feat(gcp): add cloudstorage_bucket_soft_delete_enabled check (#9028)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: lydiavilchez

prowler/CHANGELOG.md

@@ -9,6 +9,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Add OCI mapping to scan and check classes [(#8927)](https://github.com/prowler-cloud/prowler/pull/8927)
 - `codepipeline_project_repo_private` check for AWS provider [(#5915)](https://github.com/prowler-cloud/prowler/pull/5915)
 - `cloudstorage_bucket_versioning_enabled` check for GCP provider [(#9014)](https://github.com/prowler-cloud/prowler/pull/9014)
+- `cloudstorage_bucket_soft_delete_enabled` check for GCP provider [(#9028)](https://github.com/prowler-cloud/prowler/pull/9028)
 
 ### Changed
 - Update AWS Direct Connect service metadata to new format [(#8855)](https://github.com/prowler-cloud/prowler/pull/8855)

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/__init__.py

@@ -0,0 +1,36 @@
+{
+  "Provider": "gcp",
+  "CheckID": "cloudstorage_bucket_soft_delete_enabled",
+  "CheckTitle": "Cloud Storage buckets have Soft Delete enabled",
+  "CheckType": [],
+  "ServiceName": "cloudstorage",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "storage.googleapis.com/Bucket",
+  "Description": "**Google Cloud Storage buckets** are evaluated to ensure that **Soft Delete** is enabled. Soft Delete helps protect data from accidental or malicious deletion by retaining deleted objects for a specified duration, allowing recovery within that retention window.",
+  "Risk": "Buckets without Soft Delete enabled are at higher risk of irreversible data loss caused by accidental or unauthorized deletions, since deleted objects cannot be recovered once removed.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/storage/docs/soft-delete",
+    "https://cloud.google.com/blog/products/storage-data-transfer/understanding-cloud-storages-new-soft-delete-feature"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --soft-delete-retention-duration=<SECONDS>",
+      "NativeIaC": "",
+      "Other": "1) Open Google Cloud Console → Storage → Buckets → <BUCKET_NAME>\n2) Tab 'Configuration'\n3) Under 'Soft Delete', click 'Enable Soft Delete'\n4) Set the desired retention duration and save changes",
+      "Terraform": "```hcl\n# Example: enable Soft Delete on a Cloud Storage bucket\nresource \"google_storage_bucket\" \"example\" {\n  name     = var.bucket_name\n  location = var.location\n\n  soft_delete_policy {\n    retention_duration_seconds = 604800  # 7 days\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable Soft Delete on Cloud Storage buckets to retain deleted objects for a defined period, improving data recoverability and resilience against accidental or malicious deletions.",
+      "Url": "https://hub.prowler.com/check/cloudstorage_bucket_soft_delete_enabled"
+    }
+  },
+  "Categories": [
+    "resilience"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.metadata.json

@@ -0,0 +1,31 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.cloudstorage.cloudstorage_client import (
+    cloudstorage_client,
+)
+
+
+class cloudstorage_bucket_soft_delete_enabled(Check):
+    """
+    Ensure Cloud Storage buckets have Soft Delete enabled.
+
+    Reports PASS if a bucket has Soft Delete enabled (retentionDurationSeconds > 0),
+    otherwise FAIL.
+    """
+
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        for bucket in cloudstorage_client.buckets:
+            report = Check_Report_GCP(metadata=self.metadata(), resource=bucket)
+            report.status = "FAIL"
+            report.status_extended = (
+                f"Bucket {bucket.name} does not have Soft Delete enabled."
+            )
+
+            if bucket.soft_delete_enabled:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Bucket {bucket.name} has Soft Delete enabled."
+                )
+
+            findings.append(report)
+        return findings

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.py

@@ -43,6 +43,15 @@ def _get_buckets(self):
                             "enabled", False
                         )
 
+                        soft_delete_enabled = False
+                        soft_delete_policy = bucket.get("softDeletePolicy")
+                        if isinstance(soft_delete_policy, dict):
+                            retention = soft_delete_policy.get(
+                                "retentionDurationSeconds"
+                            )
+                            if retention and int(retention) > 0:
+                                soft_delete_enabled = True
+
                         self.buckets.append(
                             Bucket(
                                 name=bucket["name"],
@@ -56,6 +65,7 @@ def _get_buckets(self):
                                 project_id=project_id,
                                 lifecycle_rules=lifecycle_rules,
                                 versioning_enabled=versioning_enabled,
+                                soft_delete_enabled=soft_delete_enabled,
                             )
                         )
 
@@ -78,3 +88,4 @@ class Bucket(BaseModel):
     retention_policy: Optional[dict] = None
     lifecycle_rules: Optional[list[dict]] = None
     versioning_enabled: Optional[bool] = False
+    soft_delete_enabled: Optional[bool] = False

prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py

@@ -0,0 +1,186 @@
+from unittest import mock
+
+from tests.providers.gcp.gcp_fixtures import (
+    GCP_PROJECT_ID,
+    GCP_US_CENTER1_LOCATION,
+    set_mocked_gcp_provider,
+)
+
+
+class TestCloudStorageBucketSoftDeleteEnabled:
+    def test_no_buckets(self):
+        cloudstorage_client = mock.MagicMock()
+        cloudstorage_client.buckets = []
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_soft_delete_enabled.cloudstorage_bucket_soft_delete_enabled.cloudstorage_client",
+                new=cloudstorage_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_soft_delete_enabled.cloudstorage_bucket_soft_delete_enabled import (
+                cloudstorage_bucket_soft_delete_enabled,
+            )
+
+            check = cloudstorage_bucket_soft_delete_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_bucket_with_soft_delete_disabled(self):
+        cloudstorage_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_soft_delete_enabled.cloudstorage_bucket_soft_delete_enabled.cloudstorage_client",
+                new=cloudstorage_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_soft_delete_enabled.cloudstorage_bucket_soft_delete_enabled import (
+                cloudstorage_bucket_soft_delete_enabled,
+            )
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_service import (
+                Bucket,
+            )
+
+            cloudstorage_client.project_ids = [GCP_PROJECT_ID]
+            cloudstorage_client.region = GCP_US_CENTER1_LOCATION
+
+            cloudstorage_client.buckets = [
+                Bucket(
+                    name="soft-delete-disabled",
+                    id="soft-delete-disabled",
+                    region=GCP_US_CENTER1_LOCATION,
+                    uniform_bucket_level_access=True,
+                    public=False,
+                    retention_policy=None,
+                    project_id=GCP_PROJECT_ID,
+                    lifecycle_rules=[],
+                    versioning_enabled=False,
+                    soft_delete_enabled=False,
+                )
+            ]
+
+            check = cloudstorage_bucket_soft_delete_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Bucket {cloudstorage_client.buckets[0].name} does not have Soft Delete enabled."
+            )
+            assert result[0].resource_id == "soft-delete-disabled"
+            assert result[0].resource_name == "soft-delete-disabled"
+            assert result[0].location == GCP_US_CENTER1_LOCATION
+            assert result[0].project_id == GCP_PROJECT_ID
+
+    def test_bucket_with_soft_delete_enabled(self):
+        cloudstorage_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_soft_delete_enabled.cloudstorage_bucket_soft_delete_enabled.cloudstorage_client",
+                new=cloudstorage_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_soft_delete_enabled.cloudstorage_bucket_soft_delete_enabled import (
+                cloudstorage_bucket_soft_delete_enabled,
+            )
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_service import (
+                Bucket,
+            )
+
+            cloudstorage_client.project_ids = [GCP_PROJECT_ID]
+            cloudstorage_client.region = GCP_US_CENTER1_LOCATION
+
+            cloudstorage_client.buckets = [
+                Bucket(
+                    name="with-soft-delete",
+                    id="with-soft-delete",
+                    region=GCP_US_CENTER1_LOCATION,
+                    uniform_bucket_level_access=True,
+                    public=False,
+                    retention_policy=None,
+                    project_id=GCP_PROJECT_ID,
+                    lifecycle_rules=[],
+                    versioning_enabled=True,
+                    soft_delete_enabled=True,
+                )
+            ]
+
+            check = cloudstorage_bucket_soft_delete_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Bucket {cloudstorage_client.buckets[0].name} has Soft Delete enabled."
+            )
+            assert result[0].resource_id == "with-soft-delete"
+            assert result[0].resource_name == "with-soft-delete"
+            assert result[0].location == GCP_US_CENTER1_LOCATION
+            assert result[0].project_id == GCP_PROJECT_ID
+
+    def test_bucket_without_soft_delete_configured_treated_as_disabled(self):
+        cloudstorage_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_soft_delete_enabled.cloudstorage_bucket_soft_delete_enabled.cloudstorage_client",
+                new=cloudstorage_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_bucket_soft_delete_enabled.cloudstorage_bucket_soft_delete_enabled import (
+                cloudstorage_bucket_soft_delete_enabled,
+            )
+            from prowler.providers.gcp.services.cloudstorage.cloudstorage_service import (
+                Bucket,
+            )
+
+            cloudstorage_client.project_ids = [GCP_PROJECT_ID]
+            cloudstorage_client.region = GCP_US_CENTER1_LOCATION
+
+            cloudstorage_client.buckets = [
+                Bucket(
+                    name="no-soft-delete-policy",
+                    id="no-soft-delete-policy",
+                    region=GCP_US_CENTER1_LOCATION,
+                    uniform_bucket_level_access=True,
+                    public=False,
+                    retention_policy=None,
+                    project_id=GCP_PROJECT_ID,
+                    lifecycle_rules=[],
+                    versioning_enabled=False,
+                )
+            ]
+
+            check = cloudstorage_bucket_soft_delete_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Bucket {cloudstorage_client.buckets[0].name} does not have Soft Delete enabled."
+            )
+            assert result[0].resource_id == "no-soft-delete-policy"
+            assert result[0].resource_name == "no-soft-delete-policy"
+            assert result[0].location == GCP_US_CENTER1_LOCATION
+            assert result[0].project_id == GCP_PROJECT_ID