Overview of Security Health Analytics

Security Health Analytics is a managed service of Security Command Center that scans your cloud environments for common misconfigurations that might expose you to attack.

Security Health Analytics is automatically enabled when you activate Security Command Center.

Security Health Analytics features by tier

The Security Health Analytics features that are available to you differ depending on the service tier at which Security Command Center is enabled.

Standard tier features

In the Standard tier, Security Health Analytics can detect only a basic group of medium-severity and high-severity vulnerabilities. For a list of the finding categories that Security Health Analytics detects with the Standard tier, see The Standard service tier.

Premium tier features

The Premium tier includes the following features:

  • All detectors for Google Cloud, as well as a number of other vulnerability detection features, such as the ability to create custom detection modules.
  • Findings are mapped to compliance controls for compliance reporting. For more information, see Detectors and compliance.
  • Security Command Center attack path simulations calculate attack exposure scores and potential attack paths for most Security Health Analytics findings. For more information, see Overview of attack exposure scores and attack paths.

For a list of all Premium tier features, see Premium tier.

Enterprise tier features

The Enterprise tier includes all of the Premium tier features, as well as detectors for other cloud service provider platforms.

Switching tiers

Most Security Health Analytics detectors are available only in the Security Command Center Premium tier and Enterprise tier. If you are using the Premium or Enterprise tier and plan to switch to the Standard tier, we recommend that you resolve all findings before changing your tier.

When a Premium or Enterprise trial ends or you downgrade to the Standard tier from either the Premium tier or the Enterprise tier, the state of the findings that were generated at the higher tier is set to INACTIVE.

Multicloud support

Security Health Analytics can detect misconfigurations in your deployments on other cloud platforms.

Security Health Analytics supports the following other cloud service providers:

  • Amazon Web Services (AWS)

To run the detectors on AWS, you first need to connect Security Command Center to AWS, as described in Connect to AWS for vulnerability detection and risk assessment.

Supported Google Cloud services

Security Health Analytics managed vulnerability assessment scanning for Google Cloud can automatically detect common vulnerabilities and misconfigurations across the following Google Cloud services:

  • Cloud Monitoring and Cloud Logging
  • Compute Engine
  • Google Kubernetes Engine containers and networks
  • Cloud Storage
  • Cloud SQL
  • Identity and Access Management (IAM)
  • Cloud Key Management Service (Cloud KMS)
  • Cloud DNS

Security Health Analytics scan types

Security Health Analytics scans run in three modes:

  • Batch scan: All detectors are scheduled to run for all enrolled organizations or projects once a day.

  • Real-time scan: For Google Cloud deployments only, supported detectors start scans whenever a change is detected in a resource's configuration. Findings are written to Security Command Center. Real-time scans are not supported for deployments on other cloud platforms.

  • Mixed-mode: Some detectors that support real-time scans might not detect changes in real time for all supported resource types. In those cases, configuration changes for some resource types are captured immediately and others are captured in batch scans. Exceptions are noted in the tables of Security Health Analytics findings.

Security Health Analytics detectors

Security Health Analytics uses detectors to identify vulnerabilities and misconfigurations in your cloud environment. Each detector corresponds to a finding category.

Security Health Analytics comes with many built-in detectors that check for vulnerabilities and misconfigurations across a large number of categories and resource types.

You can also create your own custom detectors that can check for vulnerabilities or misconfigurations that are not covered by the built-in detectors or that are specific to your environment.

For more information about the built-in Security Health Analytics detectors, see Security Health Analytics built-in detectors.

For more information about creating and using custom modules, see Security Health Analytics custom modules.

Detector enablement

Not all Security Health Analytics built-in detectors for Google Cloud are enabled by default.

If you are using the Enterprise tier with multicloud support, all of the detectors for AWS are enabled by default.

To turn on inactive built-in detectors, see Enable and disable detectors.

To enable or disable a Security Health Analytics custom detection module, you can update the custom module by using the Google Cloud console, the gcloud CLI, or the Security Command Center API.

For more information about updating Security Health Analytics custom modules, see Update a custom module.

Detector support with project-level activations

With the Standard and Premium tiers, you can activate Security Command Center for an entire organization, or for one or more projects within an organization.

The Enterprise tier does not support project-level activations.

Built-in detectors and project-level activations

When you enable Security Command Center for a project only, certain built-in Security Health Analytics detectors are not supported because they require organization-level permissions.

Of the built-in detectors that require an organization-level activation, those that are available with the Standard tier can be used with a project-level activation if you enable the Standard tier for your organization, which is free of charge.

Built-in detectors that require both the Premium tier and organization-level permissions are not supported with project-level activations.

For a list of the built-in Standard-tier detectors that require an organization-level activation of Security Command Center Standard before they can be used with a project-level activation, see Organization-level Standard tier finding categories.

For a list of built-in Premium-tier detectors that are not supported with project-level activations, see Unsupported Security Health Analytics findings.

Custom module detectors and project-level activations

The scans of custom module detectors that you create in a project are limited to the scope of the project, regardless of the activation level of Security Command Center. Custom module detectors can scan only the resources that are available to the project in which they are created.

For more information about custom modules, see Security Health Analytics custom modules.

Security Health Analytics built-in detectors

This section describes the high-level categories of the detectors, listed by cloud platform and the finding category that they generate.

Built-in detectors for Google Cloud by high-level category

The Security Health Analytics detectors for Google Cloud, and the findings that they issue, are grouped into the following high-level categories.

Security Health Analytics detectors monitor a subset of the Google Cloud resource types that are supported by Cloud Asset Inventory.

To see the individual detectors that are included in each category, click the category name.

Built-in detectors for AWS

For a list of all of the Security Health Analytics detectors for AWS, see AWS findings.

Security Health Analytics custom modules

Security Health Analytics custom modules are custom detectors for Google Cloud that extend the detection capabilities of Security Health Analytics beyond those provided by the built-in detectors.

Custom modules are not supported for other cloud platforms.

You can create custom modules by using the guided workflow in the Google Cloud console, or you can create the custom module definition yourself in a YAML file and then upload it to Security Command Center by using Google Cloud CLI commands or the Security Command Center API.

For more information, see Overview of custom modules for Security Health Analytics.
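As an added example (not taken from this documentation), the following is a custom module definition in the YAML form described above: it raises a finding for any Cloud KMS key whose rotation period is longer than 30 days. The top-level keys and the Cloud KMS resource type are the custom-module schema as I know it from the Security Command Center API; the threshold, description, recommendation and output property name are constructed for this example.

```yaml
# Added example of a Security Health Analytics custom module (constructed, not from the docs).
# Severity assigned to every finding this module produces.
severity: MEDIUM
description: "Cloud KMS key rotation period is longer than 30 days."
recommendation: "Set the key's rotation period to 30 days or less."

# Cloud Asset Inventory resource types the module evaluates.
resourceSelector:
  resourceTypes:
    - cloudkms.googleapis.com/CryptoKey

# CEL predicate; a finding is created when it evaluates to true for a resource.
# 2592000s is 30 days; the threshold is a constructed example value.
predicate:
  expression: resource.rotationPeriod > duration("2592000s")

# Extra properties attached to each finding to help triage.
customOutput:
  properties:
    - name: rotation_period
      valueExpression:
        expression: resource.rotationPeriod
```

Uploading and enabling the module is then a single gcloud scc custom-modules sha create call that passes this file with --custom-config-from-file and --enablement-state=enabled (flag names as I know them; confirm against the gcloud reference for your CLI version).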

Detectors and compliance

The Security Command Center measurement of compliance with security benchmarks is based in large part on the findings produced by the Security Health Analytics vulnerability detectors.

Security Health Analytics monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.

For each supported security standard, Security Health Analytics checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.

CIS reviews and certifies the mappings of Security Health Analytics detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Health Analytics adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.

With the security posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.

For more information about managing compliance, see Assess and report compliance with security standards.

Security standards supported on Google Cloud

Security Health Analytics maps detectors for Google Cloud to one or more of the following compliance standards:

Security standards supported on AWS

Security Health Analytics maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards:

For more information about compliance, see Assess and report security benchmark compliance.