Vulnerability findings

Rapid Vulnerability Detection, Security Health Analytics, and Web Security Scanner detectors generate vulnerability findings that are available in Security Command Center. When they are enabled in Security Command Center, integrated services, like VM Manager, also generate vulnerability findings.

Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.

Detectors and compliance

Most of Security Command Center's detectors are mapped to one or more of the following compliance standards:

Center for Information Security (CIS) Google Cloud Computing Foundations Benchmark v1.3.0, v1.2.0, v1.1.0, and v1.0.0
Payment Card Industry Data Security Standard 3.2.1
National Institute of Standards and Technology 800-53
International Organization for Standardization 27001
Open Web Application Security Project (OWASP) Top Ten

CIS reviewed and certified the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Command Center frequently adds support for new benchmark versions and standards. Older versions of the CIS Benchmark remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark available.

For instructions on viewing and exporting compliance reports, see the Compliance section in Using Security Command Center in the Google Cloud console.

Finding deactivation after remediation

After you remediate a vulnerability or misconfiguration finding, the Security Command Center service that detected the finding automatically sets the state of the finding to INACTIVE the next time the detection service scans for the finding. How long Security Command Center takes to set a remediated finding to INACTIVE depends on the schedule of the scan that detects the finding.

The Security Command Center services also set the state of a vulnerability or misconfiguration finding to INACTIVE when a scan detects that the resource that is affected by the finding is deleted.

For more information about scan intervals, see the following topics:

Security Health Analytics findings

Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.

For more information about Security Health Analytics, scan schedules, and the Security Health Analytics support for both built-in and custom module detectors, see Overview of Security Health Analytics.

The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by various attributes by using the Security Command Center Vulnerabilities page in the Google Cloud console.

For instructions on fixing issues and protecting your resources, see Remediating Security Health Analytics findings.

API key vulnerability findings

The API_KEY_SCANNER detector identifies vulnerabilities related to API keys used in your cloud deployment.

**Table 1.** API key scanner
Detector	Summary	Asset scan settings	Compliance standards
`API key APIs unrestricted` Category name in the API: `API_KEY_APIS_UNRESTRICTED`	Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Retrieves the `restrictions` property of all API keys in a project, checking if any is set to `cloudapis.googleapis.com`. Real-time scans: Yes	CIS GCP Foundation 1.0: 1.12 CIS GCP Foundation 1.1: 1.14 CIS GCP Foundation 1.2: 1.14 CIS GCP Foundation 1.3: 1.14
`API key apps unrestricted` Category name in the API: `API_KEY_APPS_UNRESTRICTED`	Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Retrieves the `restrictions` property of all API keys in a project, checking whether `browserKeyRestrictions`, `serverKeyRestrictions`, `androidKeyRestrictions`, or `iosKeyRestrictions` is set. Real-time scans: Yes	CIS GCP Foundation 1.0: 1.11 CIS GCP Foundation 1.1: 1.13 CIS GCP Foundation 1.2: 1.13 CIS GCP Foundation 1.3: 1.13
`API key exists` Category name in the API: `API_KEY_EXISTS`	Finding description: A project is using API keys instead of standard authentication. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Retrieves all API keys owned by a project. Real-time scans: Yes	CIS GCP Foundation 1.0: 1.10 CIS GCP Foundation 1.1: 1.12 CIS GCP Foundation 1.2: 1.12 CIS GCP Foundation 1.3: 1.12
`API key not rotated` Category name in the API: `API_KEY_NOT_ROTATED`	Finding description: The API key hasn't been rotated for more than 90 days. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Retrieves the timestamp contained in the `createTime` property of all API keys, checking whether 90 days have passed. Real-time scans: Yes	CIS GCP Foundation 1.0: 1.13 CIS GCP Foundation 1.1: 1.15 CIS GCP Foundation 1.2: 1.15 CIS GCP Foundation 1.3: 1.15

Cloud Asset Inventory vulnerability findings

Vulnerabilities of this detector type all relate to Cloud Asset Inventory configurations and belong to the CLOUD_ASSET_SCANNER type.

**Table 2.** Cloud Asset Inventory scanner
Detector	Summary	Asset scan settings	Compliance standards
`Cloud Asset API disabled` Category name in the API: `CLOUD_ASSET_API_DISABLED`	Finding description: The capturing of Google Cloud resources and IAM policies by Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing. We recommend that Cloud Asset Inventory service be enabled for all projects. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium Supported assets pubsub.googleapis.com/Project Fix this finding	Checks if the Cloud Asset Inventory service is enabled. Real-time scans: Yes	CIS GCP Foundation 1.3: 2.13

Compute image vulnerability findings

The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to Google Cloud image configurations.

**Table 3.** Compute image scanner
Detector	Summary	Asset scan settings	Compliance standards
`Public Compute image` Category name in the API: `PUBLIC_COMPUTE_IMAGE`	Finding description: A Compute Engine image is publicly accessible. Pricing tier: Premium or Standard Supported assets compute.googleapis.com/Image Fix this finding	Checks the IAM allow policy in resource metadata for the principals `allUsers` or `allAuthenticatedUsers`, which grant public access. Real-time scans: Yes

Compute instance vulnerability findings

The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to Compute Engine instance configurations.

COMPUTE_INSTANCE_SCANNER detectors don't report findings on Compute Engine instances created by GKE. Such instances have names that start with "gke-", which users cannot edit. To secure these instances, refer to the Container vulnerability findings section.

**Table 4.** Compute instance scanner
Detector	Summary	Asset scan settings	Compliance standards
`Confidential Computing disabled` Category name in the API: `CONFIDENTIAL_COMPUTING_DISABLED`	Finding description: Confidential Computing is disabled on a Compute Engine instance. Pricing tier: Premium Supported assets compute.googleapis.com/Instance Fix this finding	Checks the `confidentialInstanceConfig` property of instance metadata for the key-value pair `"enableConfidentialCompute":true`. Assets excluded from scans: GKE instances, Serverless VPC Access, Compute Engine instances that are not of type N2D. Real-time scans: Yes	CIS GCP Foundation 1.2: 4.11
`Compute project wide SSH keys allowed` Category name in the API: `COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED`	Finding description: Project-wide SSH keys are used, allowing login to all instances in the project. Pricing tier: Premium Supported assets compute.googleapis.com/Instance Fix this finding	Checks the `metadata.items[]` object in instance metadata for the key-value pair `"key": "block-project-ssh-keys", "value": TRUE`. Assets excluded from scans: GKE instances, Dataflow job, Windows instance Additional IAM permissions: `roles/compute.Viewer` Additional inputs: Reads metadata from Compute Engine Real-time scans: No	CIS GCP Foundation 1.0: 4.2 CIS GCP Foundation 1.1: 4.3 CIS GCP Foundation 1.2: 4.3 CIS GCP Foundation 1.3: 4.3
`Compute Secure Boot disabled` Category name in the API: `COMPUTE_SECURE_BOOT_DISABLED`	Finding description: This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits. Pricing tier: Premium Supported assets compute.googleapis.com/Instance Fix this finding	Checks the `shieldedInstanceConfig` property on Compute Engine instances to determine if `enableIntegrityMonitoring`, `enableSecureBoot`, `enableVtpm` are all set to `true`. The fields indicate whether attached disks are compatible with Secure Boot and if Shielded VM is turned on. Assets excluded from scans: GKE instances, Compute Engine disks that have GPU accelerators and don't use Container-Optimized OS), Serverless VPC Access Real-time scans: Yes
`Compute serial ports enabled` Category name in the API: `COMPUTE_SERIAL_PORTS_ENABLED`	Finding description: Serial ports are enabled for an instance, allowing connections to the instance's serial console. Pricing tier: Premium Supported assets compute.googleapis.com/Instance Fix this finding	Checks the `metadata.items[]` object in instance metadata for the key-value pair `"key": "serial-port-enable", "value": TRUE`. Assets excluded from scans: GKE instances Additional IAM permissions: `roles/compute.Viewer` Additional inputs: Reads metadata from Compute Engine Real-time scans: Yes	CIS GCP Foundation 1.0: 4.4 CIS GCP Foundation 1.1: 4.5 CIS GCP Foundation 1.2: 4.5 CIS GCP Foundation 1.3: 4.5
`Default service account used` Category name in the API: `DEFAULT_SERVICE_ACCOUNT_USED`	Finding description: An instance is configured to use the default service account. Pricing tier: Premium Supported assets compute.googleapis.com/Instance Fix this finding	Checks the `serviceAccounts` property in instance metadata for any service account email addresses with the prefix `PROJECT_NUMBER-compute@developer.gserviceaccount.com`, indicating the Google-created default service account. Assets excluded from scans: GKE instances, Dataflow jobs Real-time scans: Yes	CIS GCP Foundation 1.1: 4.1 CIS GCP Foundation 1.2: 4.1 CIS GCP Foundation 1.3: 4.1
`Disk CMEK disabled` Category name in the API: `DISK_CMEK_DISABLED`	Finding description: Disks on this VM are not encrypted with customer- managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium Supported assets compute.googleapis.com/Disk Fix this finding	Checks the `kmsKeyName` field in the `diskEncryptionKey` object, in disk metadata, for the resource name of your CMEK. Real-time scans: Yes
`Disk CSEK disabled` Category name in the API: `DISK_CSEK_DISABLED`	Finding description: Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector. Pricing tier: Premium Supported assets compute.googleapis.com/Disk Fix this finding	Checks the `kmsKeyName` field in the `diskEncryptionKey` object for the resource name of your CSEK. Assets excluded from scans: Compute Engine disks without the enforce_customer_supplied_disk_encryption_keys security mark set to `true` Additional IAM permissions: `roles/compute.Viewer` Additional inputs: Reads metadata from Compute Engine Real-time scans: Yes	CIS GCP Foundation 1.0: 4.6 CIS GCP Foundation 1.1: 4.7 CIS GCP Foundation 1.2: 4.7 CIS GCP Foundation 1.3: 4.7
`Full API access` Category name in the API: `FULL_API_ACCESS`	Finding description: An instance is configured to use the default service account with full access to all Google Cloud APIs. Pricing tier: Premium Supported assets compute.googleapis.com/Instance Fix this finding	Retrieves the `scopes` field in the `serviceAccounts` property to check whether a default service account is used and if it is assigned the `cloud-platform` scope. Assets excluded from scans: GKE instances, Dataflow jobs Real-time scans: Yes	CIS GCP Foundation 1.0: 4.1 CIS GCP Foundation 1.1: 4.2 CIS GCP Foundation 1.2: 4.2 CIS GCP Foundation 1.3: 4.2 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3
`HTTP load balancer` Category name in the API: `HTTP_LOAD_BALANCER`	Finding description: An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets compute.googleapis.com/TargetHttpProxy Fix this finding	Determines if the `selfLink` property of the `targetHttpProxy` resource matches the `target` attribute in the forwarding rule, and if the forwarding rule contains a `loadBalancingScheme` field set to `External`. Additional IAM permissions: `roles/compute.Viewer` Additional inputs: Reads forwarding rules for a target HTTP proxy from Compute Engine, checking for external rules Real-time scans: Yes	PCI-DSS v3.2.1: 2.3
`IP forwarding enabled` Category name in the API: `IP_FORWARDING_ENABLED`	Finding description: IP forwarding is enabled on instances. Pricing tier: Premium Supported assets compute.googleapis.com/Instance Fix this finding	Checks whether the `canIpForward` property of the instance is set to `true`. Assets excluded from scans: GKE instances, Serverless VPC Access Real-time scans: Yes	CIS GCP Foundation 1.0: 4.5 CIS GCP Foundation 1.1: 4.6 CIS GCP Foundation 1.2: 4.6
`OS login disabled` Category name in the API: `OS_LOGIN_DISABLED`	Finding description: OS Login is disabled on this instance. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets compute.googleapis.com/Project Fix this finding	Checks the `commonInstanceMetadata.items[]` object in project metadata for the key-value pair, `"key"`: `"enable-oslogin"`, `"value"`: `TRUE`. The detector also checks all instances in a Compute Engine project to determine whether OS Login is disabled for individual instances. Assets excluded from scans: GKE instances Additional IAM permissions: `roles/compute.Viewer` Additional inputs: Reads metadata from Compute Engine. The detector also examines Compute Engine instances in the project Real-time scans: No	CIS GCP Foundation 1.0: 4.3 CIS GCP Foundation 1.1: 4.4 CIS GCP Foundation 1.2: 4.4 CIS GCP Foundation 1.3: 4.4
`Public IP address` Category name in the API: `PUBLIC_IP_ADDRESS`	Finding description: An instance has a public IP address. Pricing tier: Premium or Standard Supported assets compute.googleapis.com/Instance Fix this finding	Checks whether the `networkInterfaces` property contains an `accessConfigs` field, indicating it is configured to use a public IP address. Assets excluded from scans: GKE instances Real-time scans: Yes	CIS GCP Foundation 1.1: 4.9 CIS GCP Foundation 1.2: 4.9 CIS GCP Foundation 1.3: 4.9 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: CA-3, SC-7
`Shielded VM disabled` Category name in the API: `SHIELDED_VM_DISABLED`	Finding description: Shielded VM is disabled on this instance. Pricing tier: Premium Supported assets compute.googleapis.com/Instance Fix this finding	Checks the `shieldedInstanceConfig` property in Compute Engine instances to determine if `enableIntegrityMonitoring`, `enableSecureBoot`, `enableVtpm` fields are all set to `true`. The fields indicate whether attached disks are compatible with Secure Boot and if Shielded VM is turned on. Assets excluded from scans: GKE instances, Compute Engine disks that have GPU accelerators and don't use Container-Optimized OS, Serverless VPC Access Real-time scans: Yes	CIS GCP Foundation 1.1: 4.8 CIS GCP Foundation 1.2: 4.8 CIS GCP Foundation 1.3: 4.8
`Weak SSL policy` Category name in the API: `WEAK_SSL_POLICY`	Finding description: An instance has a weak SSL policy. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets compute.googleapis.com/TargetHttpsProxy compute.googleapis.com/TargetSslProxy Fix this finding	Checks whether `sslPolicy` in asset metadata is empty or is using the Google Cloud default policy and, for the attached `sslPolicies` resource, whether `profile` is set to `Restricted` or `Modern`, `minTlsVersion` is set to `TLS 1.2`, and `customFeatures` is empty or does not contain the following ciphers: `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`. Additional IAM permissions: `roles/compute.Viewer` Additional inputs: Reads SSL policies for target proxies storage, checking for weak policies Real-time scans: Yes, but only when the TargetHttpsProxy of the TargetSslProxy is updated, not when the SSL policy gets updated	CIS GCP Foundation 1.1: 3.9 CIS GCP Foundation 1.2: 3.9 CIS GCP Foundation 1.3: 3.9 PCI-DSS v3.2.1: 4.1 NIST 800-53: SC-7 ISO-27001: A.14.1.3

Container vulnerability findings

These finding types all relate to GKE container configurations, and belong to the CONTAINER_SCANNER detector type.

**Table 5.** Container scanner
Detector	Summary	Asset scan settings	Compliance standards
`Alpha cluster enabled` Category name in the API: `ALPHA_CLUSTER_ENABLED`	Finding description: Alpha cluster features are enabled for a GKE cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks whether the `enableKubernetesAlpha` property of a cluster is set to `true`. Real-time scans: Yes	CIS GKE 1.0: 6.10.2
`Auto repair disabled` Category name in the API: `AUTO_REPAIR_DISABLED`	Finding description: A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `management` property of a node pool for the key-value pair, `"key":` `"autoRepair"`, `"value":` `true`. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.7 CIS GKE 1.0: 6.5.2 PCI-DSS v3.2.1: 2.2
`Auto upgrade disabled` Category name in the API: `AUTO_UPGRADE_DISABLED`	Finding description: A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `management` property of a node pool for the key-value pair, `"key":` `"autoUpgrade"`, `"value":` `true`. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.8 CIS GKE 1.0: 6.5.3 PCI-DSS v3.2.1: 2.2
`Binary authorization disabled` Category name in the API: `BINARY_AUTHORIZATION_DISABLED`	Finding description: Binary Authorization is disabled on a GKE cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks whether the `binaryAuthorization` property contains the key-value pair, `"enabled": true`, and `defaultAdmissionRule` contains the key-value pair `evaluationMode: ALWAYS_ALLOW`. Real-time scans: Yes	CIS GKE 1.0: 6.10.5
`Cluster logging disabled` Category name in the API: `CLUSTER_LOGGING_DISABLED`	Finding description: Logging isn't enabled for a GKE cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks whether the `loggingService` property of a cluster contains the location Cloud Logging should use to write logs. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.7.1 PCI-DSS v3.2.1: 10.2.2, 10.2.7
`Cluster monitoring disabled` Category name in the API: `CLUSTER_MONITORING_DISABLED`	Finding description: Monitoring is disabled on GKE clusters. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks whether the `monitoringService` property of a cluster contains the location Cloud Monitoring should use to write metrics. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.2 CIS GKE 1.0: 6.7.1 PCI-DSS v3.2.1: 10.1, 10.2
`Cluster private Google access disabled` Category name in the API: `CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED`	Finding description: Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks whether the `privateIpGoogleAccess` property of a subnetwork is set to `false`. Additional inputs: Reads subnetworks from storage, filing findings only for clusters with subnetworks Real-time scans: Yes, but only if cluster is updated, not for subnetwork updates	CIS GCP Foundation 1.0: 7.1 PCI-DSS v3.2.1: 1.3
`Cluster secrets encryption disabled` Category name in the API: `CLUSTER_SECRETS_ENCRYPTION_DISABLED`	Finding description: Application-layer secrets encryption is disabled on a GKE cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `keyName` property of the `databaseEncryption` object for the key-value pair `"state": ENCRYPTED`. Real-time scans: Yes	CIS GKE 1.0: 6.3.1
`Cluster shielded nodes disabled` Category name in the API: `CLUSTER_SHIELDED_NODES_DISABLED`	Finding description: Shielded GKE nodes are not enabled for a cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `shieldedNodes` property for the key-value pair `"enabled": true`. Real-time scans: Yes	CIS GKE 1.0: 6.5.5
`COS not used` Category name in the API: `COS_NOT_USED`	Finding description: Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `config` property of a node pool for the key-value pair, `"imageType":` `"COS"`. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.9 CIS GKE 1.0: 6.5.1 PCI-DSS v3.2.1: 2.2
`Integrity monitoring disabled` Category name in the API: `INTEGRITY_MONITORING_DISABLED`	Finding description: Integrity monitoring is disabled for a GKE cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `shieldedInstanceConfig` property of the `nodeConfig` object for the key-value pair `"enableIntegrityMonitoring": true`. Real-time scans: Yes	CIS GKE 1.0: 6.5.6
`Intranode visibility disabled` Category name in the API: `INTRANODE_VISIBILITY_DISABLED`	Finding description: Intranode visibility is disabled for a GKE cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `networkConfig` property for the key-value pair `"enableIntraNodeVisibility": true`. Real-time scans: Yes	CIS GKE 1.0: 6.6.1
`IP alias disabled` Category name in the API: `IP_ALIAS_DISABLED`	Finding description: A GKE cluster was created with alias IP ranges disabled. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks whether the `useIPAliases` field of the `ipAllocationPolicy` in a cluster is set to `false`. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.6.2 PCI-DSS v3.2.1: 1.3.4, 1.3.7
`Legacy authorization enabled` Category name in the API: `LEGACY_AUTHORIZATION_ENABLED`	Finding description: Legacy Authorization is enabled on GKE clusters. Pricing tier: Premium or Standard Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `legacyAbac` property of a cluster for the key-value pair, `"enabled"`: `true`. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.3 CIS GKE 1.0: 6.8.3 PCI-DSS v3.2.1: 4.1
`Legacy metadata enabled` Category name in the API: `LEGACY_METADATA_ENABLED`	Finding description: Legacy metadata is enabled on GKE clusters. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `config` property of a node pool for the key-value pair, `"disable-legacy-endpoints"`: `"false"`. Real-time scans: Yes	CIS GKE 1.0: 6.4.1
`Master authorized networks disabled` Category name in the API: `MASTER_AUTHORIZED_NETWORKS_DISABLED`	Finding description: Control Plane Authorized Networks is not enabled on GKE clusters. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `masterAuthorizedNetworksConfig` property of a cluster for the key-value pair, `"enabled"`: `false`. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.4 CIS GKE 1.0: 6.6.3 PCI-DSS v3.2.1: 1.2.1, 1.3.2
`Network policy disabled` Category name in the API: `NETWORK_POLICY_DISABLED`	Finding description: Network policy is disabled on GKE clusters. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `networkPolicy` field of the `addonsConfig` property for the key-value pair, `"disabled"`: `true`. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.6.7 PCI-DSS v3.2.1: 1.3 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Nodepool boot CMEK disabled` Category name in the API: `NODEPOOL_BOOT_CMEK_DISABLED`	Finding description: Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `bootDiskKmsKey` property of node pools for the resource name of your CMEK. Real-time scans: Yes
`Nodepool secure boot disabled` Category name in the API: `NODEPOOL_SECURE_BOOT_DISABLED`	Finding description: Secure Boot is disabled for a GKE cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `shieldedInstanceConfig` property of the `nodeConfig` object for the key-value pair `"enableSecureBoot": true`. Real-time scans: Yes	CIS GKE 1.0: 6.5.7
`Over privileged account` Category name in the API: `OVER_PRIVILEGED_ACCOUNT`	Finding description: A service account has overly broad project access in a cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Evaluates the `config` property of a node pool to check if no service account is specified or if the default service account is used. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.2.1 PCI-DSS v3.2.1: 2.1, 7.1.2 NIST 800-53: AC-6, SC-7 ISO-27001: A.9.2.3
`Over privileged scopes` Category name in the API: `OVER_PRIVILEGED_SCOPES`	Finding description: A node service account has broad access scopes. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks whether the access scope listed in the `config.oauthScopes` property of a node pool is a limited service account access scope: `https://www.googleapis.com/auth/devstorage.read_only`, `https://www.googleapis.com/auth/logging.write`, or `https://www.googleapis.com/auth/monitoring`. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.2.1
`Pod security policy disabled` Category name in the API: `POD_SECURITY_POLICY_DISABLED`	Finding description: PodSecurityPolicy is disabled on a GKE cluster. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `podSecurityPolicyConfig` property of a cluster for the key-value pair, `"enabled"`: `false`. Additional IAM permissions: `roles/container.clusterViewer` Additional inputs: Reads cluster information from GKE, because pod security policies are a Beta feature. Kubernetes has officially deprecated PodSecurityPolicy in version 1.21. PodSecurityPolicy will be shut down in version 1.25. For information about alternatives, refer to PodSecurityPolicy deprecation. Real-time scans: No	CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.10.3
`Private cluster disabled` Category name in the API: `PRIVATE_CLUSTER_DISABLED`	Finding description: A GKE cluster has a Private cluster disabled. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks whether the `enablePrivateNodes` field of the `privateClusterConfig` property is set to `false`. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.1 CIS GKE 1.0: 6.6.5 PCI-DSS v3.2.1: 1.3.2
`Release channel disabled` Category name in the API: `RELEASE_CHANNEL_DISABLED`	Finding description: A GKE cluster is not subscribed to a release channel. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `releaseChannel` property for the key-value pair `"channel": UNSPECIFIED`. Real-time scans: Yes	CIS GKE 1.0: 6.5.4
`Web UI enabled` Category name in the API: `WEB_UI_ENABLED`	Finding description: The GKE web UI (dashboard) is enabled. Pricing tier: Premium or Standard Supported assets container.googleapis.com/Cluster Fix this finding	Checks the `kubernetesDashboard` field of the `addonsConfig` property for the key-value pair, `"disabled": false`. Real-time scans: Yes	CIS GCP Foundation 1.0: 7.6 CIS GKE 1.0: 6.10.1 PCI-DSS v3.2.1: 6.6
`Workload Identity disabled` Category name in the API: `WORKLOAD_IDENTITY_DISABLED`	Finding description: Workload Identity is disabled on a GKE cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Fix this finding	Checks whether the `workloadIdentityConfig` property of a cluster is set. The detector also checks whether the `workloadMetadataConfig` property of a node pool is set to `GKE_METADATA`. Additional IAM permissions: `roles/container.clusterViewer` Real-time scans: Yes	CIS GKE 1.0: 6.2.2

Dataproc vulnerability findings

Vulnerabilities of this detector type all relate to Dataproc and belong to the DATAPROC_SCANNER detector type.

**Table 6.** Dataproc scanner
Detector	Summary	Asset scan settings	Compliance standards
`Dataproc CMEK disabled` Category name in the API: `DATAPROC_CMEK_DISABLED`	Finding description: A Dataproc cluster was created without an encryption configuration CMEK. With CMEK, keys that you create and manage in Cloud Key Management Service wrap the keys that Google Cloud uses to encrypt your data, giving you more control over access to your data. Pricing tier: Premium Supported assets dataproc.googleapis.com/Cluster Fix this finding	Checks whether the `kmsKeyName` field in the `encryptionConfiguration` property is empty. Real-time scans: Yes	CIS GCP Foundation 1.3: 1.17
`Dataproc image outdated` Category name in the API: `DATAPROC_IMAGE_OUTDATED`	Finding description: A Dataproc cluster was created with a Dataproc image version that is impacted by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046). Pricing tier: Premium or Standard Supported assets dataproc.googleapis.com/Cluster Fix this finding	Checks whether the `softwareConfig.imageVersion` field in the `config` property of a `Cluster` is earlier than 1.3.95 or is a subminor image version earlier than 1.4.77, 1.5.53, or 2.0.27. Real-time scans: Yes

Dataset vulnerability findings

Vulnerabilities of this detector type all relate to BigQuery Dataset configurations, and belong to the DATASET_SCANNER detector type.

**Table 7.** Dataset scanner
Detector	Summary	Asset scan settings	Compliance standards
`BigQuery table CMEK disabled` Category name in the API: `BIGQUERY_TABLE_CMEK_DISABLED`	Finding description: A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium Supported assets bigquery.googleapis.com/Table Fix this finding	Checks whether the `kmsKeyName` field in the `encryptionConfiguration` property is empty. Real-time scans: Yes	CIS GCP Foundation 1.2: 7.2 CIS GCP Foundation 1.3: 7.2
`Dataset CMEK disabled` Category name in the API: `DATASET_CMEK_DISABLED`	Finding description: A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium Supported assets bigquery.googleapis.com/Dataset Fix this finding	Checks whether the `kmsKeyName` field in the `defaultEncryptionConfiguration` property is empty. Real-time scans: No	CIS GCP Foundation 1.2: 7.3 CIS GCP Foundation 1.3: 7.3
`Public dataset` Category name in the API: `PUBLIC_DATASET`	Finding description: A dataset is configured to be open to public access. Pricing tier: Premium or Standard Supported assets bigquery.googleapis.com/Dataset Fix this finding	Checks the IAM allow policy in resource metadata for the principals `allUsers` or `allAuthenticatedUsers`, which grant public access. Real-time scans: Yes	CIS GCP Foundation 1.1: 7.1 CIS GCP Foundation 1.2: 7.1 CIS GCP Foundation 1.3: 7.1 PCI-DSS v3.2.1: 7.1 NIST 800-53: AC-2 ISO-27001: A.8.2.3, A.14.1.3

DNS vulnerability findings

Vulnerabilities of this detector type all relate to Cloud DNS configurations, and belong to the DNS_SCANNER detector type.

**Table 8.** DNS scanner
Detector	Summary	Asset scan settings	Compliance standards
`DNSSEC disabled` Category name in the API: `DNSSEC_DISABLED`	Finding description: DNSSEC is disabled for Cloud DNS zones. Pricing tier: Premium Supported assets dns.googleapis.com/ManagedZone Fix this finding	Checks whether the `state` field of the `dnssecConfig` property is set to `off`. Assets excluded from scans: Cloud DNS zones that are not public Real-time scans: Yes	CIS GCP Foundation 1.0: 3.3 CIS GCP Foundation 1.1: 3.3 CIS GCP Foundation 1.2: 3.3 CIS GCP Foundation 1.3: 3.3 ISO-27001: A.8.2.3
`RSASHA1 for signing` Category name in the API: `RSASHA1_FOR_SIGNING`	Finding description: RSASHA1 is used for key signing in Cloud DNS zones. Pricing tier: Premium Supported assets dns.googleapis.com/ManagedZone Fix this finding	Checks whether the `defaultKeySpecs.algorithm` object of the `dnssecConfig` property is set to `rsasha1`. Real-time scans: Yes	CIS GCP Foundation 1.0: 3.4, 3.5 CIS GCP Foundation 1.1: 3.4, 3.5 CIS GCP Foundation 1.2: 3.4, 3.5 CIS GCP Foundation 1.3: 3.4, 3.5

Firewall vulnerability findings

Vulnerabilities of this detector type all relate to firewall configurations, and belong to the FIREWALL_SCANNER detector type.

**Table 9.** Firewall scanner
Detector	Summary	Asset scan settings	Compliance standards
`Egress deny rule not set` Category name in the API: `EGRESS_DENY_RULE_NOT_SET`	Finding description: An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks whether the `destinationRanges` property in the firewall is set to `0.0.0.0/0` and the `denied` property contains the key-value pair, `"IPProtocol"`: `"all"`. Additional inputs: Reads egress firewalls for a project from storage Real-time scans: Yes, but only on project changes, not firewall rule changes	PCI-DSS v3.2.1: 7.2
`Firewall rule logging disabled` Category name in the API: `FIREWALL_RULE_LOGGING_DISABLED`	Finding description: Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `logConfig` property in firewall metadata to see if it's empty or contains the key-value pair `"enable"`: `false`. Assets excluded from scans: GKE instances, firewall rules created by GKE, Serverless VPC Access Real-time scans: Yes	PCI-DSS v3.2.1: 10.1, 10.2 NIST 800-53: SI-4 ISO-27001: A.13.1.1
`Open Cassandra port` Category name in the API: `OPEN_CASSANDRA_PORT`	Finding description: A firewall is configured to have an open Cassandra port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open ciscosecure websm port` Category name in the API: `OPEN_CISCOSECURE_WEBSM_PORT`	Finding description: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access. Pricing tier: Premium or Standard Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocol and port: `TCP:9090`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open directory services port` Category name in the API: `OPEN_DIRECTORY_SERVICES_PORT`	Finding description: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access. Pricing tier: Premium or Standard Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:445` and `UDP:445`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open DNS port` Category name in the API: `OPEN_DNS_PORT`	Finding description: A firewall is configured to have an open DNS port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:53` and `UDP:53`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open elasticsearch port` Category name in the API: `OPEN_ELASTICSEARCH_PORT`	Finding description: A firewall is configured to have an open ELASTICSEARCH port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:9200, 9300`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open firewall` Category name in the API: `OPEN_FIREWALL`	Finding description: A firewall is configured to be open to public access. Pricing tier: Premium or Standard Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `sourceRanges` and `allowed` properties for one of two configurations: The `sourceRanges` property contains `0.0.0.0/0` and the `allowed` property contains a combination of rules that includes any `protocol` or `protocol:port`, except the following: icmp tcp:22 tcp:443 tcp:3389 udp:3389 sctp:22 The `sourceRanges` property contains a combination of IP ranges that includes any non-private IP address and the `allowed` property contains a combination of rules that permit either all tcp ports or all udp ports. Assets excluded from scans: Firewall rules created by GKE Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1
`Open FTP port` Category name in the API: `OPEN_FTP_PORT`	Finding description: A firewall is configured to have an open FTP port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocol and port: `TCP:21`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open HTTP port` Category name in the API: `OPEN_HTTP_PORT`	Finding description: A firewall is configured to have an open HTTP port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:80`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open LDAP port` Category name in the API: `OPEN_LDAP_PORT`	Finding description: A firewall is configured to have an open LDAP port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:389, 636` and `UDP:389`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open Memcached port` Category name in the API: `OPEN_MEMCACHED_PORT`	Finding description: A firewall is configured to have an open MEMCACHED port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:11211, 11214-11215` and `UDP:11211, 11214-11215`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open MongoDB port` Category name in the API: `OPEN_MONGODB_PORT`	Finding description: A firewall is configured to have an open MONGODB port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:27017-27019`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open MySQL port` Category name in the API: `OPEN_MYSQL_PORT`	Finding description: A firewall is configured to have an open MYSQL port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocol and port: `TCP:3306`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open NetBIOS port` Category name in the API: `OPEN_NETBIOS_PORT`	Finding description: A firewall is configured to have an open NETBIOS port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:137-139` and `UDP:137-139`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open OracleDB port` Category name in the API: `OPEN_ORACLEDB_PORT`	Finding description: A firewall is configured to have an open ORACLEDB port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:1521, 2483-2484` and `UDP:2483-2484`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open pop3 port` Category name in the API: `OPEN_POP3_PORT`	Finding description: A firewall is configured to have an open POP3 port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocol and port: `TCP:110`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open PostgreSQL port` Category name in the API: `OPEN_POSTGRESQL_PORT`	Finding description: A firewall is configured to have an open PostgreSQL port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:5432` and `UDP:5432`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open RDP port` Category name in the API: `OPEN_RDP_PORT`	Finding description: A firewall is configured to have an open RDP port that allows generic access. Pricing tier: Premium or Standard Supported assets compute.googleapis.com/Firewall Fix this finding	Checks the `allowed` property in firewall metadata for the following protocols and ports: `TCP:3389` and `UDP:3389`. Real-time scans: Yes	CIS GCP Foundation 1.0: 3.7 CIS GCP Foundation 1.1: 3.7 CIS GCP Foundation 1.2: 3.7 CIS GCP Foundation 1.3: 3.7 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open Redis port` Category name in the API: `OPEN_REDIS_PORT`	Finding description: A firewall is configured to have an open REDIS port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks whether the `allowed` property in firewall metadata contains the following protocol and port: `TCP:6379`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open SMTP port` Category name in the API: `OPEN_SMTP_PORT`	Finding description: A firewall is configured to have an open SMTP port that allows generic access. Pricing tier: Premium Supported assets compute.googleapis.com/Firewall Fix this finding	Checks whether the `allowed` property in firewall metadata contains the following protocol and port: `TCP:25`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open SSH port` Category name in the API: `OPEN_SSH_PORT`	Finding description: A firewall is configured to have an open SSH port that allows generic access. Pricing tier: Premium or Standard Supported assets compute.googleapis.com/Firewall Fix this finding	Checks whether the `allowed` property in firewall metadata contains the following protocols and ports: `TCP:22` and `SCTP:22`. Real-time scans: Yes	CIS GCP Foundation 1.0: 3.6 CIS GCP Foundation 1.1: 3.6 CIS GCP Foundation 1.2: 3.6 CIS GCP Foundation 1.3: 3.6 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1
`Open Telnet port` Category name in the API: `OPEN_TELNET_PORT`	Finding description: A firewall is configured to have an open TELNET port that allows generic access. Pricing tier: Premium or Standard Supported assets compute.googleapis.com/Firewall Fix this finding	Checks whether the `allowed` property in firewall metadata contains the following protocol and port: `TCP:23`. Real-time scans: Yes	PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1

IAM vulnerability findings

Vulnerabilities of this detector type all relate to Identity and Access Management (IAM) configuration, and belong to the IAM_SCANNER detector type.

**Table 10.** IAM Scanner
Detector	Summary	Asset scan settings	Compliance standards
`Access Transparency disabled` Category name in the API: `ACCESS_TRANSPARENCY_DISABLED`	Finding description: Google Cloud Access Transparency is disabled for your organization. Access Transparency logs when Google Cloud employees access the projects in your organization to provide support. Enable Access Transparency to log who from Google Cloud is accessing your information, when, and why. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organization Fix this finding	Checks if your organization has Access Transparency enabled. Real-time scans: No	CIS GCP Foundation 1.3: 2.14
`Admin service account` Category name in the API: `ADMIN_SERVICE_ACCOUNT`	Finding description: A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organization cloudresourcemanager.googleapis.com/Folder cloudresourcemanager.googleapis.com/Project Fix this finding	Checks the IAM allow policy in resource metadata for any user-created service accounts (indicated by the prefix *iam.gserviceaccount.com), that are assigned `roles/Owner` or `roles/Editor`, or a role ID that contains `admin`. Assets excluded from scans: Container Registry service account (containerregistry.iam.gserviceaccount.com) and Security Command Center service account (security-center-api.iam.gserviceaccount.com) Real-time scans*: Yes, unless the IAM update is done on a folder	CIS GCP Foundation 1.0: 1.4 CIS GCP Foundation 1.1: 1.5 CIS GCP Foundation 1.2: 1.5 CIS GCP Foundation 1.3: 1.5
`Essential Contacts Not Configured` Category name in the API: `ESSENTIAL_CONTACTS_NOT_CONFIGURED`	Finding description: Your organization has not designated a person or group to receive notifications from Google Cloud about important events such as attacks, vulnerabilities, and data incidents within your Google Cloud organization. We recommend that you designate as an Essential Contact one or more persons or groups in your business organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organization Fix this finding	Checks that a contact is specified for the following essential contact categories: Legal Security Suspension Technical Real-time scans: No	CIS GCP Foundation 1.3: 1.16
`KMS role separation` Category name in the API: `KMS_ROLE_SEPARATION`	Finding description: Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. This finding isn't available for project-level activations. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organization cloudresourcemanager.googleapis.com/Folder cloudresourcemanager.googleapis.com/Project Fix this finding	Checks IAM allow policies in resource metadata and retrieves principals assigned any of the following roles at the same time: `roles/cloudkms.cryptoKeyEncrypterDecrypter`, `roles/cloudkms.cryptoKeyEncrypter`, and `roles/cloudkms.cryptoKeyDecrypter`, `roles/cloudkms.signer`, `roles/cloudkms.signerVerifier`, `roles/cloudkms.publicKeyViewer`. Real-time scans: Yes	CIS GCP Foundation 1.0: 1.9 CIS GCP Foundation 1.1: 1.11 NIST 800-53: AC-5 ISO-27001: A.9.2.3, A.10.1.2
`Non org IAM member` Category name in the API: `NON_ORG_IAM_MEMBER`	Finding description: There is a user who isn't using organizational credentials. Per CIS GCP Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector. Pricing tier: Premium or Standard Supported assets cloudresourcemanager.googleapis.com/Organization cloudresourcemanager.googleapis.com/Folder cloudresourcemanager.googleapis.com/Project Fix this finding	Compares @gmail.com email addresses in the `user` field in IAM allow policy metadata to a list of approved identities for your organization. Real-time scans: Yes	CIS GCP Foundation 1.0: 1.1 CIS GCP Foundation 1.1: 1.1 CIS GCP Foundation 1.2: 1.1 CIS GCP Foundation 1.3: 1.1 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-3 ISO-27001: A.9.2.3
`Open group IAM member` Category name in the API: `OPEN_GROUP_IAM_MEMBER`	Finding description: A Google Groups account that can be joined without approval is used as an IAM allow policy principal. Pricing tier: Premium or Standard Supported assets cloudresourcemanager.googleapis.com/Organization cloudresourcemanager.googleapis.com/Folder cloudresourcemanager.googleapis.com/Project Fix this finding	Checks the IAM policy in resource metadata for any bindings containing a member (principal) that's prefixed with `group`. If the group is an open group, Security Health Analytics generates this finding. Additional inputs: Reads Google Groups metadata to check whether the group identified is an open group. Real-time scans: No
`Over privileged service account user` Category name in the API: `OVER_PRIVILEGED_SERVICE_ACCOUNT_USER`	Finding description: A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organization cloudresourcemanager.googleapis.com/Folder cloudresourcemanager.googleapis.com/Project Fix this finding	Checks the IAM allow policy in resource metadata for any principals assigned `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator` at the project level. Assets excluded from scans: Cloud Build service accounts Real-time scans: Yes	CIS GCP Foundation 1.0: 1.5 CIS GCP Foundation 1.1: 1.6 CIS GCP Foundation 1.2: 1.6 CIS GCP Foundation 1.3: 1.6 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3
`Primitive roles used` Category name in the API: `PRIMITIVE_ROLES_USED`	Finding description: A user has the basic role, Owner, Writer, or Reader. These roles are too permissive and shouldn't be used. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organization cloudresourcemanager.googleapis.com/Folder cloudresourcemanager.googleapis.com/Project Fix this finding	Checks the IAM allow policy in resource metadata for any principals assigned `roles/Owner`, `roles/Writer`, or `roles/Reader`. Real-time scans: Yes	PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3
`Redis role used on org` Category name in the API: `REDIS_ROLE_USED_ON_ORG`	Finding description: A Redis IAM role is assigned at the organization or folder level. This finding isn't available for project-level activations. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organization Fix this finding	Checks the IAM allow policy in resource metadata for principals assigned `roles/redis.admin`, `roles/redis.editor`, `roles/redis.viewer` at the organization or folder level. Real-time scans: Yes	PCI-DSS v3.2.1: 7.1.2 ISO-27001: A.9.2.3
`Service account role separation` Category name in the API: `SERVICE_ACCOUNT_ROLE_SEPARATION`	Finding description: A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. This finding isn't available for project-level activations. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organization cloudresourcemanager.googleapis.com/Folder cloudresourcemanager.googleapis.com/Project Fix this finding	Checks the IAM allow policy in resource metadata for any principals assigned both `roles/iam.serviceAccountUser` and `roles/iam.serviceAccountAdmin`. Real-time scans: Yes	CIS GCP Foundation 1.0: 1.7 CIS GCP Foundation 1.1: 1.8 CIS GCP Foundation 1.2: 1.8 CIS GCP Foundation 1.3: 1.8 NIST 800-53: AC-5 ISO-27001: A.9.2.3
`Service account key not rotated` Category name in the API: `SERVICE_ACCOUNT_KEY_NOT_ROTATED`	Finding description: A service account key hasn't been rotated for more than 90 days. Pricing tier: Premium Supported assets iam.googleapis.com/ServiceAccountKey Fix this finding	Evaluates the key creation timestamp captured in the `validAfterTime` property in service accounts key metadata. Assets excluded from scans: Expired service account keys and keys not managed by users Real-time scans: Yes	CIS GCP Foundation 1.0: 1.6	CIS GCP Foundation 1.1: 1.7	CIS GCP Foundation 1.2: 1.7
`User managed service account key` Category name in the API: `USER_MANAGED_SERVICE_ACCOUNT_KEY`	Finding description: A user manages a service account key. Pricing tier: Premium Supported assets iam.googleapis.com/ServiceAccountKey Fix this finding	Checks whether the `keyType` property in service account key metadata is set to `User_Managed`. Real-time scans: Yes	CIS GCP Foundation 1.0: 1.3	CIS GCP Foundation 1.1: 1.4	CIS GCP Foundation 1.2: 1.4

KMS vulnerability findings

Vulnerabilities of this detector type all relate to Cloud KMS configurations, and belong to the KMS_SCANNER detector type.

**Table 11.** KMS scanner
Detector	Summary	Asset scan settings	Compliance standards
`KMS key not rotated` Category name in the API: `KMS_KEY_NOT_ROTATED`	Finding description: Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days. Pricing tier: Premium Supported assets cloudkms.googleapis.com/CryptoKey Fix this finding	Checks resource metadata for the existence of `rotationPeriod` or `nextRotationTime` properties. Assets excluded from scans: Asymmetric keys and keys with disabled or destroyed primary versions Real-time scans: Yes	CIS GCP Foundation 1.0: 1.8 CIS GCP Foundation 1.1: 1.10 CIS GCP Foundation 1.2: 1.10 CIS GCP Foundation 1.3: 1.10 PCI-DSS v3.2.1: 3.5 NIST 800-53: SC-12 ISO-27001: A.10.1.2
`KMS project has owner` Category name in the API: `KMS_PROJECT_HAS_OWNER`	Finding description: A user has Owner permissions on a project that has cryptographic keys. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Checks the IAM allow policy in project metadata for principals assigned `roles/Owner`. Additional inputs: Reads cryptokeys for a project from storage, filing findings only for projects with cryptokeys Real-time scans: Yes, but only on changes to IAM allow policy, not on changes to KMS keys	CIS GCP Foundation 1.1: 1.11 CIS GCP Foundation 1.2: 1.11 CIS GCP Foundation 1.3: 1.11 PCI-DSS v3.2.1: 3.5 NIST 800-53: AC-6, SC-12 ISO-27001: A.9.2.3, A.10.1.2
`KMS public key` Category name in the API: `KMS_PUBLIC_KEY`	Finding description: A Cloud KMS cryptographic key is publicly accessible. Pricing tier: Premium Supported assets cloudkms.googleapis.com/CryptoKey cloudkms.googleapis.com/KeyRing Fix this finding	Checks the IAM allow policy in resource metadata for the principals `allUsers` or `allAuthenticatedUsers`, which grant public access. Real-time scans: Yes	CIS GCP Foundation 1.1: 1.9 CIS GCP Foundation 1.2: 1.9 CIS GCP Foundation 1.3: 1.9
`Too many KMS users` Category name in the API: `TOO_MANY_KMS_USERS`	Finding description: There are more than three users of cryptographic keys. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudkms.googleapis.com/CryptoKey Fix this finding	Checks IAM allow policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: `roles/owner`, `roles/cloudkms.cryptoKeyEncrypterDecrypter`, `roles/cloudkms.cryptoKeyEncrypter`, `roles/cloudkms.cryptoKeyDecrypter`, `roles/cloudkms.signer`, and `roles/cloudkms.signerVerifier`. Additional inputs: Reads cryptokey versions for a cryptokey from storage, filing findings only for keys with active versions. The detector also reads key ring, project, and organization IAM allow policies from storage Real-time scans: Yes	PCI-DSS v3.2.1: 3.5.2 ISO-27001: A.9.2.3

Logging vulnerability findings

Vulnerabilities of this detector type all relate to logging configurations, and belong to the LOGGING_SCANNER detector type.

**Table 12.** Logging scanner
Detector	Summary	Asset scan settings	Compliance standards
`Audit logging disabled` Category name in the API: `AUDIT_LOGGING_DISABLED`	Finding description: Audit logging has been disabled for this resource. This finding isn't available for project-level activations. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organization cloudresourcemanager.googleapis.com/Folder cloudresourcemanager.googleapis.com/Project Fix this finding	Checks the IAM allow policy in resource metadata for the existence of an `auditLogConfigs` object. Real-time scans: Yes	CIS GCP Foundation 1.0: 2.1 CIS GCP Foundation 1.1: 2.1 CIS GCP Foundation 1.2: 2.1 CIS GCP Foundation 1.3: 2.1 PCI-DSS v3.2.1: 10.1, 10.2 NIST 800-53: AC-2, AU-2 ISO-27001: A.12.4.1, A.16.1.7
`Bucket logging disabled` Category name in the API: `BUCKET_LOGGING_DISABLED`	Finding description: There is a storage bucket without logging enabled. Pricing tier: Premium Supported assets storage.googleapis.com/Bucket Fix this finding	Checks whether the `logBucket` field in the bucket's `logging` property is empty. Real-time scans: Yes	CIS GCP Foundation 1.0: 5.3
`Locked retention policy not set` Category name in the API: `LOCKED_RETENTION_POLICY_NOT_SET`	Finding description: A locked retention policy is not set for logs. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets storage.googleapis.com/Bucket Fix this finding	Checks whether the `isLocked` field in the bucket's `retentionPolicy` property is set to `true`. Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket Real-time scans: Yes	CIS GCP Foundation 1.1: 2.3 CIS GCP Foundation 1.2: 2.3 CIS GCP Foundation 1.3: 2.3 PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-11 ISO-27001: A.12.4.2, A.18.1.3
`Log not exported` Category name in the API: `LOG_NOT_EXPORTED`	Finding description: There is a resource that doesn't have an appropriate log sink configured. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Retrieves a `logSink` object in a project, checking that the `includeChildren` field is set to `true`, the `destination` field includes the location to write logs to, and the `filter` field is populated. Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket Real-time scans: Yes, but only on project changes, not if log export is set up on folder or organization	CIS GCP Foundation 1.0: 2.2 CIS GCP Foundation 1.1: 2.2 CIS GCP Foundation 1.2: 2.2 CIS GCP Foundation 1.3: 2.2 ISO-27001: A.18.1.3
`Object versioning disabled` Category name in the API: `OBJECT_VERSIONING_DISABLED`	Finding description: Object versioning isn't enabled on a storage bucket where sinks are configured. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets storage.googleapis.com/Bucket Fix this finding	Checks whether the `enabled` field in the bucket's `versioning` property is set to `true`. Assets excluded from scans: Cloud Storage buckets with a locked retention policy Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket Real-time scans: Yes, but only if object versioning changes, not if log buckets are created	CIS GCP Foundation 1.0: 2.3 PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-11 ISO-27001: A.12.4.2, A.18.1.3

Monitoring vulnerability findings

Vulnerabilities of this detector type all relate to monitoring configurations, and belong to the MONITORING_SCANNER type. All Monitoring detector finding properties include:

The RecommendedLogFilter to use in creating the log metrics.
The QualifiedLogMetricNames that cover the conditions listed in the recommended log filter.
TheAlertPolicyFailureReasonsthat indicate if the project does not have alert policies created for any of the qualified log metrics or the existing alert policies don't have the recommended settings.

**Table 13.** Monitoring scanner
Detector	Summary	Asset scan settings	Compliance standards
`Audit config not monitored` Category name in the API: `AUDIT_CONFIG_NOT_MONITORED`	Finding description: Log metrics and alerts aren't configured to monitor Audit Configuration changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Checks whether the `filter` property of the project's `LogsMetric` resource is set to `protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:`, and if `resource.type` is specified, that the value is `global`. The detector also searches for a corresponding `alertPolicy` resource, checking that the `conditions` and `notificationChannels` properties are properly configured. Additional IAM permissions: `roles/monitoring.alertPolicyViewer` Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts Real-time scans*: Yes, but only on project changes, not on log metrics and alert changes	CIS GCP Foundation 1.0: 2.5 CIS GCP Foundation 1.1: 2.5 CIS GCP Foundation 1.2: 2.5
`Bucket IAM not monitored` Category name in the API: `BUCKET_IAM_NOT_MONITORED`	Finding description: Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Checks whether the `filter` property of the project's `LogsMetric` resource is set to `resource.type=gcs_bucket AND protoPayload.methodName="storage.setIamPermissions"`. The detector also searches for a corresponding `alertPolicy` resource, checking that the `conditions` and `notificationChannels` properties are properly configured. Additional IAM permissions: `roles/monitoring.alertPolicyViewer` Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts Real-time scans: Yes, but only on project changes, not on log metrics and alert changes	CIS GCP Foundation 1.0: 2.10 CIS GCP Foundation 1.1: 2.10 CIS GCP Foundation 1.2: 2.10 CIS GCP Foundation 1.3: 2.10
`Custom role not monitored` Category name in the API: `CUSTOM_ROLE_NOT_MONITORED`	Finding description: Log metrics and alerts aren't configured to monitor Custom Role changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Checks whether the `filter` property of the project's `LogsMetric` resource is set to `resource.type="iam_role" AND (protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")`. The detector also searches for a corresponding `alertPolicy` resource, checking that the `conditions` and `notificationChannels` properties are properly configured. Additional IAM permissions: `roles/monitoring.alertPolicyViewer` Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts Real-time scans: Yes, but only on project changes, not on log metrics and alert changes	CIS GCP Foundation 1.0: 2.6 CIS GCP Foundation 1.1: 2.6 CIS GCP Foundation 1.2: 2.6 CIS GCP Foundation 1.3: 2.6
`Firewall not monitored` Category name in the API: `FIREWALL_NOT_MONITORED`	Finding description: Log metrics and alerts aren't configured to monitor Virtual Private Cloud (VPC) Network Firewall rule changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Checks whether the `filter` property of the project's `LogsMetric` resource is set to `resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.delete")`. The detector also searches for a corresponding `alertPolicy` resource, checking that the `conditions` and `notificationChannels` properties are properly configured. Additional IAM permissions: `roles/monitoring.alertPolicyViewer` Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts Real-time scans: Yes, but only on project changes, not on log metrics and alert changes	CIS GCP Foundation 1.0: 2.7 CIS GCP Foundation 1.1: 2.7 CIS GCP Foundation 1.2: 2.7 CIS GCP Foundation 1.3: 2.7
`Network not monitored` Category name in the API: `NETWORK_NOT_MONITORED`	Finding description: Log metrics and alerts aren't configured to monitor VPC network changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Checks whether the `filter` property of the project's `LogsMetric` resource is set to `resource.type="gce_network" AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")`. The detector also searches for a corresponding `alertPolicy` resource, checking that the `conditions` and `notificationChannels` properties are properly configured. Additional IAM permissions: `roles/monitoring.alertPolicyViewer` Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts Real-time scans: Yes, but only on project changes, not on log metrics and alert changes	CIS GCP Foundation 1.0: 2.9 CIS GCP Foundation 1.1: 2.9 CIS GCP Foundation 1.2: 2.9 CIS GCP Foundation 1.3: 2.9
`Owner not monitored` Category name in the API: `OWNER_NOT_MONITORED`	Finding description: Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Checks whether the `filter` property of the project's `LogsMetric` resource is set to `(protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")`, and if `resource.type` is specified, that the value is `global`. The detector also searches for a corresponding `alertPolicy` resource, checking that the `conditions` and `notificationChannels` properties are properly configured. Additional IAM permissions: `roles/monitoring.alertPolicyViewer` Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts Real-time scans: Yes, but only on project changes, not on log metrics and alert changes	CIS GCP Foundation 1.0: 2.4 CIS GCP Foundation 1.1: 2.4 CIS GCP Foundation 1.2: 2.4 CIS GCP Foundation 1.3: 2.4
`Route not monitored` Category name in the API: `ROUTE_NOT_MONITORED`	Finding description: Log metrics and alerts aren't configured to monitor VPC network route changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Checks whether the `filter` property of the project's `LogsMetric` resource is set to `resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert")`. The detector also searches for a corresponding `alertPolicy` resource, checking that the `conditions` and `notificationChannels` properties are properly configured. Additional IAM permissions: `roles/monitoring.alertPolicyViewer` Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts Real-time scans: Yes, but only on project changes, not on log metrics and alert changes	CIS GCP Foundation 1.0: 2.8 CIS GCP Foundation 1.1: 2.8 CIS GCP Foundation 1.2: 2.8 CIS GCP Foundation 1.3: 2.8
`SQL instance not monitored` `SQL_INSTANCE_NOT_MONITORED`	Finding description: Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Fix this finding	Checks whether the `filter` property of the project's `LogsMetric` resource is set to `protoPayload.methodName="cloudsql.instances.update" OR protoPayload.methodName="cloudsql.instances.create" OR protoPayload.methodName="cloudsql.instances.delete"`, and if `resource.type` is specified, that the value is `global`. The detector also searches for a corresponding `alertPolicy` resource, checking that the `conditions` and `notificationChannels` properties are properly configured. Additional IAM permissions: `roles/monitoring.alertPolicyViewer` Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts Real-time scans: Yes, but only on project changes, not on log metrics and alert changes	CIS GCP Foundation 1.0: 2.11 CIS GCP Foundation 1.1: 2.11 CIS GCP Foundation 1.2: 2.11 CIS GCP Foundation 1.3: 2.11

Multi-factor authentication findings

The MFA_SCANNER detector identifies vulnerabilities related to multi-factor authentication for users.

**Table 14.** Multi-factor authentication scanner
Detector	Summary	Asset scan settings	Compliance standards
`MFA not enforced` Category name in the API: `MFA_NOT_ENFORCED`	There are users who aren't using 2-step verification. This finding isn't available for project-level activations. Pricing tier: Premium or Standard Supported assets cloudresourcemanager.googleapis.com/Organization Fix this finding	Evaluates identity management policies in organizations and user settings for managed accounts in Cloud Identity. Assets excluded from scans: Organization units granted exceptions to the policy Additional inputs: Reads data from Google Workspace Real-time scans: No	CIS GCP Foundation 1.0: 1.2 CIS GCP Foundation 1.1: 1.2 CIS GCP Foundation 1.2: 1.2 CIS GCP Foundation 1.3: 1.2 PCI-DSS v3.2.1: 8.3 NIST 800-53: IA-2 ISO-27001: A.9.4.2

Network vulnerability findings

Vulnerabilities of this detector type all relate to an organization's network configurations, and belong to theNETWORK_SCANNERtype.

**Table 15.** Network scanner
Detector	Summary	Asset scan settings	Compliance standards
`Default network` Category name in the API: `DEFAULT_NETWORK`	Finding description: The default network exists in a project. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets compute.googleapis.com/Network Fix this finding	Checks whether the `name` property in network metadata is set to `default` Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state Real-time scans: Yes	CIS GCP Foundation 1.0: 3.1 CIS GCP Foundation 1.1: 3.1 CIS GCP Foundation 1.2: 3.1 CIS GCP Foundation 1.3: 3.1
`DNS logging disabled` Category name in the API: `DNS_LOGGING_DISABLED`	Finding description: DNS logging on a VPC network is not enabled. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets compute.googleapis.com/Network dns.googleapis.com/Policy Fix this finding	Checks all `policies` that are associated with a VPC network through the `networks[].networkUrl` field, and looks for at least one policy that has `enableLogging` set to `true`. Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state Real-time scans: Yes	CIS GCP Foundation 1.2: 2.12 CIS GCP Foundation 1.3: 2.12
`Legacy network` Category name in the API: `LEGACY_NETWORK`	Finding description: A legacy network exists in a project. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets compute.googleapis.com/Network Fix this finding	Checks network metadata for existence of the `IPv4Range` property. Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state Real-time scans: Yes	CIS GCP Foundation 1.0: 3.2 CIS GCP Foundation 1.1: 3.2 CIS GCP Foundation 1.2: 3.2 CIS GCP Foundation 1.3: 3.2

Organization Policy vulnerability findings

Vulnerabilities of this detector type all relate to configurations of Organization Policy constraints, and belong to the ORG_POLICY type.

**Table 16.** Org policy scanner
Detector	Summary	Asset scan settings
`Org policy Confidential VM policy` Category name in the API: `ORG_POLICY_CONFIDENTIAL_VM_POLICY`	Finding description: A Compute Engine resource is out of compliance with the `constraints/compute.restrictNonConfidentialComputing` organization policy. For more information about this org policy constraint, see Enforcing organization policy constraints in Confidential VM. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets compute.googleapis.com/Instance Fix this finding	Checks whether the `enableConfidentialCompute` property of a Compute Engine instance is set to `true`. Assets excluded from scans: GKE instances Additional IAM permissions: `permissions/orgpolicy.policy.get` Additional inputs: Reads the effective org policy from the org policy service Real-time scans: No
`Org policy location restriction` Category name in the API: `ORG_POLICY_LOCATION_RESTRICTION`	Finding description: A Compute Engine resource is out of compliance with the `constraints/gcp.resourceLocations` constraint. For more information about this org policy constraint, see Enforcing organization policy constraints. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium Supported assets See below Fix this finding	Checks the `listPolicy` property in the metadata of supported resources for a list of allowed or denied locations. Additional IAM permissions: `permissions/orgpolicy.policy.get` Additional inputs: Reads the effective org policy from the org policy service Real-time scans: No
Supported assets for ORG_POLICY_LOCATION_RESTRICTION Compute Engine compute.googleapis.com/Autoscaler compute.googleapis.com/Address compute.googleapis.com/Commitment compute.googleapis.com/Disk compute.googleapis.com/ForwardingRule compute.googleapis.com/HealthCheck compute.googleapis.com/Image compute.googleapis.com/Instance compute.googleapis.com/InstanceGroup compute.googleapis.com/InstanceGroupManager compute.googleapis.com/InterconnectAttachment compute.googleapis.com/NetworkEndpointGroup compute.googleapis.com/NodeGroup compute.googleapis.com/NodeTemplate compute.googleapis.com/PacketMirroring compute.googleapis.com/RegionBackendService compute.googleapis.com/RegionDisk compute.googleapis.com/ResourcePolicy compute.googleapis.com/Reservation compute.googleapis.com/Router compute.googleapis.com/Snapshot compute.googleapis.com/SslCertificate compute.googleapis.com/Subnetwork compute.googleapis.com/TargetHttpProxy compute.google.apis.com/TargetHttpsProxy compute.googleapis.com/TargetInstance compute.googleapis.com/TargetPool compute.googleapis.com/TargetVpnGateway compute.googleapis.com/UrlMap compute.googleapis.com/VpnGateway compute.googleapis.com/VpnTunnel GKE container.googleapis.com/Cluster container.googleapis.com/NodePool Cloud Storage storage.googleapis.com/Bucket Cloud KMS cloudkms.googleapis.com/CryptoKey¹ cloudkms.googleapis.com/CryptoKeyVersion¹ cloudkms.googleapis.com/ImportJob² cloudkms.googleapis.com/KeyRing¹ Dataproc dataproc.googleapis.com/Cluster BigQuery bigquery.googleapis.com/Dataset Dataflow dataflow.googleapis.com/Job³ Cloud SQL sqladmin.googleapis.com/Instance Cloud Composer composer.googleapis.com/Environment Logging logging.googleapis.com/LogBucket Pub/Sub pubsub.googleapis.com/Topic Vertex AI aiplatform.googleapis.com/BatchPredictionJob aiplatform.googleapis.com/CustomJob aiplatform.googleapis.com/DataLabelingJob aiplatform.googleapis.com/Dataset aiplatform.googleapis.com/Endpoint aiplatform.googleapis.com/HyperparameterTuningJob aiplatform.googleapis.com/Model aiplatform.googleapis.com/SpecialistPool aiplatform.googleapis.com/TrainingPipeline Artifact Registry artifactregistry.googleapis.com/Repository ¹ Because Cloud KMS assets cannot be deleted, the asset is not considered out-of-region if the asset's data has been destroyed. ² Because Cloud KMS import jobs have a controlled lifecycle and cannot be terminated early, an ImportJob is not considered out-of-region if the job is expired and can no longer be used to import keys. ³ Because the lifecycle of Dataflow jobs cannot be managed, a Job is not considered out-of-region once it has reached a terminal state (stopped or drained), where it can no longer be used to process data.

Pub/Sub vulnerability findings

Vulnerabilities of this detector type all relate to Pub/Sub configurations, and belong to the PUBSUB_SCANNER type.

**Table 17.** Pub/Sub scanner
Detector	Summary	Asset scan settings	Compliance standards
`Pubsub CMEK disabled` Category name in the API: `PUBSUB_CMEK_DISABLED`	Finding description: A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium Supported assets pubsub.googleapis.com/Topic Fix this finding	Checks the `kmsKeyName` field for the resource name of your CMEK. Real-time scans: Yes

SQL vulnerability findings

Vulnerabilities of this detector type all relate to Cloud SQL configurations, and belong to the SQL_SCANNER type.

**Table 18.** SQL scanner
Detector	Summary	Asset scan settings	Compliance standards
`Auto backup disabled` Category name in the API: `AUTO_BACKUP_DISABLED`	Finding description: A Cloud SQL database doesn't have automatic backups enabled. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks whether the `backupConfiguration.enabled` property of an Cloud SQL data is set to `true`. Assets excluded from scans: Cloud SQL replicas Additional inputs: Reads IAM allow policies for ancestors from Security Health Analytics asset storage Real-time scans: Yes	CIS GCP Foundation 1.1: 6.7 CIS GCP Foundation 1.2: 6.7 CIS GCP Foundation 1.3: 6.7 NIST 800-53: CP-9 ISO-27001: A.12.3.1
`Public SQL instance` Category name in the API: `PUBLIC_SQL_INSTANCE`	Finding description: A Cloud SQL database instance accepts connections from all IP addresses. Pricing tier: Premium or Standard Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks whether the `authorizedNetworks` property of Cloud SQL instances is set to a single IP address or an IP address range. Real-time scans: Yes	CIS GCP Foundation 1.0: 6.2 CIS GCP Foundation 1.1: 6.5 CIS GCP Foundation 1.2: 6.5 CIS GCP Foundation 1.3: 6.5 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: CA-3, SC-7 ISO-27001: A.8.2.3, A.13.1.3, A.14.1.3
`SSL not enforced` Category name in the API: `SSL_NOT_ENFORCED`	Finding description: A Cloud SQL database instance doesn't require all incoming connections to use SSL. Pricing tier: Premium or Standard Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks whether the `requireSsl` property of the Cloud SQL instance is set to `true`. Real-time scans: Yes	CIS GCP Foundation 1.0: 6.1 CIS GCP Foundation 1.1: 6.4 CIS GCP Foundation 1.2: 6.4 CIS GCP Foundation 1.3: 6.4 PCI-DSS v3.2.1: 4.1 NIST 800-53: SC-7 ISO-27001: A.8.2.3, A.13.2.1, A.14.1.3
`SQL CMEK disabled` Category name in the API: `SQL_CMEK_DISABLED`	Finding description: A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `kmsKeyName` field in the `diskEncryptionKey` object, in instance metadata, for the resource name of your CMEK. Real-time scans: Yes
`SQL contained database authentication` Category name in the API: `SQL_CONTAINED_DATABASE_AUTHENTICATION`	Finding description: The `contained database authentication` database flag for a Cloud SQL for SQL Server instance is not set to `off`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair, `"name"`: `"contained database authentication"`, `"value"`: `"on"` or whether it is enabled by default. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.3.2 CIS GCP Foundation 1.2: 6.3.7 CIS GCP Foundation 1.3: 6.3.7
`SQL cross DB ownership chaining` Category name in the API: `SQL_CROSS_DB_OWNERSHIP_CHAINING`	Finding description: The `cross_db_ownership_chaining` database flag for a Cloud SQL for SQL Server instance is not set to `off`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"cross_db_ownership_chaining"`, `"value": "on"`. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.3.1 CIS GCP Foundation 1.2: 6.3.2 CIS GCP Foundation 1.3: 6.3.2
`SQL external scripts enabled` Category name in the API: `SQL_EXTERNAL_SCRIPTS_ENABLED`	Finding description: The `external scripts enabled` database flag for a Cloud SQL for SQL Server instance is not set to `off`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"external scripts enabled"`, `"value": "off"`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.3.1 CIS GCP Foundation 1.3: 6.3.1
`SQL local infile` Category name in the API: `SQL_LOCAL_INFILE`	Finding description: The `local_infile` database flag for a Cloud SQL for MySQL instance is not set to `off`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"local_infile"`, `"value": "on"`. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.1.2 CIS GCP Foundation 1.2: 6.1.3 CIS GCP Foundation 1.3: 6.1.3
`SQL log checkpoints disabled` Category name in the API: `SQL_LOG_CHECKPOINTS_DISABLED`	Finding description: The `log_checkpoints` database flag for a Cloud SQL for PostgreSQL instance is not set to `on`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"log_checkpoints"`, `"value": "on"`. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.2.1 CIS GCP Foundation 1.2: 6.2.1
`SQL log connections disabled` Category name in the API: `SQL_LOG_CONNECTIONS_DISABLED`	Finding description: The `log_connections` database flag for a Cloud SQL for PostgreSQL instance is not set to `on`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"log_connections"`, `"value": "on"`. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.2.2 CIS GCP Foundation 1.2: 6.2.3 CIS GCP Foundation 1.3: 6.2.2
`SQL log disconnections disabled` Category name in the API: `SQL_LOG_DISCONNECTIONS_DISABLED`	Finding description: The `log_disconnections` database flag for a Cloud SQL for PostgreSQL instance is not set to `on`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"log_disconnections"`, `"value": "on"`. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.2.3 CIS GCP Foundation 1.2: 6.2.4 CIS GCP Foundation 1.3: 6.2.3
`SQL log duration disabled` Category name in the API: `SQL_LOG_DURATION_DISABLED`	Finding description: The `log_duration` database flag for a Cloud SQL for PostgreSQL instance is not set to `on`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"log_duration"`, `"value": "on"`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.2.5
`SQL log error verbosity` Category name in the API: `SQL_LOG_ERROR_VERBOSITY`	Finding description: The `log_error_verbosity` database flag for a Cloud SQL for PostgreSQL instance is not set to `default` or stricter. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks if the `databaseFlags` property of instance metadata for the `log_error_verbosity` field is set to `default` or `terse`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.2.2 CIS GCP Foundation 1.3: 6.2.1
`SQL log lock waits disabled` Category name in the API: `SQL_LOG_LOCK_WAITS_DISABLED`	Finding description: The `log_lock_waits` database flag for a Cloud SQL for PostgreSQL instance is not set to `on`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"log_lock_waits"`, `"value": "on"`. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.2.4 CIS GCP Foundation 1.2: 6.2.6
`SQL log min duration statement enabled` Category name in the API: `SQL_LOG_MIN_DURATION_STATEMENT_ENABLED`	Finding description: The `log_min_duration_statement` database flag for a Cloud SQL for PostgreSQL instance is not set to "-1". Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"log_min_duration_statement"`, `"value": "-1"`. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.2.7 CIS GCP Foundation 1.2: 6.2.16 CIS GCP Foundation 1.3: 6.2.8
`SQL log min error statement` Category name in the API: `SQL_LOG_MIN_ERROR_STATEMENT`	Finding description: The `log_min_error_statement` database flag for a Cloud SQL for PostgreSQL instance is not set appropriately. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks whether the `log_min_error_statement` field of the `databaseFlags` property is set to one of the following values: `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, or the default value `error`. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.2.5
`SQL log min error statement severity` Category name in the API: `SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY`	Finding description: The `log_min_error_statement` database flag for a Cloud SQL for PostgreSQL instance does not have an appropriate severity level. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks whether the `log_min_error_statement` field of the `databaseFlags` property is set to one of the following values: `error`, `log`, `fatal`, or `panic`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.2.14 CIS GCP Foundation 1.3: 6.2.7
`SQL log min messages` Category name in the API: `SQL_LOG_MIN_MESSAGES`	Finding description: The `log_min_messages` database flag for a Cloud SQL for PostgreSQL instance is not set to `warning` or another recommended value. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	To ensure adequate coverage of message types in the logs, issues a finding if the `log_min_messages` field of the `databaseFlags` property is not set to one of the following values: `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, or the default value `warning`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.2.13 CIS GCP Foundation 1.3: 6.2.6
`SQL log executor stats enabled` Category name in the API: `SQL_LOG_EXECUTOR_STATS_ENABLED`	Finding description: The `log_executor_status` database flag for a Cloud SQL for PostgreSQL instance is not set to `off`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks if the `databaseFlags` property of instance metadata for the `log_executor_status` field is set to `on`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.2.11
`SQL log hostname enabled` Category name in the API: `SQL_LOG_HOSTNAME_ENABLED`	Finding description: The `log_hostname` database flag for a Cloud SQL for PostgreSQL instance is not set to `off`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks if the `databaseFlags` property of instance metadata for the `log_hostname` field is set to `on`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.2.8
`SQL log parser stats enabled` Category name in the API: `SQL_LOG_PARSER_STATS_ENABLED`	Finding description: The `log_parser_stats` database flag for a Cloud SQL for PostgreSQL instance is not set to `off`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks if the `databaseFlags` property of instance metadata for the `log_parser_stats` field is set to `on`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.2.9
`SQL log planner stats enabled` Category name in the API: `SQL_LOG_PLANNER_STATS_ENABLED`	Finding description: The `log_planner_stats` database flag for a Cloud SQL for PostgreSQL instance is not set to `off`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks if the `databaseFlags` property of instance metadata for the `log_planner_stats` field is set to `on`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.2.10
`SQL log statement` Category name in the API: `SQL_LOG_STATEMENT`	Finding description: The `log_statement` database flag for a Cloud SQL for PostgreSQL instance is not set to `Ddl` (all data definition statements). Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks if the `databaseFlags` property of instance metadata for the `log_statement` field is set to `Ddl`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.2.7 CIS GCP Foundation 1.3: 6.2.4
`SQL log statement stats enabled` Category name in the API: `SQL_LOG_STATEMENT_STATS_ENABLED`	Finding description: The `log_statement_stats` database flag for a Cloud SQL for PostgreSQL instance is not set to `off`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks if the `databaseFlags` property of instance metadata for the `log_statement_stats` field is set to `on`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.2.12
`SQL log temp files` Category name in the API: `SQL_LOG_TEMP_FILES`	Finding description: The `log_temp_files` database flag for a Cloud SQL for PostgreSQL instance is not set to "0". Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"log_temp_files"`, `"value": "0"`. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.2.6 CIS GCP Foundation 1.2: 6.2.15
`SQL no root password` Category name in the API: `SQL_NO_ROOT_PASSWORD`	Finding description: A Cloud SQL database doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks whether the `rootPassword` property of the root account is empty. Additional IAM permissions: `roles/cloudsql.client` Additional inputs: Queries live instances Real-time scans: No	CIS GCP Foundation 1.0: 6.3 CIS GCP Foundation 1.1: 6.1.1 CIS GCP Foundation 1.2: 6.1.1 CIS GCP Foundation 1.3: 6.1.1 PCI-DSS v3.2.1: 2.1 NIST 800-53: AC-3 ISO-27001: A.8.2.3, A.9.4.2
`SQL public IP` Category name in the API: `SQL_PUBLIC_IP`	Finding description: A Cloud SQL database has a public IP address. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks whether the IP address type of an Cloud SQL database is set to `Primary`, indicating it is public. Real-time scans: Yes	CIS GCP Foundation 1.1: 6.6 CIS GCP Foundation 1.2: 6.6 CIS GCP Foundation 1.3: 6.6
`SQL remote access enabled` Category name in the API: `SQL_REMOTE_ACCESS_ENABLED`	Finding description: The `remote access` database flag for a Cloud SQL for SQL Server instance is not set to `off`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"remote access"`, `"value": "off"`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.3.5 CIS GCP Foundation 1.3: 6.3.5
`SQL skip show database disabled` Category name in the API: `SQL_SKIP_SHOW_DATABASE_DISABLED`	Finding description: The `skip_show_database` database flag for a Cloud SQL for MySQL instance is not set to `on`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"skip_show_database"`, `"value": "on"`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.1.2 CIS GCP Foundation 1.3: 6.1.2
`SQL trace flag 3625` Category name in the API: `SQL_TRACE_FLAG_3625`	Finding description: The `3625 (trace flag)` database flag for a Cloud SQL for SQL Server instance is not set to `on`. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"3625 (trace flag)"`, `"value": "on"`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.3.6
`SQL user connections configured` Category name in the API: `SQL_USER_CONNECTIONS_CONFIGURED`	Finding description: The `user connections` database flag for a Cloud SQL for SQL Server instance is configured. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"user connections"`, `"value": "0"`. Real-time scans: Yes	CIS GCP Foundation 1.2: 6.3.3
`SQL user options configured` Category name in the API: `SQL_USER_OPTIONS_CONFIGURED`	Finding description: The `user options` database flag for a Cloud SQL for SQL Server instance is configured. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Checks the `databaseFlags` property of instance metadata for the key-value pair `"name"`: `"user options"`, `"value": ""` (empty). Real-time scans: Yes	CIS GCP Foundation 1.2: 6.3.4 CIS GCP Foundation 1.3: 6.3.4
`SQL weak root password` Category name in the API: `SQL_WEAK_ROOT_PASSWORD`	Finding description: A Cloud SQL database has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium Supported assets sqladmin.googleapis.com/Instance Fix this finding	Compares the password for the root account of your Cloud SQL database to a list of common passwords. Additional IAM permissions: `roles/cloudsql.client` Additional inputs: Queries live instances Real-time scans: No

Storage vulnerability findings

Vulnerabilities of this detector type all relate to Cloud Storage Buckets configurations, and belong to theSTORAGE_SCANNERtype.

**Table 19.** Storage scanner
Detector	Summary	Asset scan settings	Compliance standards
`Bucket CMEK disabled` Category name in the API: `BUCKET_CMEK_DISABLED`	Finding description: A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium Supported assets storage.googleapis.com/Bucket Fix this finding	Checks the `encryption` field in bucket metadata for the resource name of your CMEK. Real-time scans: Yes
`Bucket policy only disabled` Category name in the API: `BUCKET_POLICY_ONLY_DISABLED`	Finding description: Uniform bucket-level access, previously called Bucket Policy Only, isn't configured. Pricing tier: Premium Supported assets storage.googleapis.com/Bucket Fix this finding	Checks whether the `uniformBucketLevelAccess` property on a bucket is set to `"enabled":false` Real-time scans: Yes	CIS GCP Foundation 1.2: 5.2 CIS GCP Foundation 1.3: 5.2
`Public bucket ACL` Category name in the API: `PUBLIC_BUCKET_ACL`	Finding description: A Cloud Storage bucket is publicly accessible. Pricing tier: Premium or Standard Supported assets storage.googleapis.com/Bucket Fix this finding	Checks the IAM allow policy of a bucket for public roles, `allUsers` or `allAuthenticatedUsers`, with admin or editor privileges. Real-time scans: Yes	CIS GCP Foundation 1.0: 5.1 CIS GCP Foundation 1.1: 5.1 CIS GCP Foundation 1.2: 5.1 CIS GCP Foundation 1.3: 5.1 PCI-DSS v3.2.1: 7.1 NIST 800-53: AC-2 ISO-27001: A.8.2.3, A.14.1.3
`Public log bucket` Category name in the API: `PUBLIC_LOG_BUCKET`	Finding description: A storage bucket used as a log sink is publicly accessible. This finding isn't available for project-level activations. Pricing tier: Premium or Standard Supported assets storage.googleapis.com/Bucket Fix this finding	Checks the IAM allow policy of a bucket for the principals `allUsers` or `allAuthenticatedUsers`, which grant public access. Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket Real-time scans: Yes, but only if IAM policy on bucket changes, not if log sink is changed	PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-9 ISO-27001: A.8.2.3, A.12.4.2, A.18.1.3

Subnetwork vulnerability findings

Vulnerabilities of this detector type all relate to an organization's subnetwork configurations, and belong to theSUBNETWORK_SCANNERtype.

**Table 20.** Subnetwork scanner
Detector	Summary	Asset scan settings	Compliance standards
`Flow logs disabled` Category name in the API: `FLOW_LOGS_DISABLED`	Finding description: There is a VPC subnetwork that has flow logs disabled. Pricing tier: Premium Supported assets compute.googleapis.com/Subnetwork Fix this finding	Checks whether the `enableFlowLogs` property of Compute Engine subnetworks is missing or set to `false`. Assets excluded from scans: Serverless VPC Access, load balancer subnetworks Real-time scans: Yes	CIS GCP Foundation 1.0: 3.9 CIS GCP Foundation 1.1: 3.8 CIS GCP Foundation 1.2: 3.8 PCI-DSS v3.2.1: 10.1, 10.2 NIST 800-53: SI-4 ISO-27001: A.13.1.1
`Flow logs settings not recommended` Category name in the API: `VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED`	Finding description: For a VPC subnetwork, VPC Flow Logs is either off or is not configured according to CIS Benchmark 1.3 recommendations. Pricing tier: Premium Supported assets compute.googleapis.com/Subnetwork Fix this finding	Checks whether the `enableFlowLogs` property of VPC subnetworks is missing or set to `false`. If VPC Flow Logs is enabled, checks the `Aggregation Interval` property set to 5 SEC, the `Include metadata` set to `true`, the `Sample rate` to `100%`. Assets excluded from scans: Serverless VPC Access, load balancer subnetworks Real-time scans: Yes	CIS GCP Foundation 1.3: 3.8
`Private Google access disabled` Category name in the API: `PRIVATE_GOOGLE_ACCESS_DISABLED`	Finding description: There are private subnetworks without access to Google public APIs. Pricing tier: Premium Supported assets storage.googleapis.com/Bucket compute.googleapis.com/Subnetwork Fix this finding	Checks whether the `privateIpGoogleAccess` property of Compute Engine subnetworks is set to `false`. Real-time scans: Yes	CIS GCP Foundation 1.0: 3.8

Web Security Scanner findings

Web Security Scanner custom and managed scans identify the following finding types. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.

**Table 21.** Web Security Scanner findings
Category	Finding description	OWASP 2017 Top 10	OWASP 2021 Top 10
`Accessible Git repository` Category name in the API: `ACCESSIBLE_GIT_REPOSITORY`	A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the GIT repository. Pricing tier: Standard Fix this finding	A5	A01
`Accessible SVN repository` Category name in the API: `ACCESSIBLE_SVN_REPOSITORY`	An SVN repository is exposed publicly. To resolve this finding, remove public unintentional access to the SVN repository. Pricing tier: Standard Fix this finding	A5	A01
`Cacheable password input` Category name in the API: `CACHEABLE_PASSWORD_INPUT`	Passwords entered on the web application can be cached in a regular browser cache instead of a secure password storage. Pricing tier: Premium Fix this finding	A3	A04
`Clear text password` Category name in the API: `CLEAR_TEXT_PASSWORD`	Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password transmitted over the network. Pricing tier: Standard Fix this finding	A3	A02
`Insecure allow origin ends with validation` Category name in the API: `INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION`	A cross-site HTTP or HTTPS endpoint validates only a suffix of the `Origin` request header before reflecting it inside the `Access-Control-Allow-Origin` response header. To resolve this finding, validate that the expected root domain is part of the `Origin` header value before reflecting it in the `Access-Control-Allow-Origin` response header. For subdomain wildcards, prepend the dot to the root domain—for example, `.endsWith(".google.com")`. Pricing tier: Premium Fix this finding	A5	A01
`Insecure allow origin starts with validation` Category name in the API: `INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION`	A cross-site HTTP or HTTPS endpoint validates only a prefix of the `Origin` request header before reflecting it inside the `Access-Control-Allow-Origin` response header. To resolve this finding, validate that the expected domain fully matches the `Origin` header value before reflecting it in the `Access-Control-Allow-Origin` response header—for example, `.equals(".google.com")`. Pricing tier: Premium Fix this finding	A5	A01
`Invalid content type` Category name in the API: `INVALID_CONTENT_TYPE`	A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this finding, set `X-Content-Type-Options` HTTP header with the correct value. Pricing tier: Standard