Rapid Vulnerability Detection, Security Health Analytics, and Web Security Scanner detectors generate vulnerability findings that are available in Security Command Center. When they are enabled in Security Command Center, integrated services, like VM Manager, also generate vulnerability findings.
Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.
Detectors and compliance
Most of Security Command Center's detectors are mapped to one or more of the following compliance standards:
- Center for Information Security (CIS) Google Cloud Computing Foundations Benchmark v2.0.0, v1.3.0, v1.2.0, v1.1.0, and v1.0.0
- Payment Card Industry Data Security Standard 3.2.1
- National Institute of Standards and Technology 800-53
- International Organization for Standardization 27001
- Open Web Application Security Project (OWASP) Top Ten
CIS reviewed and certified the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.
Security Command Center frequently adds support for new benchmark versions and standards. Older versions of the CIS Benchmark remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark available.
For instructions on viewing and exporting compliance reports, see the Compliance section in Using Security Command Center in the Google Cloud console.
Finding deactivation after remediation
After you remediate a vulnerability or misconfiguration finding, the
Security Command Center service that detected the finding automatically sets
the state of the finding to INACTIVE
the next time the detection service
scans for the finding. How long Security Command Center takes to set a
remediated finding to INACTIVE
depends on the schedule of the scan that
detects the finding.
The Security Command Center services also set the state of a vulnerability
or misconfiguration finding to INACTIVE
when a scan detects that the
resource that is affected by the finding is deleted.
For more information about scan intervals, see the following topics:
- Security Health Analytics scan types
- Rapid Vulnerability Detection scan latency and interval
- Web Security Scanner scan types
Security Health Analytics findings
Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.
For more information about Security Health Analytics, scan schedules, and the Security Health Analytics support for both built-in and custom module detectors, see Overview of Security Health Analytics.
The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by various attributes by using the Security Command Center Vulnerabilities page in the Google Cloud console.
For instructions on fixing issues and protecting your resources, see Remediating Security Health Analytics findings.
API key vulnerability findings
The API_KEY_SCANNER
detector identifies vulnerabilities related to
API keys used in your cloud deployment.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
API key APIs unrestricted
Category name in the API: |
Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application. Pricing tier: Premium
Supported assets |
Retrieves the
|
CIS GCP Foundation 1.0: 1.12 CIS GCP Foundation 1.1: 1.14 CIS GCP Foundation 1.2: 1.14 CIS GCP Foundation 1.3: 1.14 CIS GCP Foundation 2.0: 1.14 |
API key apps unrestricted
Category name in the API: |
Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app. Pricing tier: Premium
Supported assets |
Retrieves the
|
CIS GCP Foundation 1.0: 1.11 CIS GCP Foundation 1.1: 1.13 CIS GCP Foundation 1.2: 1.13 CIS GCP Foundation 1.3: 1.13 CIS GCP Foundation 2.0: 1.13 |
API key exists
Category name in the API: |
Finding description: A project is using API keys instead of standard authentication. Pricing tier: Premium
Supported assets |
Retrieves all API keys owned by a project.
|
CIS GCP Foundation 1.0: 1.10 CIS GCP Foundation 1.1: 1.12 CIS GCP Foundation 1.2: 1.12 CIS GCP Foundation 1.3: 1.12 CIS GCP Foundation 2.0: 1.12 |
API key not rotated
Category name in the API: |
Finding description: The API key hasn't been rotated for more than 90 days. Pricing tier: Premium
Supported assets |
Retrieves the timestamp contained in the
|
CIS GCP Foundation 1.0: 1.13 CIS GCP Foundation 1.1: 1.15 CIS GCP Foundation 1.2: 1.15 CIS GCP Foundation 1.3: 1.15 CIS GCP Foundation 2.0: 1.15 |
Cloud Asset Inventory vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Asset Inventory
configurations and belong to the CLOUD_ASSET_SCANNER
type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Cloud Asset API disabled
Category name in the API: |
Finding description: The capturing of Google Cloud resources and IAM policies by Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing. We recommend that Cloud Asset Inventory service be enabled for all projects. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks if the Cloud Asset Inventory service is enabled.
|
CIS GCP Foundation 1.3: 2.13 CIS GCP Foundation 2.0: 2.13 |
Compute image vulnerability findings
The COMPUTE_IMAGE_SCANNER
detector identifies vulnerabilities related to
Google Cloud image configurations.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Public Compute image
Category name in the API: |
Finding description: A Compute Engine image is publicly accessible. Pricing tier: Premium or Standard
Supported assets |
Checks the IAM allow policy in resource
metadata for the principals
|
Compute instance vulnerability findings
The COMPUTE_INSTANCE_SCANNER
detector identifies vulnerabilities related to
Compute Engine instance configurations.
COMPUTE_INSTANCE_SCANNER
detectors don't report findings on
Compute Engine instances created by GKE. Such instances have names that
start with "gke-", which users cannot edit. To secure these instances, refer to the
Container vulnerability findings section.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Confidential Computing disabled
Category name in the API: |
Finding description: Confidential Computing is disabled on a Compute Engine instance. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 4.11 CIS GCP Foundation 1.3: 4.11 CIS GCP Foundation 2.0: 4.11 |
Compute project wide SSH keys allowed
Category name in the API: |
Finding description: Project-wide SSH keys are used, allowing login to all instances in the project. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 4.2 CIS GCP Foundation 1.1: 4.3 CIS GCP Foundation 1.2: 4.3 CIS GCP Foundation 1.3: 4.3 CIS GCP Foundation 2.0: 4.3 |
Compute Secure Boot disabled
Category name in the API: |
Finding description: This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits. Pricing tier: Premium Supported assets |
Checks the
|
|
Compute serial ports enabled
Category name in the API: |
Finding description: Serial ports are enabled for an instance, allowing connections to the instance's serial console. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 4.4 CIS GCP Foundation 1.1: 4.5 CIS GCP Foundation 1.2: 4.5 CIS GCP Foundation 1.3: 4.5 CIS GCP Foundation 2.0: 4.5 |
Default service account used
Category name in the API: |
Finding description: An instance is configured to use the default service account. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 4.1 CIS GCP Foundation 1.2: 4.1 CIS GCP Foundation 1.3: 4.1 CIS GCP Foundation 2.0: 4.1 |
Disk CMEK disabled
Category name in the API: |
Finding description: Disks on this VM are not encrypted with customer- managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
|
Disk CSEK disabled
Category name in the API: |
Finding description: Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 4.6 CIS GCP Foundation 1.1: 4.7 CIS GCP Foundation 1.2: 4.7 CIS GCP Foundation 1.3: 4.7 CIS GCP Foundation 2.0: 4.7 |
Full API access
Category name in the API: |
Finding description: An instance is configured to use the default service account with full access to all Google Cloud APIs. Pricing tier: Premium
Supported assets |
Retrieves the
|
CIS GCP Foundation 1.0: 4.1 CIS GCP Foundation 1.1: 4.2 CIS GCP Foundation 1.2: 4.2 CIS GCP Foundation 1.3: 4.2 CIS GCP Foundation 2.0: 4.2 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3 |
HTTP load balancer
Category name in the API: |
Finding description: An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Determines if the
|
PCI-DSS v3.2.1: 2.3 |
IP forwarding enabled
Category name in the API: |
Finding description: IP forwarding is enabled on instances. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 4.5 CIS GCP Foundation 1.1: 4.6 CIS GCP Foundation 1.2: 4.6 CIS GCP Foundation 1.3: 4.6 CIS GCP Foundation 2.0: 4.6 |
OS login disabled
Category name in the API: |
Finding description: OS Login is disabled on this instance. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 4.3 CIS GCP Foundation 1.1: 4.4 CIS GCP Foundation 1.2: 4.4 CIS GCP Foundation 1.3: 4.4 CIS GCP Foundation 2.0: 4.4 |
Public IP address
Category name in the API: |
Finding description: An instance has a public IP address. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 4.9 CIS GCP Foundation 1.2: 4.9 CIS GCP Foundation 1.3: 4.9 CIS GCP Foundation 2.0: 4.9 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: CA-3, SC-7 |
Shielded VM disabled
Category name in the API: |
Finding description: Shielded VM is disabled on this instance. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 4.8 CIS GCP Foundation 1.2: 4.8 CIS GCP Foundation 1.3: 4.8 CIS GCP Foundation 2.0: 4.8 |
Weak SSL policy
Category name in the API: |
Finding description: An instance has a weak SSL policy. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether
|
CIS GCP Foundation 1.1: 3.9 CIS GCP Foundation 1.2: 3.9 CIS GCP Foundation 1.3: 3.9 CIS GCP Foundation 2.0: 3.9 PCI-DSS v3.2.1: 4.1 NIST 800-53: SC-7 ISO-27001: A.14.1.3 |
Container vulnerability findings
These finding types all relate to GKE container configurations,
and belong to the CONTAINER_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Alpha cluster enabled
Category name in the API: |
Finding description: Alpha cluster features are enabled for a GKE cluster. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GKE 1.0: 6.10.2 |
Auto repair disabled
Category name in the API: |
Finding description: A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.7 CIS GKE 1.0: 6.5.2 PCI-DSS v3.2.1: 2.2 |
Auto upgrade disabled
Category name in the API: |
Finding description: A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.8 CIS GKE 1.0: 6.5.3 PCI-DSS v3.2.1: 2.2 |
Binary authorization disabled
Category name in the API: |
Finding description: Binary Authorization is disabled on a GKE cluster. Pricing tier: Premium
Supported assets |
Checks whether the
|
|
Cluster logging disabled
Category name in the API: |
Finding description: Logging isn't enabled for a GKE cluster. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.7.1 PCI-DSS v3.2.1: 10.2.2, 10.2.7 |
Cluster monitoring disabled
Category name in the API: |
Finding description: Monitoring is disabled on GKE clusters. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 7.2 CIS GKE 1.0: 6.7.1 PCI-DSS v3.2.1: 10.1, 10.2 |
Cluster private Google access disabled
Category name in the API: |
Finding description: Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 7.1 PCI-DSS v3.2.1: 1.3 |
Cluster secrets encryption disabled
Category name in the API: |
Finding description: Application-layer secrets encryption is disabled on a GKE cluster. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GKE 1.0: 6.3.1 |
Cluster shielded nodes disabled
Category name in the API: |
Finding description: Shielded GKE nodes are not enabled for a cluster. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GKE 1.0: 6.5.5 |
COS not used
Category name in the API: |
Finding description: Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.9 CIS GKE 1.0: 6.5.1 PCI-DSS v3.2.1: 2.2 |
Integrity monitoring disabled
Category name in the API: |
Finding description: Integrity monitoring is disabled for a GKE cluster. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GKE 1.0: 6.5.6 |
Intranode visibility disabled
Category name in the API: |
Finding description: Intranode visibility is disabled for a GKE cluster. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GKE 1.0: 6.6.1 |
IP alias disabled
Category name in the API: |
Finding description: A GKE cluster was created with alias IP ranges disabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.6.2 PCI-DSS v3.2.1: 1.3.4, 1.3.7 |
Legacy authorization enabled
Category name in the API: |
Finding description: Legacy Authorization is enabled on GKE clusters. Pricing tier: Premium or Standard
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.3 CIS GKE 1.0: 6.8.3 PCI-DSS v3.2.1: 4.1 |
Legacy metadata enabled
Category name in the API: |
Finding description: Legacy metadata is enabled on GKE clusters. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GKE 1.0: 6.4.1 |
Master authorized networks disabled
Category name in the API: |
Finding description: Control Plane Authorized Networks is not enabled on GKE clusters. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.4 CIS GKE 1.0: 6.6.3 PCI-DSS v3.2.1: 1.2.1, 1.3.2 |
Network policy disabled
Category name in the API: |
Finding description: Network policy is disabled on GKE clusters. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.1 PCI-DSS v3.2.1: 1.3 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Nodepool boot CMEK disabled
Category name in the API: |
Finding description: Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
|
Nodepool secure boot disabled
Category name in the API: |
Finding description: Secure Boot is disabled for a GKE cluster. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GKE 1.0: 6.5.7 |
Over privileged account
Category name in the API: |
Finding description: A service account has overly broad project access in a cluster. Pricing tier: Premium
Supported assets |
Evaluates the
|
CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.2.1 PCI-DSS v3.2.1: 2.1, 7.1.2 NIST 800-53: AC-6, SC-7 ISO-27001: A.9.2.3 |
Over privileged scopes
Category name in the API: |
Finding description: A node service account has broad access scopes. Pricing tier: Premium
Supported assets |
Checks whether the access scope listed in the
config.oauthScopes property of a node pool is
a limited service account access scope:
https://www.googleapis.com/auth/devstorage.read_only ,
https://www.googleapis.com/auth/logging.write ,
or
https://www.googleapis.com/auth/monitoring .
|
CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.2.1 |
Pod security policy disabled
Category name in the API: |
Finding description: PodSecurityPolicy is disabled on a GKE cluster. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.10.3 |
Private cluster disabled
Category name in the API: |
Finding description: A GKE cluster has a Private cluster disabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.6.5 PCI-DSS v3.2.1: 1.3.2 |
Release channel disabled
Category name in the API: |
Finding description: A GKE cluster is not subscribed to a release channel. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GKE 1.0: 6.5.4 |
Web UI enabled
Category name in the API: |
Finding description: The GKE web UI (dashboard) is enabled. Pricing tier: Premium or Standard
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.6 CIS GKE 1.0: 6.10.1 PCI-DSS v3.2.1: 6.6 |
Workload Identity disabled
Category name in the API: |
Finding description: Workload Identity is disabled on a GKE cluster. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GKE 1.0: 6.2.2 |
Dataproc vulnerability findings
Vulnerabilities of this detector type all relate to Dataproc and belong to the
DATAPROC_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Dataproc CMEK disabled
Category name in the API: |
Finding description: A Dataproc cluster was created without an encryption configuration CMEK. With CMEK, keys that you create and manage in Cloud Key Management Service wrap the keys that Google Cloud uses to encrypt your data, giving you more control over access to your data. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.3: 1.17 CIS GCP Foundation 2.0: 1.17 |
Dataproc image outdated
Category name in the API: |
Finding description: A Dataproc cluster was created with a Dataproc image version that is impacted by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046). Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
Dataset vulnerability findings
Vulnerabilities of this detector type all relate to BigQuery Dataset
configurations, and belong to the DATASET_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
BigQuery table CMEK disabled
Category name in the API: |
Finding description: A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.2: 7.2 CIS GCP Foundation 1.3: 7.2 CIS GCP Foundation 2.0: 7.2 |
Dataset CMEK disabled
Category name in the API: |
Finding description: A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.2: 7.3 CIS GCP Foundation 1.3: 7.3 CIS GCP Foundation 2.0: 7.3 |
Public dataset
Category name in the API: |
Finding description: A dataset is configured to be open to public access. Pricing tier: Premium or Standard
Supported assets |
Checks the IAM allow policy in resource
metadata for the principals
|
CIS GCP Foundation 1.1: 7.1 CIS GCP Foundation 1.2: 7.1 CIS GCP Foundation 1.3: 7.1 CIS GCP Foundation 2.0: 7.1 PCI-DSS v3.2.1: 7.1 NIST 800-53: AC-2 ISO-27001: A.8.2.3, A.14.1.3 |
DNS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud DNS configurations,
and belong to the DNS_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
DNSSEC disabled
Category name in the API: |
Finding description: DNSSEC is disabled for Cloud DNS zones. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.3 CIS GCP Foundation 1.1: 3.3 CIS GCP Foundation 1.2: 3.3 CIS GCP Foundation 1.3: 3.3 CIS GCP Foundation 2.0: 3.3 ISO-27001: A.8.2.3 |
RSASHA1 for signing
Category name in the API: |
Finding description: RSASHA1 is used for key signing in Cloud DNS zones. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.4, 3.5 CIS GCP Foundation 1.1: 3.4, 3.5 CIS GCP Foundation 1.2: 3.4, 3.5 CIS GCP Foundation 1.3: 3.4, 3.5 CIS GCP Foundation 2.0: 3.4, 3.5 |
Firewall vulnerability findings
Vulnerabilities of this detector type all relate to firewall configurations, and
belong to the FIREWALL_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Egress deny rule not set
Category name in the API: |
Finding description: An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the
|
PCI-DSS v3.2.1: 7.2 |
Firewall rule logging disabled
Category name in the API: |
Finding description: Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 10.1, 10.2 NIST 800-53: SI-4 ISO-27001: A.13.1.1 |
Open Cassandra port
Category name in the API: |
Finding description: A firewall is configured to have an open Cassandra port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open ciscosecure websm port
Category name in the API: |
Finding description: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access. Pricing tier: Premium or Standard
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open directory services port
Category name in the API: |
Finding description: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access. Pricing tier: Premium or Standard
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open DNS port
Category name in the API: |
Finding description: A firewall is configured to have an open DNS port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open elasticsearch port
Category name in the API: |
Finding description: A firewall is configured to have an open ELASTICSEARCH port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open firewall
Category name in the API: |
Finding description: A firewall is configured to be open to public access. Pricing tier: Premium or Standard
Supported assets |
Checks the
| PCI-DSS v3.2.1: 1.2.1 |
Open FTP port
Category name in the API: |
Finding description: A firewall is configured to have an open FTP port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open HTTP port
Category name in the API: |
Finding description: A firewall is configured to have an open HTTP port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open LDAP port
Category name in the API: |
Finding description: A firewall is configured to have an open LDAP port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open Memcached port
Category name in the API: |
Finding description: A firewall is configured to have an open MEMCACHED port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open MongoDB port
Category name in the API: |
Finding description: A firewall is configured to have an open MONGODB port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open MySQL port
Category name in the API: |
Finding description: A firewall is configured to have an open MYSQL port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open NetBIOS port
Category name in the API: |
Finding description: A firewall is configured to have an open NETBIOS port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open OracleDB port
Category name in the API: |
Finding description: A firewall is configured to have an open ORACLEDB port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open pop3 port
Category name in the API: |
Finding description: A firewall is configured to have an open POP3 port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open PostgreSQL port
Category name in the API: |
Finding description: A firewall is configured to have an open PostgreSQL port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open RDP port
Category name in the API: |
Finding description: A firewall is configured to have an open RDP port that allows generic access. Pricing tier: Premium or Standard
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 3.7 CIS GCP Foundation 1.1: 3.7 CIS GCP Foundation 1.2: 3.7 CIS GCP Foundation 1.3: 3.7 CIS GCP Foundation 2.0: 3.7 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open Redis port
Category name in the API: |
Finding description: A firewall is configured to have an open REDIS port that allows generic access. Pricing tier: Premium
Supported assets |
Checks whether the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open SMTP port
Category name in the API: |
Finding description: A firewall is configured to have an open SMTP port that allows generic access. Pricing tier: Premium
Supported assets |
Checks whether the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open SSH port
Category name in the API: |
Finding description: A firewall is configured to have an open SSH port that allows generic access. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.6 CIS GCP Foundation 1.1: 3.6 CIS GCP Foundation 1.2: 3.6 CIS GCP Foundation 1.3: 3.6 CIS GCP Foundation 2.0: 3.6 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
Open Telnet port
Category name in the API: |
Finding description: A firewall is configured to have an open TELNET port that allows generic access. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
IAM vulnerability findings
Vulnerabilities of this detector type all relate to Identity and Access Management (IAM)
configuration, and belong to the IAM_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Access Transparency disabled
Category name in the API: |
Finding description: Google Cloud Access Transparency is disabled for your organization. Access Transparency logs when Google Cloud employees access the projects in your organization to provide support. Enable Access Transparency to log who from Google Cloud is accessing your information, when, and why. Pricing tier: Premium
Supported assets |
Checks if your organization has Access Transparency enabled.
|
CIS GCP Foundation 1.3: 2.14 CIS GCP Foundation 2.0: 2.14 |
Admin service account
Category name in the API: |
Finding description: A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for any user-created service accounts (indicated
by the prefix iam.gserviceaccount.com),
that are assigned
|
CIS GCP Foundation 1.0: 1.4 CIS GCP Foundation 1.1: 1.5 CIS GCP Foundation 1.2: 1.5 CIS GCP Foundation 1.3: 1.5 CIS GCP Foundation 2.0: 1.5 |
Essential Contacts Not Configured
Category name in the API: |
Finding description: Your organization has not designated a person or group to receive notifications from Google Cloud about important events such as attacks, vulnerabilities, and data incidents within your Google Cloud organization. We recommend that you designate as an Essential Contact one or more persons or groups in your business organization. Pricing tier: Premium
Supported assets |
Checks that a contact is specified for the following essential contact categories:
|
CIS GCP Foundation 1.3: 1.16 CIS GCP Foundation 2.0: 1.16 |
KMS role separation
Category name in the API: |
Finding description: Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks IAM allow policies in resource metadata
and retrieves principals assigned any of the following
roles at the same time:
roles/cloudkms.cryptoKeyEncrypterDecrypter ,
roles/cloudkms.cryptoKeyEncrypter , and
roles/cloudkms.cryptoKeyDecrypter ,
roles/cloudkms.signer ,
roles/cloudkms.signerVerifier ,
roles/cloudkms.publicKeyViewer .
|
CIS GCP Foundation 1.0: 1.9 CIS GCP Foundation 1.1: 1.11 CIS GCP Foundation 2.0: 1.11 NIST 800-53: AC-5 ISO-27001: A.9.2.3, A.10.1.2 |
Non org IAM member
Category name in the API: |
Finding description: There is a user who isn't using organizational credentials. Per CIS GCP Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector. Pricing tier: Premium or Standard
Supported assets |
Compares @gmail.com email addresses in the
|
CIS GCP Foundation 1.0: 1.1 CIS GCP Foundation 1.1: 1.1 CIS GCP Foundation 1.2: 1.1 CIS GCP Foundation 1.3: 1.1 CIS GCP Foundation 2.0: 1.1 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-3 ISO-27001: A.9.2.3 |
Open group IAM member
Category name in the API: |
Finding description: A Google Groups account that can be joined without approval is used as an IAM allow policy principal. Pricing tier: Premium or Standard
Supported assets |
Checks the IAM
policy in resource
metadata for any bindings
containing a member (principal) that's prefixed with group . If the
group is an open group, Security Health Analytics generates this finding.
|
|
Over privileged service account user
Category name in the API: |
Finding description: A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for any principals assigned
roles/iam.serviceAccountUser or
roles/iam.serviceAccountTokenCreator at the
project level.
|
CIS GCP Foundation 1.0: 1.5 CIS GCP Foundation 1.1: 1.6 CIS GCP Foundation 1.2: 1.6 CIS GCP Foundation 1.3: 1.6 CIS GCP Foundation 2.0: 1.6 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3 |
Primitive roles used
Category name in the API: |
Finding description: A user has the basic role, Owner, Writer, or Reader. These roles are too permissive and shouldn't be used. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for any principals assigned
|
PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3 |
Redis role used on org
Category name in the API: |
Finding description: A Redis IAM role is assigned at the organization or folder level. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets
|
Checks the IAM allow policy in resource
metadata for principals assigned
|
PCI-DSS v3.2.1: 7.1.2 ISO-27001: A.9.2.3 |
Service account role separation
Category name in the API: |
Finding description: A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for any principals assigned both
roles/iam.serviceAccountUser and
roles/iam.serviceAccountAdmin .
|
CIS GCP Foundation 1.0: 1.7 CIS GCP Foundation 1.1: 1.8 CIS GCP Foundation 1.2: 1.8 CIS GCP Foundation 1.3: 1.8 CIS GCP Foundation 2.0: 1.8 NIST 800-53: AC-5 ISO-27001: A.9.2.3 |
Service account key not rotated
Category name in the API: |
Finding description: A service account key hasn't been rotated for more than 90 days. Pricing tier: Premium
Supported assets |
Evaluates the key creation timestamp captured in the
|
CIS GCP Foundation 1.0: 1.6 CIS GCP Foundation 1.1: 1.7 CIS GCP Foundation 1.2: 1.7 CIS GCP Foundation 1.3: 1.7 CIS GCP Foundation 2.0: 1.7 |
User managed service account key
Category name in the API: |
Finding description: A user manages a service account key. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 1.3 CIS GCP Foundation 1.1: 1.4 CIS GCP Foundation 1.2: 1.4 CIS GCP Foundation 1.3: 1.4 CIS GCP Foundation 2.0: 1.4 |
KMS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud KMS
configurations, and belong to the KMS_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
KMS key not rotated
Category name in the API: |
Finding description: Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days. Pricing tier: Premium
Supported assets |
Checks resource metadata for the existence of
|
CIS GCP Foundation 1.0: 1.8 CIS GCP Foundation 1.1: 1.10 CIS GCP Foundation 1.2: 1.10 CIS GCP Foundation 1.3: 1.10 CIS GCP Foundation 2.0: 1.10 PCI-DSS v3.2.1: 3.5 NIST 800-53: SC-12 ISO-27001: A.10.1.2 |
KMS project has owner
Category name in the API: |
Finding description: A user has Owner permissions on a project that has cryptographic keys. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in project
metadata for principals assigned
|
CIS GCP Foundation 1.1: 1.11 CIS GCP Foundation 1.2: 1.11 CIS GCP Foundation 1.3: 1.11 CIS GCP Foundation 2.0: 1.11 PCI-DSS v3.2.1: 3.5 NIST 800-53: AC-6, SC-12 ISO-27001: A.9.2.3, A.10.1.2 |
KMS public key
Category name in the API: |
Finding description: A Cloud KMS cryptographic key is publicly accessible. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for the principals
|
CIS GCP Foundation 1.1: 1.9 CIS GCP Foundation 1.2: 1.9 CIS GCP Foundation 1.3: 1.9 CIS GCP Foundation 2.0: 1.9 |
Too many KMS users
Category name in the API: |
Finding description: There are more than three users of cryptographic keys. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks IAM allow policies for key rings,
projects, and organizations, and retrieves principals with
roles that allow them to encrypt, decrypt or sign data using
Cloud KMS keys: roles/owner ,
roles/cloudkms.cryptoKeyEncrypterDecrypter ,
roles/cloudkms.cryptoKeyEncrypter ,
roles/cloudkms.cryptoKeyDecrypter ,
roles/cloudkms.signer , and
roles/cloudkms.signerVerifier .
|
PCI-DSS v3.2.1: 3.5.2 ISO-27001: A.9.2.3 |
Logging vulnerability findings
Vulnerabilities of this detector type all relate to logging configurations, and
belong to the LOGGING_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Audit logging disabled
Category name in the API: |
Finding description: Audit logging has been disabled for this resource. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for the existence of an
|
CIS GCP Foundation 1.0: 2.1 CIS GCP Foundation 1.1: 2.1 CIS GCP Foundation 1.2: 2.1 CIS GCP Foundation 1.3: 2.1 CIS GCP Foundation 2.0: 2.1 PCI-DSS v3.2.1: 10.1, 10.2 NIST 800-53: AC-2, AU-2 ISO-27001: A.12.4.1, A.16.1.7 |
Bucket logging disabled
Category name in the API: |
Finding description: There is a storage bucket without logging enabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 5.3 |
Locked retention policy not set
Category name in the API: |
Finding description: A locked retention policy is not set for logs. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 2.3 CIS GCP Foundation 1.2: 2.3 CIS GCP Foundation 1.3: 2.3 CIS GCP Foundation 2.0: 2.3 PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-11 ISO-27001: A.12.4.2, A.18.1.3 |
Log not exported
Category name in the API: |
Finding description: There is a resource that doesn't have an appropriate log sink configured. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets
|
Retrieves a
|
CIS GCP Foundation 1.0: 2.2 CIS GCP Foundation 1.1: 2.2 CIS GCP Foundation 1.2: 2.2 CIS GCP Foundation 1.3: 2.2 CIS GCP Foundation 2.0: 2.2 ISO-27001: A.18.1.3 |
Object versioning disabled
Category name in the API: |
Finding description: Object versioning isn't enabled on a storage bucket where sinks are configured. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 2.3 PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-11 ISO-27001: A.12.4.2, A.18.1.3 |
Monitoring vulnerability findings
Vulnerabilities of this detector type all relate to monitoring configurations,
and belong to the MONITORING_SCANNER
type. All Monitoring detector finding
properties include:
-
The
RecommendedLogFilter
to use in creating the log metrics. -
The
QualifiedLogMetricNames
that cover the conditions listed in the recommended log filter. -
The
AlertPolicyFailureReasons
that indicate if the project does not have alert policies created for any of the qualified log metrics or the existing alert policies don't have the recommended settings.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Audit config not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Audit Configuration changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:* ,
and if resource.type is specified, that the value is global .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.5 CIS GCP Foundation 1.1: 2.5 CIS GCP Foundation 1.2: 2.5 CIS GCP Foundation 1.3: 2.5 CIS GCP Foundation 2.0: 2.5 |
Bucket IAM not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type=gcs_bucket AND
protoPayload.methodName="storage.setIamPermissions" .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.10 CIS GCP Foundation 1.1: 2.10 CIS GCP Foundation 1.2: 2.10 CIS GCP Foundation 1.3: 2.10 CIS GCP Foundation 2.0: 2.10 |
Custom role not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Custom Role changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="iam_role" AND
(protoPayload.methodName="google.iam.admin.v1.CreateRole"
OR
protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR
protoPayload.methodName="google.iam.admin.v1.UpdateRole") .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.6 CIS GCP Foundation 1.1: 2.6 CIS GCP Foundation 1.2: 2.6 CIS GCP Foundation 1.3: 2.6 CIS GCP Foundation 2.0: 2.6 |
Firewall not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Virtual Private Cloud (VPC) Network Firewall rule changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_firewall_rule"
AND (protoPayload.methodName:"compute.firewalls.insert"
OR protoPayload.methodName:"compute.firewalls.patch"
OR protoPayload.methodName:"compute.firewalls.delete") .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.7 CIS GCP Foundation 1.1: 2.7 CIS GCP Foundation 1.2: 2.7 CIS GCP Foundation 1.3: 2.7 CIS GCP Foundation 2.0: 2.7 |
Network not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor VPC network changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_network"
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering") .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.9 CIS GCP Foundation 1.1: 2.9 CIS GCP Foundation 1.2: 2.9 CIS GCP Foundation 1.3: 2.9 CIS GCP Foundation 2.0: 2.9 |
Owner not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee) OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") ,
and if resource.type is specified, that the value is global .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.4 CIS GCP Foundation 1.1: 2.4 CIS GCP Foundation 1.2: 2.4 CIS GCP Foundation 1.3: 2.4 CIS GCP Foundation 2.0: 2.4 |
Route not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor VPC network route changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_route"
AND (protoPayload.methodName:"compute.routes.delete"
OR protoPayload.methodName:"compute.routes.insert") .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.8 CIS GCP Foundation 1.1: 2.8 CIS GCP Foundation 1.2: 2.8 CIS GCP Foundation 1.3: 2.8 CIS GCP Foundation 2.0: 2.8 |
SQL instance not monitored
|
Finding description: Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName="cloudsql.instances.update"
OR protoPayload.methodName="cloudsql.instances.create"
OR protoPayload.methodName="cloudsql.instances.delete" ,
and if resource.type is specified, that the value is global .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.11 CIS GCP Foundation 1.1: 2.11 CIS GCP Foundation 1.2: 2.11 CIS GCP Foundation 1.3: 2.11 CIS GCP Foundation 2.0: 2.11 |
Multi-factor authentication findings
The MFA_SCANNER
detector identifies vulnerabilities related to multi-factor
authentication for users.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
MFA not enforced
Category name in the API: |
There are users who aren't using 2-Step Verification. Google Workspace lets you specify an enrollment grace period for new users during which they must enroll in 2-Step Verification. This detector does create findings for users during the enrollment grace period. This finding isn't available for project-level activations. Pricing tier: Premium or Standard
Supported assets |
Evaluates identity management policies in organizations and user settings for managed accounts in Cloud Identity.
|
CIS GCP Foundation 1.0: 1.2 CIS GCP Foundation 1.1: 1.2 CIS GCP Foundation 1.2: 1.2 CIS GCP Foundation 1.3: 1.2 CIS GCP Foundation 2.0: 1.2 PCI-DSS v3.2.1: 8.3 NIST 800-53: IA-2 ISO-27001: A.9.4.2 |
Network vulnerability findings
Vulnerabilities of this detector type all relate to an organization's network
configurations, and belong to theNETWORK_SCANNER
type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Default network
Category name in the API: |
Finding description: The default network exists in a project. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.1 CIS GCP Foundation 1.1: 3.1 CIS GCP Foundation 1.2: 3.1 CIS GCP Foundation 1.3: 3.1 CIS GCP Foundation 2.0: 3.1 |
DNS logging disabled
Category name in the API: |
Finding description: DNS logging on a VPC network is not enabled. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks all
|
CIS GCP Foundation 1.2: 2.12 CIS GCP Foundation 1.3: 2.12 CIS GCP Foundation 2.0: 2.12 |
Legacy network
Category name in the API: |
Finding description: A legacy network exists in a project. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks network metadata for existence of the
|
CIS GCP Foundation 1.0: 3.2 CIS GCP Foundation 1.1: 3.2 CIS GCP Foundation 1.2: 3.2 CIS GCP Foundation 1.3: 3.2 CIS GCP Foundation 2.0: 3.2 |
Load balancer logging disabled
Category name in the API: |
Finding description: Logging is disabled for the load balancer. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 2.0: 2.16 |
Organization Policy vulnerability findings
Vulnerabilities of this detector type all relate to configurations of
Organization Policy
constraints, and belong to the ORG_POLICY
type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Org policy Confidential VM policy
Category name in the API: |
Finding description:
A Compute Engine resource is out of compliance with
the
constraints/compute.restrictNonConfidentialComputing
organization policy. For more information about this org
policy constraint, see
Enforcing organization policy
constraints in Confidential VM.
For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks whether the
|
|
Org policy location restriction
Category name in the API: |
Finding description:
A Compute Engine resource is out of compliance with
the constraints/gcp.resourceLocations
constraint. For more information about this org policy
constraint, see Enforcing
organization policy constraints.
For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets |
Checks the
|
|
Supported assets for ORG_POLICY_LOCATION_RESTRICTION
Compute Engine
GKE
Cloud Storage
Cloud KMS
Dataproc
BigQuery
Dataflow
Cloud SQL
Cloud Composer
Logging
Pub/Sub
Vertex AI
Artifact Registry 1 Because Cloud KMS assets cannot be deleted, the asset is not considered out-of-region if the asset's data has been destroyed. 2 Because Cloud KMS import jobs have a controlled lifecycle and cannot be terminated early, an ImportJob is not considered out-of-region if the job is expired and can no longer be used to import keys. 3 Because the lifecycle of Dataflow jobs cannot be managed, a Job is not considered out-of-region once it has reached a terminal state (stopped or drained), where it can no longer be used to process data. |
Pub/Sub vulnerability findings
Vulnerabilities of this detector type all relate to Pub/Sub
configurations, and belong to the PUBSUB_SCANNER
type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Pubsub CMEK disabled
Category name in the API: |
Finding description: A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
SQL vulnerability findings
Vulnerabilities of this detector type all relate to Cloud SQL
configurations, and belong to the SQL_SCANNER
type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Auto backup disabled
Category name in the API: |
Finding description: A Cloud SQL database doesn't have automatic backups enabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 6.7 CIS GCP Foundation 1.2: 6.7 CIS GCP Foundation 1.3: 6.7 CIS GCP Foundation 2.0: 6.7 NIST 800-53: CP-9 ISO-27001: A.12.3.1 |
Public SQL instance
Category name in the API: |
Finding description: A Cloud SQL database instance accepts connections from all IP addresses. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 6.2 CIS GCP Foundation 1.1: 6.5 CIS GCP Foundation 1.2: 6.5 CIS GCP Foundation 1.3: 6.5 CIS GCP Foundation 2.0: 6.5 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: CA-3, SC-7 ISO-27001: A.8.2.3, A.13.1.3, A.14.1.3 |
SSL not enforced
Category name in the API: |
Finding description: A Cloud SQL database instance doesn't require all incoming connections to use SSL. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 6.1 CIS GCP Foundation 1.1: 6.4 CIS GCP Foundation 1.2: 6.4 CIS GCP Foundation 1.3: 6.4 CIS GCP Foundation 2.0: 6.4 PCI-DSS v3.2.1: 4.1 NIST 800-53: SC-7 ISO-27001: A.8.2.3, A.13.2.1, A.14.1.3 |
SQL CMEK disabled
Category name in the API: |
Finding description: A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
|
SQL contained database authentication
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.3.2 CIS GCP Foundation 1.2: 6.3.7 CIS GCP Foundation 1.3: 6.3.7 CIS GCP Foundation 2.0: 6.3.7 |
SQL cross DB ownership chaining
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.3.1 CIS GCP Foundation 1.2: 6.3.2 CIS GCP Foundation 1.3: 6.3.2 CIS GCP Foundation 2.0: 6.3.2 |
SQL external scripts enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.3.1 CIS GCP Foundation 1.3: 6.3.1 CIS GCP Foundation 2.0: 6.3.1 |
SQL local infile
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.1.2 CIS GCP Foundation 1.2: 6.1.3 CIS GCP Foundation 1.3: 6.1.3 CIS GCP Foundation 2.0: 6.1.3 |
SQL log checkpoints disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.1 CIS GCP Foundation 1.2: 6.2.1 |
SQL log connections disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.2 CIS GCP Foundation 1.2: 6.2.3 CIS GCP Foundation 1.3: 6.2.2 CIS GCP Foundation 2.0: 6.2.2 |
SQL log disconnections disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.3 CIS GCP Foundation 1.2: 6.2.4 CIS GCP Foundation 1.3: 6.2.3 CIS GCP Foundation 2.0: 6.2.3 |
SQL log duration disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.2.5 |
SQL log error verbosity
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.2 CIS GCP Foundation 1.3: 6.2.1 CIS GCP Foundation 2.0: 6.2.1 |
SQL log lock waits disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.4 CIS GCP Foundation 1.2: 6.2.6 |
SQL log min duration statement enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.7 CIS GCP Foundation 1.2: 6.2.16 CIS GCP Foundation 1.3: 6.2.8 CIS GCP Foundation 2.0: 6.2.7 |
SQL log min error statement
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 6.2.5 |
SQL log min error statement severity
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.2: 6.2.14 CIS GCP Foundation 1.3: 6.2.7 CIS GCP Foundation 2.0: 6.2.6 |
SQL log min messages
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
To ensure adequate coverage of message types in the logs, issues a finding if the
|
CIS GCP Foundation 1.2: 6.2.13 CIS GCP Foundation 1.3: 6.2.6 CIS GCP Foundation 2.0: 6.2.5 |
SQL log executor stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.11 |
SQL log hostname enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.8 |
SQL log parser stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.9 |
SQL log planner stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.10 |
SQL log statement
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.7 CIS GCP Foundation 1.3: 6.2.4 CIS GCP Foundation 2.0: 6.2.4 |
SQL log statement stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.12 |
SQL log temp files
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.6 CIS GCP Foundation 1.2: 6.2.15 |
SQL no root password
Category name in the API: |
Finding description: A Cloud SQL database that has a public IP address doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 6.3 CIS GCP Foundation 1.1: 6.1.1 CIS GCP Foundation 1.2: 6.1.1 CIS GCP Foundation 1.3: 6.1.1 CIS GCP Foundation 2.0: 6.1.1 PCI-DSS v3.2.1: 2.1 NIST 800-53: AC-3 ISO-27001: A.8.2.3, A.9.4.2 |
SQL public IP
Category name in the API: |
Finding description: A Cloud SQL database has a public IP address. Pricing tier: Premium
Supported assets |
Checks whether the IP address type of an
Cloud SQL database is set to
|
CIS GCP Foundation 1.1: 6.6 CIS GCP Foundation 1.2: 6.6 CIS GCP Foundation 1.3: 6.6 CIS GCP Foundation 2.0: 6.6, 6.2.9 |
SQL remote access enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.3.5 CIS GCP Foundation 1.3: 6.3.5 CIS GCP Foundation 2.0: 6.3.5 |
SQL skip show database disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.1.2 CIS GCP Foundation 1.3: 6.1.2 CIS GCP Foundation 2.0: 6.1.2 |
SQL trace flag 3625
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.3.6 CIS GCP Foundation 2.0: 6.3.6 |
SQL user connections configured
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.3.3 CIS GCP Foundation 1.3: 6.3.3 CIS GCP Foundation 2.0: 6.3.3 |
SQL user options configured
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.3.4 CIS GCP Foundation 1.3: 6.3.4 CIS GCP Foundation 2.0: 6.3.4 |
SQL weak root password
Category name in the API: |
Finding description: A Cloud SQL database that has a public IP address also has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Compares the password for the root account of your Cloud SQL database to a list of common passwords.
|
Storage vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Storage Buckets
configurations, and belong to theSTORAGE_SCANNER
typ