [(#9645)](https://github.com/prowler-cloud/prowler/pull/9645)
36+
- Update GCP IAM service metadata to new format [(#9646)](https://github.com/prowler-cloud/prowler/pull/9646)
3637

3738
### 🔐 Security
3839

prowler/providers/gcp/services/iam/iam_account_access_approval_enabled/iam_account_access_approval_enabled.metadata.json

Lines changed: 16 additions & 11 deletions
@@ -1,30 +1,35 @@
11
{
22
"Provider": "gcp",
33
"CheckID": "iam_account_access_approval_enabled",
4-
"CheckTitle": "Ensure Access Approval is Enabled in your account",
4+
"CheckTitle": "Project has Access Approval enabled",
55
"CheckType": [],
66
"ServiceName": "iam",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "high",
10-
"ResourceType": "Account",
11-
"ResourceGroup": "governance",
12-
"Description": "Ensure that Access Approval is enabled within your Google Cloud Platform (GCP) account in order to allow you to require your explicit approval whenever Google personnel need to access your GCP projects. Once the Access Approval feature is enabled, you can delegate users within your organization who can approve the access requests by giving them a security role in Identity and Access Management (IAM). These requests show the requester name/ID in an email or Pub/Sub message that you can choose to approve. This creates a new control and logging layer that reveals who in your organization approved/denied access requests to your projects.",
13-
"Risk": "Controlling access to your Google Cloud data is crucial when working with business-critical and sensitive data. With Access Approval, you can be certain that your cloud information is accessed by approved Google personnel only. The Access Approval feature ensures that a cryptographically-signed approval is available for Google Cloud support and engineering teams when they need to access your cloud data (certain exceptions apply). By default, Access Approval and its dependency of Access Transparency are not enabled.",
10+
"ResourceType": "accessapproval.googleapis.com/AccessApprovalSettings",
11+
"Description": "**GCP project** has **Access Approval** configured at the project level, requiring explicit customer authorization before Google personnel can access project data. The evaluation looks for Access Approval settings associated with the project.",
12+
"Risk": "Without Access Approval, Google support or engineering may access Customer Data without prior consent, weakening **confidentiality** and **accountability**. Reduced visibility hinders incident response and raises exposure for sensitive or regulated workloads.",
1413
"RelatedUrl": "",
14+
"AdditionalURLs": [
15+
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudIAM/enable-access-approval.html",
16+
"https://cloud.google.com/cloud-provider-access-management/access-approval/docs"
17+
],
1518
"Remediation": {
1619
"Code": {
17-
"CLI": "",
20+
"CLI": "gcloud access-approval settings update --project=<PROJECT_ID> --enrolled-services=all",
1821
"NativeIaC": "",
19-
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/enable-access-approval.html",
20-
"Terraform": ""
22+
"Other": "1. In the Google Cloud Console, go to Security > Access Approval (or search \"Access Approval\")\n2. Select the project <example_resource_id>\n3. Click Enable (or Edit settings if already open)\n4. Set Enrolled services to All Google Cloud services\n5. Click Save (enable the API if prompted)",
23+
"Terraform": "```hcl\nresource \"google_access_approval_settings\" \"<example_resource_name>\" {\n project = \"<example_resource_id>\"\n\n enrolled_services {\n cloud_product = \"all\" # Critical: enroll all services to enable Access Approval for the project\n enrollment_level = \"BLOCK_ALL\" # Critical: require approval for all applicable access requests\n }\n}\n```"
2124
},
2225
"Recommendation": {
23-
"Text": "Ensure that Access Approval is enabled within your Google Cloud Platform (GCP) account in order to allow you to require your explicit approval whenever Google personnel need to access your GCP projects. Once the Access Approval feature is enabled, you can delegate users within your organization who can approve the access requests by giving them a security role in Identity and Access Management (IAM). These requests show the requester name/ID in an email or Pub/Sub message that you can choose to approve. This creates a new control and logging layer that reveals who in your organization approved/denied access requests to your projects.",
24-
"Url": "https://cloud.google.com/cloud-provider-access-management/access-approval/docs"
26+
"Text": "Enable **Access Approval** for projects and *where feasible* at higher hierarchy for consistency. Assign **least-privilege approvers** with **separation of duties**, integrate timely notifications, and monitor **Access Transparency** records to maintain **defense in depth**.",
27+
"Url": "https://hub.prowler.com/check/iam_account_access_approval_enabled"
2528
}
2629
},
27-
"Categories": [],
30+
"Categories": [
31+
"identity-access"
32+
],
2833
"DependsOn": [],
2934
"RelatedTo": [],
3035
"Notes": ""
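Review bot: placeholders are inconsistent within this file: `CLI` uses `<PROJECT_ID>` while the console steps in `Other` and the Terraform block use `<example_resource_id>` for the same project id; pick one convention (the other metadata files in this commit also mix `<PROJECT_ID>` and `<example_project_id>`). The new `CheckTitle` reads "Project has Access Approval enabled" while the audit-logs check in the same commit uses the "GCP project has ..." prefix; align the prefix across the service. The Terraform comments mark `cloud_product = "all"` and `enrollment_level = "BLOCK_ALL"` as critical, which matches the CLI's `--enrolled-services=all`, but the `Description` says the check only looks for Access Approval settings associated with the project; if that is the case, say so explicitly so readers understand that a project enrolled for only a subset of services also passes.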

prowler/providers/gcp/services/iam/iam_audit_logs_enabled/iam_audit_logs_enabled.metadata.json

Lines changed: 18 additions & 11 deletions
@@ -1,30 +1,37 @@
11
{
22
"Provider": "gcp",
33
"CheckID": "iam_audit_logs_enabled",
4-
"CheckTitle": "Configure Google Cloud Audit Logs to Track All Activities",
4+
"CheckTitle": "GCP project has Cloud Audit Logs enabled",
55
"CheckType": [],
66
"ServiceName": "iam",
7-
"SubServiceName": "Audit Logs",
7+
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "medium",
10-
"ResourceType": "GCPProject",
11-
"ResourceGroup": "governance",
12-
"Description": "Ensure that Google Cloud Audit Logs feature is configured to track Data Access logs for all Google Cloud Platform (GCP) services and users, in order to enhance overall access security and meet compliance requirements. Once configured, the feature can record all admin related activities, as well as all the read and write access requests to user data.",
13-
"Risk": "In order to maintain an effective Google Cloud audit configuration for your project, folder, and organization, all 3 types of Data Access logs (ADMIN_READ, DATA_READ and DATA_WRITE) must be enabled for all supported GCP services. Also, Data Access logs should be captured for all IAM users, without exempting any of them. Exemptions let you control which users generate audit logs. When you add an exempted user to your log configuration, audit logs are not created for that user, for the selected log type(s). Data Access audit logs are disabled by default and must be explicitly enabled based on your business requirements.",
10+
"ResourceType": "cloudresourcemanager.googleapis.com/Project",
11+
"Description": "**GCP project** has **Cloud Audit Logs** configured to capture administrative operations and data access events for services and principals (*per IAM Audit Logs*, including `ADMIN_READ`, `DATA_READ`, `DATA_WRITE`).",
12+
"Risk": "Absent or partial audit logging reduces visibility into who accessed data or changed configurations, hindering detection and forensics.\n\nMisused identities can alter IAM to persist access, exfiltrate data, or delete resources, impacting **confidentiality**, **integrity**, and **availability**.",
1413
"RelatedUrl": "",
14+
"AdditionalURLs": [
15+
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudIAM/record-all-activities.html",
16+
"https://cloud.google.com/logging/docs/audit/",
17+
"https://docs.cloud.google.com/logging/docs/audit/configure-data-access"
18+
],
1519
"Remediation": {
1620
"Code": {
1721
"CLI": "",
1822
"NativeIaC": "",
19-
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/record-all-activities.html",
20-
"Terraform": "https://docs.prowler.com/checks/gcp/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project#terraform"
23+
"Other": "1. In the Google Cloud console, go to IAM & Admin > Audit Logs\n2. Click Set default configuration\n3. Under Permission types, check Admin Read, Data Read, and Data Write\n4. Click Save",
24+
"Terraform": "```hcl\n# Enable Cloud Audit Logs (Data Access) for all services\nresource \"google_project_iam_audit_config\" \"all\" {\n project = \"<example_resource_id>\"\n service = \"allServices\" # Critical: apply to all services\n\n # Critical: enable Data Access audit log types to pass the check\n audit_log_config { log_type = \"ADMIN_READ\" } # metadata/config reads\n audit_log_config { log_type = \"DATA_READ\" } # data reads\n audit_log_config { log_type = \"DATA_WRITE\" } # data writes\n}\n```"
2125
},
2226
"Recommendation": {
23-
"Text": "It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.",
24-
"Url": "https://cloud.google.com/logging/docs/audit/"
27+
"Text": "Enable comprehensive **Cloud Audit Logs** for all services and principals, including `ADMIN_READ`, `DATA_READ`, `DATA_WRITE`. *Avoid exemptions.* Set org/folder defaults, centralize and retain logs, enforce least privilege on log access, protect logs from alteration, and alert on anomalous access.",
28+
"Url": "https://hub.prowler.com/check/iam_audit_logs_enabled"
2529
}
2630
},
27-
"Categories": [],
31+
"Categories": [
32+
"logging",
33+
"forensics-ready"
34+
],
2835
"DependsOn": [],
2936
"RelatedTo": [],
3037
"Notes": ""
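Review bot: `google_project_iam_audit_config` is documented as authoritative for a given project and service, so the `allServices` block will replace any existing `allServices` audit config, including its `exempted_members`; that is the desired result given the recommendation to avoid exemptions, but it deserves a comment in the HCL so users do not add `exempted_members` back and silently reopen the finding. `CLI` is left empty; if there is no single `gcloud` command because Data Access audit configs are set through the project IAM policy, a short sentence in `Other` pointing to the IAM policy route would be more useful than an empty string. Minor wording: "(*per IAM Audit Logs*, including `ADMIN_READ`, `DATA_READ`, `DATA_WRITE`)" in `Description` reads awkwardly; "covering the `ADMIN_READ`, `DATA_READ` and `DATA_WRITE` log types" says the same thing.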

prowler/providers/gcp/services/iam/iam_cloud_asset_inventory_enabled/iam_cloud_asset_inventory_enabled.metadata.json

Lines changed: 17 additions & 12 deletions
@@ -1,30 +1,35 @@
11
{
22
"Provider": "gcp",
33
"CheckID": "iam_cloud_asset_inventory_enabled",
4-
"CheckTitle": "Ensure Cloud Asset Inventory Is Enabled",
4+
"CheckTitle": "Project has Cloud Asset Inventory API enabled",
55
"CheckType": [],
66
"ServiceName": "iam",
7-
"SubServiceName": "Asset Inventory",
7+
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "high",
10-
"ResourceType": "Service",
11-
"ResourceGroup": "governance",
12-
"Description": "GCP Cloud Asset Inventory is services that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.",
13-
"Risk": "Gaining insight into Google Cloud resources and policies is vital for tasks such as DevOps, security analytics, multi-cluster and fleet management, auditing, and governance. With Cloud Asset Inventory you can discover, monitor, and analyze all GCP assets in one place, achieving a better understanding of all your cloud assets across projects and services.",
10+
"ResourceType": "serviceusage.googleapis.com/Service",
11+
"Description": "**Project service usage** includes the **Cloud Asset Inventory** API (`cloudasset.googleapis.com`), enabling resource and IAM policy inventory with time-series metadata and change history.",
12+
"Risk": "Without **Cloud Asset Inventory**, gaps in asset and IAM visibility hinder detection of drift and unauthorized changes, weakening access control integrity and risking data confidentiality. Shadow assets and silent privilege escalation can persist, delaying incident response.",
1413
"RelatedUrl": "",
14+
"AdditionalURLs": [
15+
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudAPI/enabled-cloud-asset-inventory.html",
16+
"https://cloud.google.com/asset-inventory/docs"
17+
],
1518
"Remediation": {
1619
"Code": {
17-
"CLI": "gcloud services enable cloudasset.googleapis.com",
20+
"CLI": "gcloud services enable cloudasset.googleapis.com --project <PROJECT_ID>",
1821
"NativeIaC": "",
19-
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudAPI/enabled-cloud-asset-inventory.html",
20-
"Terraform": ""
22+
"Other": "1. In the Google Cloud Console, select the project <PROJECT_ID> from the project picker.\n2. Go to APIs & Services > Library.\n3. Search for \"Cloud Asset Inventory API\" and select it.\n4. Click Enable.\n5. Verify it appears under APIs & Services > Enabled APIs & services.",
23+
"Terraform": "```hcl\nresource \"google_project_service\" \"<example_resource_name>\" {\n project = \"<example_project_id>\"\n service = \"cloudasset.googleapis.com\" # Enables Cloud Asset Inventory API to pass the check\n}\n```"
2124
},
2225
"Recommendation": {
23-
"Text": "Ensure that Cloud Asset Inventory is enabled for all your GCP projects in order to efficiently manage the history and the inventory of your cloud resources. Google Cloud Asset Inventory is a fully managed metadata inventory service that allows you to view, monitor, analyze, and gain insights for your Google Cloud and Anthos assets. Cloud Asset Inventory is disabled by default in each GCP project.",
24-
"Url": "https://cloud.google.com/asset-inventory/docs"
26+
"Text": "Enable **Cloud Asset Inventory** across all projects *and, if applicable, at the organization level* to maintain authoritative asset and IAM histories. Centralize analysis, retain records per policy, and use the data to enforce **least privilege** and **defense in depth**.",
27+
"Url": "https://hub.prowler.com/check/iam_cloud_asset_inventory_enabled"
2528
}
2629
},
27-
"Categories": [],
30+
"Categories": [
31+
"forensics-ready"
32+
],
2833
"DependsOn": [],
2934
"RelatedTo": [],
3035
"Notes": ""
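Review bot: the Terraform block enables the API but does not set `disable_on_destroy = false`; with the provider default, destroying the resource disables `cloudasset.googleapis.com` again, which is not what a remediation snippet should do. Add `disable_on_destroy = false` with a comment. Placeholders also drift within the file: `CLI` and `Other` use `<PROJECT_ID>` while Terraform uses `<example_project_id>`; use one name for the project id.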

prowler/providers/gcp/services/iam/iam_no_service_roles_at_project_level/iam_no_service_roles_at_project_level.metadata.json

Lines changed: 17 additions & 11 deletions
@@ -1,30 +1,36 @@
11
{
22
"Provider": "gcp",
33
"CheckID": "iam_no_service_roles_at_project_level",
4-
"CheckTitle": "Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level",
4+
"CheckTitle": "Project has no IAM users assigned the Service Account User or Service Account Token Creator roles at project level",
55
"CheckType": [],
66
"ServiceName": "iam",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "medium",
10-
"ResourceType": "IAM Policy",
11-
"ResourceGroup": "IAM",
12-
"Description": "It is recommended to assign the `Service Account User (iam.serviceAccountUser)` and `Service Account Token Creator (iam.serviceAccountTokenCreator)` roles to a user for a specific service account rather than assigning the role to a user at project level.",
13-
"Risk": "The Service Account User (iam.serviceAccountUser) role allows an IAM user to attach a service account to a long-running job service such as an App Engine App or Dataflow Job, whereas the Service Account Token Creator (iam.serviceAccountTokenCreator) role allows a user to directly impersonate the identity of a service account.",
14-
"RelatedUrl": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/check-for-iam-users-with-service-roles.html",
10+
"ResourceType": "cloudresourcemanager.googleapis.com/Project",
11+
"Description": "**Google Cloud IAM policies** are inspected for **project-level grants** of `roles/iam.serviceAccountUser` and `roles/iam.serviceAccountTokenCreator` to principals. The focus is on bindings that enable attaching or impersonating service accounts at the project scope rather than on individual service accounts.",
12+
"Risk": "**Project-wide impersonation rights** enable **privilege escalation** and **lateral movement**. Holders can act as any service account, access data across services, modify resources, and persist access. New service accounts inherit exposure, undermining confidentiality and integrity.",
13+
"RelatedUrl": "",
14+
"AdditionalURLs": [
15+
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudIAM/check-for-iam-users-with-service-roles.html",
16+
"https://cloud.google.com/iam/docs/granting-changing-revoking-access",
17+
"https://cloud.google.com/iam/docs/best-practices-service-accounts?ref=alphasec.io"
18+
],
1519
"Remediation": {
1620
"Code": {
1721
"CLI": "",
1822
"NativeIaC": "",
19-
"Other": "https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_3",
20-
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_3#terraform"
23+
"Other": "1. In Google Cloud Console, go to IAM & Admin > IAM\n2. Use the filter to find Role: Service Account User\n3. Remove all project-level bindings for this role and click Save\n4. Repeat steps 2-3 for Role: Service Account Token Creator\n5. Do not add these roles at the project level; if needed, grant them on specific service accounts only (IAM & Admin > Service Accounts > select account > Permissions > Grant access)",
24+
"Terraform": "```hcl\n# Grant required access at the service account level instead of the project level\nresource \"google_service_account_iam_member\" \"<example_resource_name>\" {\n service_account_id = \"projects/<example_resource_id>/serviceAccounts/<example_resource_name>@<example_resource_id>.iam.gserviceaccount.com\" # CRITICAL: scope grant to a specific service account, not the project\n role = \"roles/iam.serviceAccountUser\" # CRITICAL: this role is granted only at the service account level\n member = \"user:<example_resource_name>@example.com\"\n}\n```"
2125
},
2226
"Recommendation": {
23-
"Text": "Ensure that the Service Account User and Service Account Token Creator roles are assigned to a user for a specific GCP service account rather than to a user at the GCP project level, in order to implement the principle of least privilege (POLP). The principle of least privilege (also known as the principle of minimal privilege) is the practice of providing every user the minimal amount of access required to perform its tasks. Google Cloud Platform (GCP) IAM users should not have assigned the Service Account User or Service Account Token Creator roles at the GCP project level. Instead, these roles should be allocated to a user associated with a specific service account, providing that user access to the service account only.",
24-
"Url": "https://cloud.google.com/iam/docs/granting-changing-revoking-access"
27+
"Text": "Assign `roles/iam.serviceAccountUser` and `roles/iam.serviceAccountTokenCreator` only on the specific service account, not at project scope. Enforce **least privilege** and **separation of duties** with per-SA grants, conditional bindings, and time-bound access. Prefer **short-lived impersonation**; review grants regularly.",
28+
"Url": "https://hub.prowler.com/check/iam_no_service_roles_at_project_level"
2529
}
2630
},
27-
"Categories": [],
31+
"Categories": [
32+
"identity-access"
33+
],
2834
"DependsOn": [],
2935
"RelatedTo": [],
3036
"Notes": ""
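Review bot: the Terraform remediation only adds a per-service-account grant; it does not remove the project-level binding that makes the check fail, so applying it as-is leaves the finding open. Either pair it with removal of the project-level `roles/iam.serviceAccountUser` / `roles/iam.serviceAccountTokenCreator` binding or state in the HCL comment that the project-level grant must be removed first, as step 3 of `Other` already does. `<example_resource_name>` is reused for the Terraform resource name, the service account id and the user email, which is confusing; use distinct placeholders. The third `AdditionalURLs` entry carries a `?ref=alphasec.io` tracking parameter that should be dropped.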
