
Commit 3defbcd

puchy22 and HugoPBrito authored
chore(gcp): enhance metadata for cloudstorage service (#9640)
Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
1 parent ceb4691 commit 3defbcd


11 files changed

+88
-60
lines changed


prowler/CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -24,6 +24,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
2424
- Parallelize Cloudflare zone API calls with threading to improve scan performance [(#9982)](https://github.com/prowler-cloud/prowler/pull/9982)
2525
- Update GCP API Keys service metadata to new format [(#9637)](https://github.com/prowler-cloud/prowler/pull/9637)
2626
- Update GCP BigQuery service metadata to new format [(#9638)](https://github.com/prowler-cloud/prowler/pull/9638)
27+
- Update GCP Cloud Storage service metadata to new format [(#9640)](https://github.com/prowler-cloud/prowler/pull/9640)
2728

2829
### 🔐 Security
2930

prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.metadata.json

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@
1313
"Risk": "Without Data Access audit logs, you cannot track who accessed or modified objects in your Cloud Storage buckets, making it difficult to detect unauthorized access, data exfiltration, or compliance violations.",
1414
"RelatedUrl": "",
1515
"AdditionalURLs": [
16-
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-data-access-audit-logs.html",
16+
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/enable-data-access-audit-logs.html",
1717
"https://cloud.google.com/storage/docs/audit-logging"
1818
],
1919
"Remediation": {
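Review bot: the second AdditionalURLs entry, `"https://cloud.google.com/storage/docs/audit-logging"`, is left on the old `cloud.google.com` host while the other metadata files in this commit move Google documentation links to `docs.cloud.google.com`; the same applies to the `access-logs` link in cloudstorage_bucket_logging_enabled. Either migrate these two in the same pass or leave all Google links untouched, so link style stays consistent across the service.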

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_lifecycle_management_enabled/cloudstorage_bucket_lifecycle_management_enabled.metadata.json

Lines changed: 11 additions & 9 deletions
@@ -1,30 +1,32 @@
11
{
22
"Provider": "gcp",
33
"CheckID": "cloudstorage_bucket_lifecycle_management_enabled",
4-
"CheckTitle": "Cloud Storage buckets have lifecycle management enabled",
4+
"CheckTitle": "Cloud Storage bucket has lifecycle management enabled with at least one valid rule",
55
"CheckType": [],
66
"ServiceName": "cloudstorage",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
9-
"Severity": "medium",
9+
"Severity": "low",
1010
"ResourceType": "storage.googleapis.com/Bucket",
1111
"ResourceGroup": "storage",
12-
"Description": "**Google Cloud Storage buckets** are evaluated for the presence of **lifecycle management** with at least one valid rule (supported action and non-empty condition) to automatically transition or delete objects and optimize storage costs.",
13-
"Risk": "Buckets without lifecycle rules can accumulate stale data, increase storage costs, and fail to meet data retention and internal compliance requirements.",
12+
"Description": "**Cloud Storage buckets** use **Object Lifecycle Management** with at least one valid rule (supported `action` and non-empty `condition`) to automatically transition storage class or delete objects.",
13+
"Risk": "Without lifecycle rules, data and object versions persist indefinitely, expanding the attack surface and hindering mandated erasure. Stale data amplifies exfiltration impact (**confidentiality**) and complicates **integrity** controls, while also driving avoidable cost and retention noncompliance.",
1414
"RelatedUrl": "",
1515
"AdditionalURLs": [
16-
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-lifecycle-management.html",
17-
"https://cloud.google.com/storage/docs/lifecycle"
16+
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/enable-lifecycle-management.html",
17+
"https://docs.cloud.google.com/storage/docs/managing-lifecycles",
18+
"https://docs.cloud.google.com/storage/docs/lifecycle",
19+
"https://docs.cloud.google.com/storage/docs/samples/storage-enable-bucket-lifecycle-management"
1820
],
1921
"Remediation": {
2022
"Code": {
2123
"CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --lifecycle-file=<PATH_TO_JSON>",
2224
"NativeIaC": "",
23-
"Other": "1) Open Google Cloud ConsoleStorage Buckets <BUCKET_NAME>\n2) Tab 'Lifecycle'\n3) Add rule(s) to delete or transition objects (e.g., delete after 365 days; transition STANDARD→NEARLINE after 90 days)\n4) Save",
24-
"Terraform": "```hcl\n# Example: enable lifecycle to transition and delete objects\nresource \"google_storage_bucket\" \"example\" {\n name = var.bucket_name\n location = var.location\n\n # Transition STANDARD → NEARLINE after 90 days\n lifecycle_rule {\n action {\n type = \"SetStorageClass\"\n storage_class = \"NEARLINE\"\n }\n condition {\n age = 90\n matches_storage_class = [\"STANDARD\"]\n }\n }\n\n # Delete objects after 365 days\n lifecycle_rule {\n action {\n type = \"Delete\"\n }\n condition {\n age = 365\n }\n }\n}\n```"
25+
"Other": "1. In Google Cloud Console, go to Storage > Buckets and open <BUCKET_NAME>\n2. Click the Lifecycle tab\n3. Click Add a rule\n4. Action: Delete\n5. Condition: Age = 1 day\n6. Click Create/Save",
26+
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"US\"\n\n # Critical: add at least one lifecycle rule with a condition to pass the check\n lifecycle_rule {\n action { type = \"Delete\" } # Critical: defines a supported action\n condition { age = 1 } # Critical: ensures the rule has a valid condition\n }\n}\n```"
2527
},
2628
"Recommendation": {
27-
"Text": "Configure lifecycle rules to automatically delete stale objects or transition them to colder storage classes according to your organization's retention and cost-optimization policy.",
29+
"Text": "Define lifecycle policies by data classification to enforce **least data retention**. Use `Delete` for TTL/age and `SetStorageClass` for archival, with version-aware conditions like `isLive=false` or `numNewerVersions`. Test on a limited dataset, review regularly, and align with **defense in depth**.",
2830
"Url": "https://hub.prowler.com/check/cloudstorage_bucket_lifecycle_management_enabled"
2931
}
3032
},
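Review bot: the new remediation in `"Other"` (step 5, `Condition: Age = 1 day`) and the Terraform snippet (`action { type = "Delete" }` with `condition { age = 1 }`) make the check pass but, applied verbatim to a real bucket, would delete every object older than one day; remediation text gets copied, so use a placeholder such as `<AGE_IN_DAYS>` or a conservative value with a comment that the age must follow the bucket's retention requirements, and consider keeping the `SetStorageClass` transition rule the old text had, since the Recommendation text still names it as the non-destructive option. The severity also drops from `medium` to `low` with no rationale in the commit message; a one-line justification in the PR would help future reviewers.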

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.metadata.json

Lines changed: 16 additions & 9 deletions
@@ -1,33 +1,40 @@
11
{
22
"Provider": "gcp",
33
"CheckID": "cloudstorage_bucket_log_retention_policy_lock",
4-
"CheckTitle": "Cloud Storage log bucket has a Retention Policy with Bucket Lock enabled",
4+
"CheckTitle": "Cloud Storage log sink bucket has a retention policy with Bucket Lock enabled",
55
"CheckType": [],
66
"ServiceName": "cloudstorage",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
9-
"Severity": "medium",
9+
"Severity": "high",
1010
"ResourceType": "storage.googleapis.com/Bucket",
1111
"ResourceGroup": "storage",
12-
"Description": "**Google Cloud Storage buckets** used as **log sinks** are evaluated to ensure that a **Retention Policy** is configured and **Bucket Lock** is enabled. Enabling Bucket Lock permanently prevents the retention policy from being reduced or removed, protecting logs from modification or deletion.",
13-
"Risk": "Log sink buckets without a locked retention policy are at risk of log tampering or accidental deletion. Without Bucket Lock, an attacker or user could remove or shorten the retention policy, compromising the integrity of audit logs required for forensics and compliance investigations.",
12+
"Description": "**Cloud Storage log sink buckets** have a configured **retention period** with **Bucket Lock** applied, ensuring the retention policy cannot be shortened or removed.",
13+
"Risk": "Without a locked retention policy, exported logs can be deleted early or retention reduced, undermining log **integrity** and **availability**. An attacker or malicious insider could purge evidence to evade detection, hindering **forensics** and weakening **non-repudiation** across the environment.",
1414
"RelatedUrl": "",
1515
"AdditionalURLs": [
16-
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/retention-policies-with-bucket-lock.html"
16+
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/retention-policies-with-bucket-lock.html",
17+
"https://docs.cloud.google.com/storage/docs/bucket-lock",
18+
"https://docs.cloud.google.com/storage/docs/using-bucket-lock",
19+
"https://docs.cloud.google.com/storage/docs/samples/storage-lock-retention-policy",
20+
"https://docs.cloud.google.com/logging/docs/export/configure_export_v2"
1721
],
1822
"Remediation": {
1923
"Code": {
2024
"CLI": "gcloud storage buckets lock-retention-policy gs://<LOG_BUCKET_NAME>",
2125
"NativeIaC": "",
22-
"Other": "1) Open Google Cloud ConsoleStorage Buckets → <LOG_BUCKET_NAME>\n2) Go to the **Configuration** tab\n3) Under **Retention policy**, ensure a retention duration is set\n4) Click **Lock** to enable Bucket Lock and confirm the operation",
23-
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"log_bucket\" {\n name = var.log_bucket_name\n location = var.location\n\n retention_policy {\n retention_period = 31536000 # 365 days in seconds\n is_locked = true\n }\n}\n```"
26+
"Other": "1. In Google Cloud Console, go to Storage > Buckets and open the bucket used by your Logs Router sink\n2. Click the Configuration tab\n3. Under Retention policy, click Edit, set any required retention duration, and click Save\n4. Click Lock retention policy, type LOCK to confirm, and confirm to permanently lock it",
27+
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<LOCATION>\"\n\n retention_policy {\n retention_period = 86400 # Required: enable a retention policy (1 day)\n is_locked = true # CRITICAL: locks the retention policy (Bucket Lock) to pass the check\n }\n}\n```"
2428
},
2529
"Recommendation": {
26-
"Text": "Configure a retention policy and enable Bucket Lock on all Cloud Storage buckets used as log sinks to ensure log integrity and immutability.",
30+
"Text": "Set a **retention policy** on every log sink bucket and enable **Bucket Lock**. Choose durations that meet investigative and regulatory needs. Enforce **least privilege** and **separation of duties** for bucket and logging administration, and apply **defense in depth** so no single actor can weaken log retention.",
2731
"Url": "https://hub.prowler.com/check/cloudstorage_bucket_log_retention_policy_lock"
2832
}
2933
},
30-
"Categories": [],
34+
"Categories": [
35+
"logging",
36+
"forensics-ready"
37+
],
3138
"DependsOn": [],
3239
"RelatedTo": [],
3340
"Notes": ""
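Review bot: the unchanged `"CLI"` remediation, `gcloud storage buckets lock-retention-policy gs://<LOG_BUCKET_NAME>`, only locks a policy that already exists, whereas the `"Other"` steps and the Terraform snippet both set a retention period first; the CLI should do the same, e.g. `gcloud storage buckets update gs://<LOG_BUCKET_NAME> --retention-period=<DURATION>` followed by the lock command, otherwise a bucket with no retention policy cannot be remediated from the CLI alone. The Terraform example locks a 1-day period (`retention_period = 86400`); since the Description states the locked policy cannot be shortened or removed and the Recommendation asks for durations that meet investigative and regulatory needs, a placeholder or a comment that the value must be chosen before locking would keep users from locking in a period that is too short.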

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@
1313
"Risk": "Buckets without Usage and Storage Logs enabled lack visibility into access and storage activity, which increases the risk of undetected data exfiltration, misuse, or configuration errors.",
1414
"RelatedUrl": "",
1515
"AdditionalURLs": [
16-
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-usage-and-storage-logs.html",
16+
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/enable-usage-and-storage-logs.html",
1717
"https://cloud.google.com/storage/docs/access-logs"
1818
],
1919
"Remediation": {

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_public_access/cloudstorage_bucket_public_access.metadata.json

Lines changed: 18 additions & 11 deletions
@@ -1,27 +1,34 @@
11
{
22
"Provider": "gcp",
33
"CheckID": "cloudstorage_bucket_public_access",
4-
"CheckTitle": "Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible",
4+
"CheckTitle": "Cloud Storage bucket is not publicly accessible",
55
"CheckType": [],
66
"ServiceName": "cloudstorage",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
9-
"Severity": "high",
10-
"ResourceType": "Bucket",
9+
"Severity": "critical",
10+
"ResourceType": "storage.googleapis.com/Bucket",
1111
"ResourceGroup": "storage",
12-
"Description": "Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible",
13-
"Risk": "Allowing anonymous or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.",
14-
"RelatedUrl": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/publicly-accessible-storage-buckets.html",
12+
"Description": "**Cloud Storage buckets** are assessed for **anonymous or public access** by detecting permissions granted to broad principals like `allUsers` or `allAuthenticatedUsers` that make bucket data reachable without authentication.",
13+
"Risk": "**Public buckets** undermine **confidentiality** and **integrity**. Anyone can list or download objects; if write access exists, content can be overwritten or deleted. Abuse enables hotlinking and malware hosting, impacting **availability** and driving unexpected egress costs.",
14+
"RelatedUrl": "",
15+
"AdditionalURLs": [
16+
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/publicly-accessible-storage-buckets.html",
17+
"https://docs.cloud.google.com/storage/docs/public-access-prevention",
18+
"https://docs.cloud.google.com/storage/docs/access-control/iam",
19+
"https://docs.cloud.google.com/storage/docs/access-control/iam-reference",
20+
"https://docs.cloud.google.com/storage/docs/using-uniform-bucket-level-access"
21+
],
1522
"Remediation": {
1623
"Code": {
17-
"CLI": "",
24+
"CLI": "gcloud storage buckets update gs://<example_resource_name> --public-access-prevention enforced",
1825
"NativeIaC": "",
19-
"Other": "https://docs.prowler.com/checks/gcp/google-cloud-public-policies/bc_gcp_public_1",
20-
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-public-policies/bc_gcp_public_1#terraform"
26+
"Other": "1. In Google Cloud Console, go to Storage > Buckets and open <example_resource_name>\n2. Click the Permissions tab\n3. Set Public access prevention to Enforced\n4. Click Save",
27+
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<LOCATION>\"\n\n public_access_prevention = \"enforced\" # Critical: blocks allUsers/allAuthenticatedUsers, making the bucket not publicly accessible\n}\n```"
2128
},
2229
"Recommendation": {
23-
"Text": "It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.",
24-
"Url": "https://cloud.google.com/storage/docs/access-control/iam-reference"
30+
"Text": "Adopt **least privilege**: remove `allUsers`/`allAuthenticatedUsers` and grant only required identities. Enforce **Public Access Prevention** and use uniform bucket-level access. *If external sharing is needed*, issue **signed URLs** or use an authenticated proxy/CDN, and review permissions regularly.",
31+
"Url": "https://hub.prowler.com/check/cloudstorage_bucket_public_access"
2532
}
2633
},
2734
"Categories": [
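Review bot: the new Description says the check detects grants to `allUsers` / `allAuthenticatedUsers`, but the new `"CLI"`, `"Other"` and Terraform remediations only enforce Public Access Prevention; if the finding is derived from the IAM bindings rather than from the PAP setting, those bindings also need removing (the Recommendation text already says so), so consider adding `gcloud storage buckets remove-iam-policy-binding gs://<BUCKET_NAME> --member=allUsers --role=<ROLE>` next to the PAP command. The bucket placeholder here is `<example_resource_name>` while the other files in this commit use `<BUCKET_NAME>`; pick one for the whole service. Severity moves from `high` to `critical` without a stated reason; a line of justification in the PR would help.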

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.metadata.json

Lines changed: 9 additions & 9 deletions
@@ -1,30 +1,30 @@
11
{
22
"Provider": "gcp",
33
"CheckID": "cloudstorage_bucket_soft_delete_enabled",
4-
"CheckTitle": "Cloud Storage buckets have Soft Delete enabled",
4+
"CheckTitle": "Cloud Storage bucket has Soft Delete enabled",
55
"CheckType": [],
66
"ServiceName": "cloudstorage",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "medium",
1010
"ResourceType": "storage.googleapis.com/Bucket",
1111
"ResourceGroup": "storage",
12-
"Description": "**Google Cloud Storage buckets** are evaluated to ensure that **Soft Delete** is enabled. Soft Delete helps protect data from accidental or malicious deletion by retaining deleted objects for a specified duration, allowing recovery within that retention window.",
13-
"Risk": "Buckets without Soft Delete enabled are at higher risk of irreversible data loss caused by accidental or unauthorized deletions, since deleted objects cannot be recovered once removed.",
12+
"Description": "**Google Cloud Storage buckets** are assessed for **Soft Delete** being enabled with a non-zero retention window, meaning deleted objects are temporarily preserved and can be restored until the window expires.",
13+
"Risk": "**No Soft Delete** makes object deletions **immediate and irreversible**, undermining data **availability** and **integrity**. Accidental removal, compromised credentials, wiper malware, or misconfigured lifecycle rules can erase datasets with no recovery path, breaking RPO/RTO and legal retention expectations.",
1414
"RelatedUrl": "",
1515
"AdditionalURLs": [
16-
"https://cloud.google.com/storage/docs/soft-delete",
17-
"https://cloud.google.com/blog/products/storage-data-transfer/understanding-cloud-storages-new-soft-delete-feature"
16+
"https://docs.cloud.google.com/storage/docs/soft-delete",
17+
"https://docs.cloud.google.com/storage/docs/use-soft-delete"
1818
],
1919
"Remediation": {
2020
"Code": {
21-
"CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --soft-delete-retention-duration=<SECONDS>",
21+
"CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --soft-delete-duration=<SECONDS>",
2222
"NativeIaC": "",
23-
"Other": "1) Open Google Cloud ConsoleStorage Buckets <BUCKET_NAME>\n2) Tab 'Configuration'\n3) Under 'Soft Delete', click 'Enable Soft Delete'\n4) Set the desired retention duration and save changes",
24-
"Terraform": "```hcl\n# Example: enable Soft Delete on a Cloud Storage bucket\nresource \"google_storage_bucket\" \"example\" {\n name = var.bucket_name\n location = var.location\n\n soft_delete_policy {\n retention_duration_seconds = 604800 # 7 days\n }\n}\n```"
23+
"Other": "1. In Google Cloud Console, go to Storage > Buckets and open <BUCKET_NAME>\n2. Click the Configuration tab\n3. In the Soft Delete section, click Enable Soft Delete\n4. Set a retention duration > 0 and click Save",
24+
"Terraform": "```hcl\nresource \"google_storage_bucket\" \"<example_resource_name>\" {\n name = \"<example_resource_id>\"\n location = \"<LOCATION>\"\n\n soft_delete_policy {\n retention_duration_seconds = 604800 # Critical: >0 enables Soft Delete (7 days)\n }\n}\n```"
2525
},
2626
"Recommendation": {
27-
"Text": "Enable Soft Delete on Cloud Storage buckets to retain deleted objects for a defined period, improving data recoverability and resilience against accidental or malicious deletions.",
27+
"Text": "Enable **Soft Delete** with a retention window aligned to your RPO/RTO. Apply **least privilege** for delete/undelete actions and use **defense in depth** with object versioning and retention policies. Monitor deletion events and regularly test restore procedures to ensure recoverability.",
2828
"Url": "https://hub.prowler.com/check/cloudstorage_bucket_soft_delete_enabled"
2929
}
3030
},
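Review bot: the Terraform snippet uses `"<example_resource_name>"` for the resource label but `"<example_resource_id>"` for `name`, while the `"Other"` and `"CLI"` strings use `<BUCKET_NAME>`; the mixed placeholders read like a copy error, so unify them. Step 4 of `"Other"` says a retention duration `> 0` while the Terraform comment and value show 7 days (604800); stating the same guidance in both places keeps the remediations consistent. The flag rename to `--soft-delete-duration` is the correct gcloud flag and is a good catch.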

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.metadata.json

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@
1313
"Risk": "Insufficient or missing retention allows premature deletion or modification of objects, weakening data recovery and compliance with retention requirements.",
1414
"RelatedUrl": "",
1515
"AdditionalURLs": [
16-
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/sufficient-retention-period.html"
16+
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/sufficient-retention-period.html"
1717
],
1818
"Remediation": {
1919
"Code": {
