feat(gcp): add check to detect persistent disks on suspended VM instances (#9747)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: lydiavilchez

prowler/CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ## [5.18.0] (Prowler UNRELEASED)
 
+### Added
+
+- `compute_instance_suspended_without_persistent_disks` check for GCP provider [(#9747)](https://github.com/prowler-cloud/prowler/pull/9747)
+
 ### Changed
 
 - Update Azure App Service service metadata to new format [(#9613)](https://github.com/prowler-cloud/prowler/pull/9613)

prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/__init__.py

@@ -0,0 +1,37 @@
+{
+  "Provider": "gcp",
+  "CheckID": "compute_instance_suspended_without_persistent_disks",
+  "CheckTitle": "Suspended VM instance does not have persistent disks attached",
+  "CheckType": [],
+  "ServiceName": "compute",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "compute.googleapis.com/Instance",
+  "ResourceGroup": "compute",
+  "Description": "This check identifies VM instances in a **SUSPENDED** or **SUSPENDING** state with persistent disks still attached.\n\nPersistent disks on suspended VMs remain accessible through the GCP API and could contain **sensitive data** while the instance is inactive, potentially creating security blind spots in long-forgotten infrastructure.",
+  "Risk": "Persistent disks on suspended VM instances remain accessible through the GCP API and may contain **sensitive data**, creating potential security risks:\n\n- **Unauthorized data access** if credentials are compromised or permissions are misconfigured\n- **Data exposure** from forgotten infrastructure that is no longer actively monitored\n- **Security blind spots** where suspended resources are overlooked during security reviews and audits",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/icompute/docs/instances/suspend-resume-instance",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/persistent-disks-attached-to-suspended-vms.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gcloud compute instances delete INSTANCE_NAME --zone=ZONE",
+      "NativeIaC": "",
+      "Other": "1. Open the Google Cloud Console\n2. Navigate to Compute Engine > VM instances\n3. Identify suspended instances with attached disks\n4. If the instance is no longer needed, select it and click DELETE\n5. If the instance will be resumed, take no action or resume it with: gcloud compute instances resume INSTANCE_NAME --zone=ZONE",
+      "Terraform": "```hcl\n# To remediate, either delete the suspended instance or resume it\n# Delete by removing the resource from your Terraform configuration\n# Or resume by changing the desired_status\nresource \"google_compute_instance\" \"example_resource\" {\n  name         = \"example-instance\"\n  machine_type = \"e2-medium\"\n  zone         = \"us-central1-a\"\n\n  # Set desired_status to RUNNING to resume the instance\n  desired_status = \"RUNNING\"\n\n  boot_disk {\n    initialize_params {\n      image = \"debian-cloud/debian-11\"\n    }\n  }\n\n  network_interface {\n    network = \"default\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Regularly review suspended VM instances to reduce your attack surface. Either **resume** instances if still needed, or **delete** them along with their attached disks to eliminate potential data exposure. Implement automated policies to detect and alert on long-suspended instances as part of your security monitoring.",
+      "Url": "https://hub.prowler.com/check/compute_instance_suspended_without_persistent_disks"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [
+    "compute_instance_disk_auto_delete_disabled"
+  ],
+  "Notes": "This check is focused on security risks rather than cost optimization. Persistent disks on suspended VMs remain accessible and may contain sensitive data, creating potential unauthorized access risks."
+}

prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.metadata.json

@@ -0,0 +1,35 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.compute.compute_client import compute_client
+
+
+class compute_instance_suspended_without_persistent_disks(Check):
+    """
+    Ensure that VM instances in SUSPENDED state do not have persistent disks attached.
+
+    This check identifies VM instances that are in a SUSPENDED or SUSPENDING state
+    and have persistent disks still attached. Suspended VMs with attached disks
+    represent unused infrastructure that continues to incur storage costs.
+
+    - PASS: VM instance is not in SUSPENDED/SUSPENDING state, or is suspended but has no disks attached.
+    - FAIL: VM instance is in SUSPENDED/SUSPENDING state with persistent disks attached.
+    """
+
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        for instance in compute_client.instances:
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
+            report.status = "PASS"
+            report.status_extended = f"VM Instance {instance.name} is not suspended."
+
+            if instance.status in ("SUSPENDED", "SUSPENDING"):
+                attached_disks = [disk.name for disk in instance.disks]
+
+                if attached_disks:
+                    report.status = "FAIL"
+                    report.status_extended = f"VM Instance {instance.name} is {instance.status.lower()} with {len(attached_disks)} persistent disk(s) attached: {', '.join(attached_disks)}."
+                else:
+                    report.status_extended = f"VM Instance {instance.name} is {instance.status.lower()} but has no persistent disks attached."
+
+            findings.append(report)
+
+        return findings

prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.py

@@ -198,6 +198,7 @@ def _get_instances(self, zone):
                                     "deletionProtection", False
                                 ),
                                 network_interfaces=network_interfaces,
+                                status=instance.get("status", "RUNNING"),
                                 on_host_maintenance=instance.get("scheduling", {}).get(
                                     "onHostMaintenance", "MIGRATE"
                                 ),
@@ -700,6 +701,7 @@ class Instance(BaseModel):
     provisioning_model: str = "STANDARD"
     deletion_protection: bool = False
     network_interfaces: list[NetworkInterface] = []
+    status: str = "RUNNING"
     on_host_maintenance: str = "MIGRATE"