feat(gcp): Add VPC Service Controls check for Cloud Storage

[lydiavilchez]

Context

This PR implements a new security check for Google Cloud Platform to verify that Cloud Storage buckets are protected by VPC Service Controls.

VPC Service Controls help prevent data exfiltration by creating security perimeters around Google Cloud services. This check ensures buckets are properly protected within these perimeters, reducing the risk of unauthorized data access even with compromised credentials.

(https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/use-vpc-service-controls.html).

Description

New Service: accesscontextmanager

• Created complete service integration with Access Context Manager API
• Lists access policies at organization level
• Retrieves service perimeters and their configurations

New Check: cloudstorage_bucket_uses_vpc_service_controls

• Verifies that Cloud Storage buckets are within a VPC Service Controls perimeter
• Checks that storage.googleapis.com is included in the perimeter's restricted services
• Returns:
  • PASS: Bucket's project is in a Service Perimeter protecting storage.googleapis.com
  • FAIL: Bucket's project is not protected or perimeter doesn't include Storage

Steps to review

1. Review the new Access Context Manager service:

   • Verify the service correctly lists access policies at organization level
   • Confirm proper handling of service perimeters pagination
   • Check that resources and restricted services are correctly extracted from API responses
   • Verify error handling for missing permissions or API errors

2. Review the check logic:

   • Verify the pre-processing approach correctly builds the protected projects mapping
   • Confirm the check correctly identifies buckets in protected projects
   • Check that storage.googleapis.com is properly validated in restricted services
   • Verify status messages are clear and include perimeter names

3. Review the metadata.

4. Run the tests locally:

   pytest tests/providers/gcp/services/cloudstorage/cloudstorage_bucket_uses_vpc_service_controls/ -v

Checklist

• Are there new checks included in this PR? Yes / No
  • If so, do we need to update permissions for the provider? Please review this carefully.
• Review if the code is being covered by tests.
• Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable.

UI

• All issue/task requirements work as expected on the UI
• Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
• Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
• Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
• Ensure new entries are added to CHANGELOG.md, if applicable.

API

• Verify if API specs need to be regenerated.
• Check if version updates are required (e.g., specs, Poetry, etc.).
• Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[codecov]

Codecov Report

❌ Patch coverage is 97.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.91%. Comparing base (127b8d8) to head (379f978).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #9256      +/-   ##
==========================================
+ Coverage   92.54%   92.91%   +0.36%     
==========================================
  Files         154      123      -31     
  Lines       21231     2963   -18268     
==========================================
- Hits        19649     2753   -16896     
+ Misses       1582      210    -1372     

Flag	Coverage Δ
api	?
prowler-py3.10-gcp	92.84% <97.33%> (?)
prowler-py3.11-gcp	92.91% <97.33%> (?)
prowler-py3.12-gcp	92.84% <97.33%> (?)
prowler-py3.9-gcp	92.84% <97.33%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
prowler	92.91% <97.33%> (∅)
api	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔒 Container Security Scan

Image: prowler:b51fc09
Last scan: 2025-11-26 13:44:37 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	2
Total	2

2 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[danibarranqueroo]

Very great job! 🚀