Overview of Security Health Analytics

Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud. It can automatically detect common vulnerabilities and misconfigurations across the following Google Cloud services:

  • Cloud Monitoring and Cloud Logging
  • Compute Engine
  • Google Kubernetes Engine containers and networks
  • Cloud Storage
  • Cloud SQL
  • Identity and Access Management (IAM)
  • Cloud Key Management Service (Cloud KMS)
  • Cloud DNS

Security Health Analytics is automatically enabled when you activate the Security Command Center Standard or Premium tier.

Standard and Premium tier support

Security Command Center is available in two service tiers: Standard and Premium.

In the Standard tier, Security Health Analytics can detect only a basic group of medium-severity and high-severity vulnerabilities. For a list of the finding categories that Security Health Analytics detects with the Standard tier, see The Standard service tier.

The Premium tier includes all Security Health Analytics vulnerability detectors, as well as a number of other vulnerability and threat detection features, such as the ability to create custom detection modules.

With the Premium tier, Security Command Center also calculates attack exposure scores and potential attack paths for most Security Health Analytics findings. For more information, see Overview of attack exposure scores and attack paths.

Security Health Analytics scan types

Security Health Analytics scans run in three modes:

  • Batch scan: All detectors are scheduled to run for all enrolled organizations or projects once a day.

  • Real-time scan: Supported detectors start scans whenever a change is detected in a resource's configuration. Findings are written to Security Command Center.

  • Mixed-mode: Some detectors that support real-time scans might not detect changes in real time for all supported resource types. In those cases, configuration changes for some resource types are captured immediately and others are captured in batch scans. Exceptions are noted in the tables of Security Health Analytics findings.

Security Health Analytics detectors

Security Health Analytics uses detectors to identify vulnerabilities and misconfigurations in your cloud environment. Each detector corresponds to a finding category.

Security Health Analytics comes with many built-in detectors that check for vulnerabilities and misconfigurations across a large number of categories and resource types.

You can also create your own custom detectors that can check for vulnerabilities or misconfigurations that are not covered by the built-in detectors or that are specific to your environment.

For more information about the built-in Security Health Analytics detectors, see Security Health Analytics built-in detectors.

For more information about creating and using custom modules, see Security Health Analytics custom modules.

Detector enablement

Not all Security Health Analytics built-in detectors are enabled by default.

To turn on inactive built-in detectors, see Enable and disable detectors.

To enable or disable a Security Health Analytics custom detection module, you can update the custom module by using the Google Cloud console, the gcloud CLI, or the Security Command Center API.

For more information about updating Security Health Analytics custom modules, see Update a custom module.

Detector support with project-level activations

You can activate Security Command Center for an entire organization, or for one or more projects within an organization.

Built-in detectors and project-level activations

When you enable Security Command Center for a project only, certain built-in Security Health Analytics detectors are not supported because they require organization-level permissions.

Some of the built-in detectors that require an organization-level activation are available with the Standard tier of Security Command Center. You can use those detectors with project-level activations by enabling the Standard tier for your organization, which is free of charge.

Built-in detectors that require both the Premium tier and organization-level permissions are not supported with project-level activations.

For a list of the built-in Standard-tier detectors that require an organization-level activation of Security Command Center Standard before they can be used with a project-level activation, see Organization-level Standard tier finding categories.

For a list of built-in Premium-tier detectors that are not supported with project-level activations, see Unsupported Security Health Analytics findings.

Custom module detectors and project-level activations

The scans of custom module detectors that you create in a project are limited to the scope of the project, regardless of the activation level of Security Command Center. Custom module detectors can scan only the resources that are available to the project in which they are created.

For more information about custom modules, see Security Health Analytics custom modules.

Security Health Analytics built-in detectors

Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory.

This section describes the predefined detector types, supported resources or asset types, compliance standards, and specific vulnerability finding types that Security Health Analytics can generate.

Security Health Analytics built-in detectors by resource type

The Security Health Analytics findings are grouped into the following high-level categories. To see the individual detectors that are included in each category, click the category name.

Security Health Analytics custom modules

Security Health Analytics custom modules are custom detectors that extend the detection capabilities of Security Health Analytics beyond those provided by the built-in detectors.

You can create custom modules by using the guided workflow in the Google Cloud console, or you can create the custom module definition yourself in a YAML file and then upload it to Security Command Center by using Google Cloud CLI commands or the Security Command Center API.

For more information, see Overview of custom modules for Security Health Analytics.
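
A custom module definition of the kind described above, shown as an added example that is not taken from this page. The file name, display name, description text, and 30-day threshold are assumptions chosen for illustration, and ORGANIZATION_ID is a placeholder.

```yaml
# kms_rotation_module.yaml (file name is an assumption)
# Constructed example of a Security Health Analytics custom module definition.
# Upload with the gcloud CLI (ORGANIZATION_ID is a placeholder):
#   gcloud scc custom-modules sha create \
#     --organization=ORGANIZATION_ID \
#     --display-name="kms_key_rotation_period" \
#     --enablement-state="ENABLED" \
#     --custom-config-from-file=kms_rotation_module.yaml

# Severity assigned to every finding this module produces.
severity: MEDIUM
description: >-
  The rotation period of this Cloud KMS key is longer than 30 days.
recommendation: >-
  Edit the key's rotation period in Cloud KMS and set it to 30 days or less.

# Asset types the module scans.
resource_selector:
  resource_types:
    - cloudkms.googleapis.com/CryptoKey

# CEL expression evaluated against each selected resource;
# a finding is generated when it evaluates to true.
# 2592000s is 30 days.
predicate:
  expression: resource.rotationPeriod > duration("2592000s")

# Extra properties attached to each finding for triage.
custom_output:
  properties:
    - name: rotation_period
      value_expression:
        expression: resource.rotationPeriod
```

A module created with a project as its parent scans only the resources available to that project, as described under project-level activations.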

Detectors and compliance

Most of Security Command Center's detectors are mapped to one or more of the following compliance standards:

CIS reviewed and certified the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Command Center frequently adds support for new benchmark versions and standards. Older versions of the CIS Benchmark remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark available.