chore(gcp): enhance metadata for dataproc service (#9642)

puchy22 · HugoPBrito · web-flow · commit 82be83c66893 · 2026-02-13T14:57:33.000+01:00
Co-authored-by: HugoPBrito &lt;hugopbrit@gmail.com&gt;
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
@@ -29,6 +29,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update GCP Cloud SQL service metadata to new format [(#9639)](https://github.com/prowler-cloud/prowler/pull/9639)
 - Update GCP Cloud Storage service metadata to new format [(#9640)](https://github.com/prowler-cloud/prowler/pull/9640)
 - Update GCP Compute Engine service metadata to new format [(#9641)](https://github.com/prowler-cloud/prowler/pull/9641)
+- Update GCP Dataproc service metadata to new format [(#9642)](https://github.com/prowler-cloud/prowler/pull/9642)
 
 ### 🔐 Security
 
diff --git a/prowler/providers/gcp/services/dataproc/dataproc_encrypted_with_cmks_disabled/dataproc_encrypted_with_cmks_disabled.metadata.json b/prowler/providers/gcp/services/dataproc/dataproc_encrypted_with_cmks_disabled/dataproc_encrypted_with_cmks_disabled.metadata.json
@@ -1,32 +1,34 @@
 {
   "Provider": "gcp",
   "CheckID": "dataproc_encrypted_with_cmks_disabled",
-  "CheckTitle": "Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key",
+  "CheckTitle": "Dataproc cluster is encrypted with a customer-managed encryption key (CMEK)",
   "CheckType": [],
   "ServiceName": "dataproc",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Cluster",
-  "ResourceGroup": "container",
-  "Description": "When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).",
-  "Risk": "The Dataproc cluster data is encrypted using a Google-generated Data Encryption Key (DEK) and a Key Encryption Key (KEK). If you need to control and manage your cluster data encryption yourself, you can use your own Customer-Managed Keys (CMKs). Cloud KMS Customer-Managed Keys can be implemented as an additional security layer on top of existing data encryption, and are often used in the enterprise world, where compliance and security controls are very strict.",
+  "Severity": "medium",
+  "ResourceType": "dataproc.googleapis.com/Cluster",
+  "Description": "Dataproc clusters use **Customer-Managed Encryption Keys** (`CMEK`) for VM **persistent disk** encryption. The finding determines whether a customer KMS key is configured for disk data instead of the default Google-managed keys.",
+  "Risk": "Without **CMEK** on Dataproc disks, keys remain provider-controlled, limiting **rotation**, **revocation**, and **location control**. This reduces containment if disks or snapshots are exposed and may block **data sovereignty** requirements, impacting **confidentiality** and incident response.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/Dataproc/enable-encryption-with-cmks-for-dataproc-clusters.html",
+    "https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/Dataproc/enable-encryption-with-cmks-for-dataproc-clusters.html",
-      "Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/ensure-gcp-dataproc-cluster-is-encrypted-with-customer-supplied-encryption-keys-cseks#terraform"
+      "Other": "1. In Google Cloud Console, go to Dataproc > Clusters\n2. Click Create cluster\n3. In Cluster configuration, open Security (or Encryption)\n4. For Disk encryption key, select Customer-managed key and choose your Cloud KMS key\n5. Click Create\n6. Migrate workloads to the new cluster and delete the old non-CMEK cluster",
+      "Terraform": "```hcl\nresource \"google_dataproc_cluster\" \"<example_resource_name>\" {\n  name   = \"<example_resource_name>\"\n  region = \"<example_region>\"\n\n  cluster_config {\n    encryption_config {\n      gce_pd_kms_key_name = \"projects/<example_project_id>/locations/<example_region>/keyRings/<example_keyring_name>/cryptoKeys/<example_key_name>\" # FIX: Sets CMEK for persistent disks to pass the check\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that your Google Cloud Dataproc clusters on Compute Engine are encrypted with Customer-Managed Keys (CMKs) in order to control the cluster data encryption/decryption process. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.",
-      "Url": "https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption"
+      "Text": "Enable **CMEK** for Dataproc disk, job-argument, and staging-bucket encryption.\n- Grant KMS access with **least privilege** to required service accounts\n- Enforce **regular rotation** and support **revocation/disable** procedures\n- Keep keys co-located with data and monitor KMS usage\n- Consider **Cloud EKM** for external key control",
+      "Url": "https://hub.prowler.com/check/dataproc_encrypted_with_cmks_disabled"
     }
   },
   "Categories": [
-    "encryption",
-    "gen-ai"
+    "encryption"
   ],
   "DependsOn": [],
   "RelatedTo": [],
