This page describes the services and findings that the Security Command Center Risk Engine feature supports and the supportability limits it is subject to.
Risk Engine generates attack exposure scores and paths for the following:
- Supported finding categories in the
Vulnerability
andMisconfiguration
finding classes. For more information, see Supported finding categories. Toxic combination
class findings.- Resource instances of supported resource types that you designate as high value. For more information, see Resource types supported in high-value resource sets.
The following sections list the Security Command Center services and findings that are supported by Risk Engine.
Organization-level support only
The attack path simulations that Risk Engine uses to generate the attack exposure scores and attack paths require Security Command Center to be activated at the organization level. Attack path simulations are not supported with project-level activations of Security Command Center.
To view attack paths, your Google Cloud console view must be set to your organization. If you select a project or folder view in the Google Cloud console, you can see attack exposure scores, but you cannot see the attack paths.
Also, the IAM permissions that users need to view attack
paths must be granted at the organization level. At a minimum, users
must have the securitycenter.attackpaths.list
permission in a role
granted at the organization level. The least permissive predefined
IAM role that contains this permission is
Security Center Attack Paths Reader (securitycenter.attackPathsViewer
).
To see other roles that contain this permission, see IAM basic and predefined roles reference.
Size limits for organizations
For attack path simulations, Risk Engine limits the number of active assets and active findings that an organization can contain.
If an organization exceeds the limits shown in the following table, attack path simulations don't run.
Type of limit | Usage limit |
---|---|
Maximum number of active findings | 250,000,000 |
Maximum number of active assets | 26,000,000 |
If the assets, findings, or both in your organization are approaching these limits or exceed them, contact Cloud Customer Care to request an evaluation of your organization for a possible increase.
Google Cloud services included in attack path simulations
The simulations that Risk Engine runs can include the following Google Cloud services:
- Artifact Registry
- BigQuery
- Cloud Run functions
- Cloud Key Management Service
- Cloud Load Balancing
- Cloud NAT
- Cloud Router
- Cloud SQL
- Cloud Storage
- Compute Engine
- Identity and Access Management
- Google Kubernetes Engine
- Virtual Private Cloud, including subnets and firewall configurations
- Resource Manager
High-value resource set limits
A high-value resource set supports only certain resource types and can contain only a certain number of resource instances.
Instance limit for high-value resource sets
A high-value resource set for a cloud service provider platform can contain up to 1,000 resource instances.
Resource types supported in high-value resource sets
You can add only the following types of Google Cloud resources to a high-value resource set:
aiplatform.googleapis.com/Dataset
aiplatform.googleapis.com/Featurestore
aiplatform.googleapis.com/MetadataStore
aiplatform.googleapis.com/Model
aiplatform.googleapis.com/TrainingPipeline
bigquery.googleapis.com/Dataset
cloudfunctions.googleapis.com/CloudFunction
compute.googleapis.com/Instance
container.googleapis.com/Cluster
sqladmin.googleapis.com/Instance
storage.googleapis.com/Bucket
For a list of supported resource types for other cloud service providers, see Cloud service provider support.
Resource value configuration limit
You can create up to 100 resource value configurations per organization on Google Cloud.
Google Cloud resource types supported with data-sensitivity classifications
Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery for only the following data resource types:
bigquery.googleapis.com/Dataset
sqladmin.googleapis.com/Instance
storage.googleapis.com/Bucket
Supported finding categories
Attack path simulations generate attack exposure scores and attack paths for only the Security Command Center finding categories from the Security Command Center detection services that are listed in this section.
GKE Security Posture findings
The following GKE Security Posture finding categories are supported by attack path simulations:
- GKE runtime OS vulnerability
Mandiant Attack Surface Management findings
The following Mandiant Attack Surface Management finding categories are supported by attack path simulations:
- Software vulnerability
Risk Engine findings
The Toxic combination
finding category that is issued by
Risk Engine
supports attack exposure scores.
Security Health Analytics findings
The following Security Health Analytics findings are supported by attack path simulations on Google Cloud:
- Admin service account
- Auto repair disabled
- Auto upgrade disabled
- Binary authorization disabled
- Bucket policy only disabled
- Cluster private Google access disabled
- Cluster secrets encryption disabled
- Cluster shielded nodes disabled
- Compute project wide SSH keys allowed
- Compute Secure Boot disabled
- Compute Serial Ports Enabled
- COS not used
- Default service account used
- Full API access
- Master authorized networks disabled
- MFA not enforced
- Network policy disabled
- Nodepool secure boot disabled
- Open Cassandra port
- Open ciscosecure websm port
- Open directory services port
- Open DNS port
- Open elasticsearch port
- Open firewall
- Open FTP port
- Open HTTP port
- Open LDAP port
- Open Memcached port
- Open MongoDB port
- Open MySQL port
- Open NetBIOS port
- Open OracleDB port
- Open pop3 port
- Open PostgreSQL port
- Open RDP port
- Open Redis port
- Open SMTP port
- Open SSH port
- Open Telnet port
- Over privileged account
- Over privileged scopes
- Over privileged service account user
- Primitive roles used
- Private cluster disabled
- Public Bucket Acl
- Public IP address
- Public Log Bucket
- Release channel disabled
- Service account key not rotated
- User managed service account key
- Workload Identity disabled
VM Manager findings
The OS Vulnerability
finding category that is issued by
VM Manager
supports attack exposure scores.
Pub/Sub notification support
Changes to attack exposure scores cannot be used as a trigger for notifications to Pub/Sub.
Also findings sent to Pub/Sub when the findings are created do not include an attack exposure score because they are sent before a score can be calculated.
Multicloud support
Security Command Center can provide attack exposure scores and attack path visualizations for the following cloud service providers:
The vulnerability and misconfiguration detectors that attack path simulations support for other cloud service provider platforms depends on the detections that the Security Command Center detection services support on the platform.
Detector support differs for each cloud service provider.
AWS support
Security Command Center can calculate attack exposure scores and attack path visualizations for your resources on AWS.
AWS services supported by attack path simulations
The simulations can include the following AWS services:
- Identity and Access Management (IAM)
- Security Token Service (STS)
- Simple Storage Service (S3)
- Web Application Firewall (WAFv2)
- Elastic Compute Cloud (EC2)
- Elastic Load Balancing (ELB & ELBv2)
- Relational Database Service (RDS)
- Key Management Service (KMS)
- Elastic Container Registry (ECR)
- Elastic Container Service (ECS)
- ApiGateway & ApiGatewayv2
- Organizations (Account Management Service)
- CloudFront
- AutoScaling
- Lambda
- DynamoDB
AWS resource types supported in high-value resource sets
You can add only the following types of AWS resources to a high-value resource set:
- DynamoDB table
- EC2 instance
- Lambda function
- RDS DBCluster
- RDS DBInstance
- S3 bucket
AWS resource types supported with data-sensitivity classifications
Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery for only the following AWS data resource types:
- Amazon S3 bucket
Finding support in Security Health Analytics for AWS
Attack path simulations provides scores and attack path visualizations for the following Security Health Analytics finding categories:
- Access keys rotated 90 days less
- Credentials unused 45 days greater disabled
- Default security group VPC restricts all traffic
- EC2 instance no public IP
- IAM password policy
- IAM password policy prevents password reuse
- IAM password policy requires minimum length 14 greater
- IAM user unused credentials check
- IAM users receive permissions groups
- KMS cmk not scheduled for deletion
- MFA delete enabled S3 buckets
- MFA enabled root user account
- Multi factor authentication MFA enabled all IAM users console
- No root user account access key exists
- No security groups allow ingress 0 remote server administration
- No security groups allow ingress 0 0 0 0 remote server administration
- One active access key available any single IAM user
- Public access given RDS instance
- Restricted common ports
- Restricted SSH
- Rotation customer created CMKS enabled
- Rotation customer created symmetric CMKS enabled
- S3 buckets configured block public access bucket settings
- S3 bucket policy set deny HTTP requests
- S3 default encryption KMS
- VPC default security group closed
EC2 Vulnerability Assessment findings
The Software vulnerability
finding category that is issued by EC2
Vulnerability
Assessment
supports attack exposure scores.
User interface support
You can work with attack exposure scores in either the Google Cloud console, the Security Operations console, or the Security Command Center API.
You can work with attack exposure scores and attack paths for toxic combination cases in the Security Operations console only.
You can create resource value configurations only on the Attack path simulations tab of the Security Command Center Settings page in the Google Cloud console.