GCP Projects are evaluated to ensure they have VPC Service Controls enabled for Cloud Storage. VPC Service Controls establish security boundaries by restricting access to Cloud Storage resources to specific networks and trusted clients, preventing unauthorized data access and exfiltration.
Risk
Projects without VPC Service Controls protection for Cloud Storage may be vulnerable to unauthorized data access and exfiltration, even with proper IAM policies in place. VPC Service Controls provide an additional layer of network-level security that restricts API access based on the context of the request.
prowler gcp --checks cloudstorage_uses_vpc_service_controls
Recommendation
Enable VPC Service Controls for all Cloud Storage buckets by adding their projects to a service perimeter with storage.googleapis.com as a restricted service. This prevents data exfiltration and ensures API calls are only allowed from authorized networks.
Remediation
- Open Google Cloud Console → Security → VPC Service Controls
- Create a new service perimeter or select an existing one
- Add the relevant GCP projects to the perimeter's protected resources
- Add 'storage.googleapis.com' to the list of restricted services
- Configure appropriate ingress and egress rules
- Save the perimeter configuration
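To confirm that the recommendation above is actually in effect, the enforced perimeter configuration has to be inspected, not just the perimeter's existence. The script below is an added example, not Prowler's own check code; it applies the check's logic to constructed ServicePerimeter records shaped like the accesscontextmanager.googleapis.com API response (the project numbers and perimeter names are placeholders) and also handles two cases that look protected but are not: dry-run-only configuration and bridge perimeters.

```python
"""Evaluate whether each project's Cloud Storage API is covered by an enforced
VPC Service Controls perimeter. Added example; the sample data is constructed."""

STORAGE_API = "storage.googleapis.com"


def storage_protected_projects(perimeters):
    """Return project numbers whose Cloud Storage API is restricted by an
    enforced regular perimeter. Only ``status`` is enforced; ``spec`` is the
    dry-run configuration and blocks nothing. Bridge perimeters cannot restrict
    services, so they never count."""
    protected = set()
    for perimeter in perimeters:
        ptype = perimeter.get("perimeterType", "PERIMETER_TYPE_REGULAR")
        if ptype != "PERIMETER_TYPE_REGULAR":
            continue
        status = perimeter.get("status") or {}
        if STORAGE_API not in status.get("restrictedServices", []):
            continue
        for resource in status.get("resources", []):
            if resource.startswith("projects/"):
                protected.add(resource.split("/", 1)[1])
    return protected


def evaluate(projects, perimeters):
    """Map project id -> PASS/FAIL, mirroring the check's finding per project."""
    protected = storage_protected_projects(perimeters)
    return {pid: ("PASS" if num in protected else "FAIL") for pid, num in projects.items()}


# Constructed sample: project id -> project number (placeholders).
SAMPLE_PROJECTS = {"prod-data": "111111111111", "analytics": "222222222222",
                   "sandbox": "333333333333", "staging": "444444444444"}

# Constructed sample perimeters (placeholder policy id 123).
SAMPLE_PERIMETERS = [
    {"name": "accessPolicies/123/servicePerimeters/prod",  # enforced, storage restricted
     "perimeterType": "PERIMETER_TYPE_REGULAR",
     "status": {"resources": ["projects/111111111111"],
                "restrictedServices": [STORAGE_API, "bigquery.googleapis.com"]}},
    {"name": "accessPolicies/123/servicePerimeters/dryrun",  # dry run only: not enforced
     "perimeterType": "PERIMETER_TYPE_REGULAR", "useExplicitDryRunSpec": True,
     "spec": {"resources": ["projects/222222222222"], "restrictedServices": [STORAGE_API]},
     "status": {}},
    {"name": "accessPolicies/123/servicePerimeters/bq-only",  # enforced, storage missing
     "perimeterType": "PERIMETER_TYPE_REGULAR",
     "status": {"resources": ["projects/333333333333"],
                "restrictedServices": ["bigquery.googleapis.com"]}},
    {"name": "accessPolicies/123/servicePerimeters/bridge",  # bridge: no restriction
     "perimeterType": "PERIMETER_TYPE_BRIDGE",
     "status": {"resources": ["projects/444444444444"]}},
]

if __name__ == "__main__":
    for project, result in evaluate(SAMPLE_PROJECTS, SAMPLE_PERIMETERS).items():
        print(f"{result}: {project}")
```

Only prod-data passes; the dry-run perimeter is the case most often mistaken for protection, so check `status`, not `spec`, when validating the remediation.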
Resource Type
cloudresourcemanager.googleapis.com/Project