Security Health Analytics and Web Security Scanner detectors generate vulnerability finding types that are available in Security Command Center.
Detectors and compliance
The following tables describe the detector types and specific vulnerability finding types that Security Health Analytics and Web Security Scanner can generate. You can filter findings by detector name and finding type using the Security Command Center Vulnerabilities tab in the Google Cloud Console.
These tables include a description of the mapping between supported detectors and the best effort mapping to relevant compliance regimes.
The CIS Google Cloud Foundation 1.0 mappings have been reviewed and certified by the Center for Internet Security for alignment for the CIS Google Cloud Computing Foundations Benchmark v1.0.0. Additional compliance mappings are included for reference and are not provided or reviewed by the Payment Card Industry Data Security Standard or the OWASP Foundation. You should refer to CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0), Payment Card Industry Data Security Standard 3.2 (PCI-DSS v3.2), OWASP Top Ten, National Institute of Standards and Technology 800-53 (NIST 800-53), and International Organization for Standardization 27001 (ISO 27001) for how to check for these violations manually.
This functionality is only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification or report of compliance of your products or services with any regulatory or industry benchmarks or standards.
Security Health Analytics
Following are finding types that are identified by Security Health Analytics detectors.
2-Step verification findings
The 2SV_SCANNER detector identifies vulnerabilities related to 2-step verification
for users.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
2SV_NOT_ENFORCED |
There are users who aren't using 2-step verification. | 1.2 | IA-2 | A.9.4.2 |
API key vulnerability findings
The API_KEY_SCANNER detector identifies vulnerabilities related to
API keys used in your cloud deployment.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
API_KEY_APIS_UNRESTRICTED |
There are API keys being used too broadly. To resolve this, limit the API key usage to allow only the APIs needed by the application. | 1.11 | ||||
API_KEY_APPS_UNRESTRICTED |
There are API keys being used in an unrestricted way, allowing use by any untrusted app. | |||||
API_KEY_EXISTS |
A project is using API keys instead of standard authentication. | 1.10 | ||||
API_KEY_NOT_ROTATED |
The API key hasn't been rotated for more than 90 days. | 1.13 |
Compute image vulnerability findings
The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to
Google Cloud image configurations.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
PUBLIC_COMPUTE_IMAGE |
A Compute Engine image is publicly accessible. |
Compute instance vulnerability findings
The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to
Google Cloud instance configurations.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED |
Project-wide SSH keys are used, allowing login to all instances in the project. | 4.2 | ||||
COMPUTE_SECURE_BOOT_DISABLED |
This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits. | 4.8 | ||||
COMPUTE_SERIAL_PORTS_ENABLED |
Serial ports are enabled for an instance, allowing connections to the instance's serial console. | 4.4 | ||||
DISK_CSEK_DISABLED |
Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This
detector requires additional configuration to enable. To enable this detector, apply the
security mark
enforce_customer_supplied_disk_encryption_keys with a value of true
to the assets you want to monitor.
|
4.6 | ||||
FULL_API_ACCESS |
An instance is configured to use the default service account with full access to all Google Cloud APIs. | 4.1 | AC-6 | A.9.2.3 | ||
IP_FORWARDING_ENABLED |
IP forwarding is enabled on instances. | 4.5 | ||||
OS_LOGIN_DISABLED |
OS Login is disabled on this instance. | 4.3 | ||||
PUBLIC_IP_ADDRESS |
An instance has a public IP address. |
1.2.1
1.3.5 |
CA-3
SC-7 |
|||
WEAK_SSL_POLICY |
An instance has a weak SSL policy. | SC-7 | A.14.1.3 |
Container vulnerability findings
These finding types all relate to GKE container configurations,
and belong to the CONTAINER_SCANNER detector type.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
AUTO_REPAIR_DISABLED |
The GKE clusters auto repair feature, which keeps nodes in a healthy, running state, is disabled. | 7.7 | ||||
AUTO_UPGRADE_DISABLED |
GKE clusters auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled. | 7.8 | ||||
CLUSTER_LOGGING_DISABLED |
Logging isn't enabled for a GKE cluster. | 7.1 | ||||
CLUSTER_MONITORING_DISABLED |
Cloud Monitoring is disabled on GKE clusters. | 7.2 |
10.2.2
10.2.7 |
|||
CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED |
Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs. | 7.16 | 1.3 | |||
COS_NOT_USED |
Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely. | 7.9 | 2.2 | |||
IP_ALIAS_DISABLED |
A GKE cluster was created with alias IP ranges disabled. | 7.13 |
1.3.4
1.3.7 |
|||
LEGACY_AUTHORIZATION_ENABLED |
Legacy Authorization is enabled on GKE clusters. | 7.3 | 4.1 | |||
LEGACY_METADATA_ENABLED |
Legacy metadata is enabled on GKE clusters. | |||||
MASTER_AUTHORIZED_NETWORKS_DISABLED |
Master authorized networks is not enabled on GKE clusters. | 7.4 | ||||
NETWORK_POLICY_DISABLED |
Network policy is disabled on GKE clusters. | 7.11 | 1.3 | SC-7 | A.13.1.1 | |
OVER_PRIVILEGED_ACCOUNT |
A service account has overly broad project access in a cluster. | 7.17 | 2.1 |
AC-6
SC-7 |
A.9.2.3 | |
OVER_PRIVILEGED_SCOPES |
A node service account has broad access scopes. | 7.18 | ||||
POD_SECURITY_POLICY_DISABLED |
That PodSecurityPolicy is disabled on a GKE cluster.
|
7.14 | ||||
PRIVATE_CLUSTER_DISABLED |
A GKE cluster has a Private cluster disabled. | 7.15 | ||||
WEB_UI_ENABLED |
The GKE web UI (dashboard) is enabled. | 7.6 |
6.5.8
6.6 |
|||
WORKLOAD_IDENTITY_DISABLED |
Workload Identity is disabled on a GKE cluster. |
Dataset vulnerability findings
Vulnerabilities of this detector type all relate to BigQuery Dataset
configurations, and belong to the DATASET_SCANNER detector type.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
PUBLIC_DATASET |
A dataset is configured to be open to public access. | AC-3 |
A.8.2.3
A.14.1.3 |
DNS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud DNS configurations,
and belong to the DNS_SCANNER detector type.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
DNSSEC_DISABLED |
DNSSEC is disabled for Cloud DNS zones. | 3.3 | A.8.2.3 | |||
RSASHA1_FOR_SIGNING |
RSASHA1 is used for key signing in Cloud DNS zones. |
3.4
3.5 |
Firewall vulnerability findings
Vulnerabilities of this detector type all relate to firewall configurations, and
belong to the FIREWALL_SCANNER detector type.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
FIREWALL_RULE_LOGGING_DISABLED |
Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access. | 10.1 | SI-4 | A.13.1.1 | ||
OPEN_FIREWALL |
A firewall is configured to be open to public access. | 1.2.1 | ||||
OPEN_RDP_PORT |
A firewall is configured to have an open RDP port that allows generic access. | 3.7 | 1.2.1 | SC-7 | A.13.1.1 | |
OPEN_SSH_PORT |
A firewall is configured to have an open SSH port that allows generic access. | 3.6 | 1.2.1 | SC-7 | A.13.1.1 |
IAM vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Identity and Access Management (Cloud IAM)
configuration, and belong to the IAM_SCANNER detector type.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
ADMIN_SERVICE_ACCOUNT |
There is a service account configured with administrator roles. | 1.4 | ||||
KMS_PROJECT_HAS_OWNER |
A user has "Owner" permissions on a project that has cryptographic keys. | 3.5 |
AC-6
SC-12 |
A.9.2.3
A.10.1.2 |
||
KMS_ROLE_SEPARATION |
Separation of duties is not enforced, and a user exists who has any of the: Cloud Key Management Service (Cloud KMS) CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter roles at the same time. | 1.9 | AC-5 |
A.9.2.3
A.10.1.2 |
||
NON_ORG_IAM_MEMBER |
There is a user who isn't using organizational credentials. | 1.1 | 7.1.2 | AC-3 | A.9.2.3 | |
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER |
A user has the Service Account User role at the project level, instead of for a specific service account. | 1.5 | 7.1.2 | AC-6 | A.9.2.3 | |
PRIMITIVE_ROLES_USED |
A user has the primitive role Owner, Writer, or Reader. These roles are too permissive and shouldn't be used. | 7.1.2 | AC-6 | A.9.2.3 | ||
REDIS_ROLE_USED_ON_ORG |
A Redis IAM role is assigned at the organization or folder level. | 8.7 | A.9.2.3 | |||
SERVICE_ACCOUNT_ROLE_SEPARATION |
A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. | 1.7 | AC-5 | |||
SERVICE_ACCOUNT_KEY_NOT_ROTATED |
A service account key hasn't been rotated for more than 90 days. | 1.6 | ||||
USER_MANAGED_SERVICE_ACCOUNT_KEY |
A service account key is managed by a user. | 1.3 |
KMS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud KMS
configurations, and belong to the KMS_SCANNER detector type.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
KMS_KEY_NOT_ROTATED |
Rotation isn't configured on a Cloud KMS encryption key. | 1.8 | SC-12 | A.10.1.2 | ||
TOO_MANY_KMS_USERS |
There are more than 3 users of cryptographic keys. | 3.5.2 | A.9.2.3 |
Logging vulnerability findings
Vulnerabilities of this detector type all relate to logging configurations, and
belong to the LOGGING_SCANNER detector type.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
AUDIT_LOGGING_DISABLED |
Audit logging has been disabled for this resource. | 2.1 | 10.2.3 | AU-2 |
A.12.4.1
A.16.1.7 |
|
BUCKET_LOGGING_DISABLED |
There is a storage bucket without logging enabled. | 5.3 | ||||
LOG_NOT_EXPORTED |
There is a resource that doesn't have an appropriate log sink configured. | 2.2 | 10.2.3 | A.18.1.3 | ||
OBJECT_VERSIONING_DISABLED |
Object versioning isn't enabled on a storage bucket where sinks are configured. | 2.3 | 10.2.3 | |||
PUBLIC_LOG_BUCKET |
Storage buckets used as log sinks should not be publicly accessible. | 10.5 | AU-9 |
A.8.2.3
A.12.4.2 A.18.1.3 |
Monitoring vulnerability findings
Vulnerabilities of this detector type all relate to monitoring configurations,
and belong to the MONITORING_SCANNER type. All Monitoring detector finding
properties will include:
-
The
RecommendedLogFilterto use in creating the log metrics. -
The
QualifiedLogMetricNamesthat cover the conditions listed in the recommended log filter. -
The
AlertPolicyFailureReasonsthat indicate if the project does not have alert policies created for any of the qualified log metrics or the existing alert policies do not have the recommended settings.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
AUDIT_CONFIG_NOT_MONITORED |
Log metrics and alerts aren't configured to monitor Audit Configuration Changes. | 2.5 | ||||
BUCKET_IAM_NOT_MONITORED |
Log metrics and alerts aren't configured to monitor Cloud Storage Cloud IAM permission changes. | 2.10 | 1.3.2 | |||
CUSTOM_ROLE_NOT_MONITORED |
Log metrics and alerts aren't configured to monitor Custom Role changes. | 2.6 | ||||
FIREWALL_NOT_MONITORED |
Log metrics and alerts aren't configured to monitor VPC Network Firewall rule changes. | 2.7 | ||||
NETWORK_NOT_MONITORED |
Log metrics and alerts aren't configured to monitor VPC network changes. | 2.9 | ||||
OWNER_NOT_MONITORED |
Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. | 2.4 | ||||
ROUTE_NOT_MONITORED |
Log metrics and alerts aren't configured to monitor VPC network route changes. | 2.8 | ||||
SQL_INSTANCE_NOT_MONITORED |
Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes. | 2.11 |
Network vulnerability findings
Vulnerabilities of this detector type all relate to an organization's network
configurations, and belong to theNETWORK_SCANNERtype.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
DEFAULT_NETWORK |
The default network exists in a project. | 3.1 | ||||
LEGACY_NETWORK |
A legacy network exists in a project. | 3.2 |
SSH password vulnerability findings
Vulnerabilities of this detector type all relate to passwords, and belong to the
SSH_PASSWORD type.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
WEAK_SSH_PASSWORD |
A resource has a weak SSH password. |
SQL vulnerability findings
Vulnerabilities of this detector type all relate to Cloud SQL
configurations, and belong to the SQL_SCANNER type.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
AUTO_BACKUP_DISABLED |
A Cloud SQL database doesn't have automatic backups enabled. | 10.2.1 | CA-3 | A.12.3.1 | ||
PUBLIC_SQL_INSTANCE |
A Cloud SQL database instance accepts connections from all IP addresses. | 6.2 | 1.2.1 |
CA-3
SC-7 |
A.8.2.3
A.13.1.3 A.14.1.3 |
|
SSL_NOT_ENFORCED |
A Cloud SQL database instance doesn't require all incoming connections to use SSL. | 6.1 | 2.3 | SC-7 |
A.8.2.3
A.13.2.1 A.14.1.3 |
|
SQL_NO_ROOT_PASSWORD |
A Cloud SQL database doesn't have a password configured for the root account. | |||||
SQL_WEAK_ROOT_PASSWORD |
A Cloud SQL database has a weak password configured for the root account. |
Storage vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Storage Buckets
configurations, and belong to theSTORAGE_SCANNERtype.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
BUCKET_POLICY_ONLY_DISABLED |
Uniform bucket-level access, previously called Bucket Policy Only,
isn't configured.
|
|||||
LOGGING_DISABLED |
Logging is disabled for a Cloud Storage bucket. | |||||
PUBLIC_BUCKET_ACL |
A Cloud Storage bucket is publicly accessible. | 5.1 | 7.1 | AC-2 |
A.8.2.3
A.14.1.3 |
Subnetwork vulnerability findings
Vulnerabilities of this detector type all relate to an organization's subnetwork
configurations, and belong to theSUBNETWORK_SCANNERtype.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
FLOW_LOGS_DISABLED |
There is a VPC subnetwork that has flow logs disabled. | 3.9 | SI-4 | A.13.1.1 | ||
PRIVATE_GOOGLE_ACCESS_DISABLED |
There are private subnets without access to Google public APIs. | 3.8 |
Web Security Scanner findings
Following are finding types that are identified by Web Security Scanner custom and managed scans.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
ACCESSIBLE_GIT_REPOSITORY |
A GIT repository is exposed publicly. To resolve this, remove unintentional public access to the GIT repository. | A3 | ||||
ACCESSIBLE_SVN_REPOSITORY |
An SVN repository is exposed publicly. To resolve this, remove public unintentional access to the SVN repository. | A3 | ||||
CLEAR_TEXT_PASSWORD |
Passwords are being transmitted in clear text and can be intercepted. To resolve this, encrypt the password transmitted over the network. | A3 | ||||
INVALID_CONTENT_TYPE |
A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this, set `X-Content-Type-Options` HTTP header with the correct value. | A6 | ||||
INVALID_HEADER |
A security header has a syntax error and will be ignored by browsers. To resolve this, set HTTP security headers correctly. | A6 | ||||
MISMATCHING_SECURITY_HEADER_VALUES |
A security header has duplicated, mismatching values, which results in undefined behavior. To resolve this, set HTTP security headers correctly. | A6 | ||||
MISSPELLED_SECURITY_HEADER_NAME |
A security header is misspelled and will be ignored. To resolve this, set HTTP security headers correctly. | A6 | ||||
MIXED_CONTENT |
Resources are being served over HTTP on an HTTPS page. To resolve this, make sure that all resources are served over HTTPS. | A6 | ||||
OUTDATED_LIBRARY |
A library was detected that has known vulnerabilities. To resolve this, upgrade libraries to a newer version. | A9 | ||||
XSS |
A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this, validate and escape untrusted user-supplied data. | A7 | ||||
XSS_ANGULAR_CALLBACK |
A user-provided string isn't escaped and can be interpolated by AngularJS. To resolve this, validate and escape untrusted user-supplied data handled by Angular framework. | A7 | ||||
XSS_ERROR |
A field in this web application is vulnerable to a cross-site scripting attack. To resolve this, validate and escape untrusted user-supplied data. | A7 |
CIS benchmarks
The Center for Internet Security (CIS) includes the following benchmarks that aren't supported by Web Security Scanner or Security Health Analytics detectors at this time:
| Category | Finding description | CIS GCP Foundation 1.0 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|
BASIC_AUTHENTICATION_ENABLED |
IAM or client certificate authentication should be enabled on Kubernetes Clusters. | 7.10 | ||
CLIENT_CERT_AUTHENTICATION_DISABLED |
Kubernetes Clusters should be created with Client Certificate enabled. | 7.12 | ||
LABELS_NOT_USED |
Labels can be used to breakdown billing information. | 7.5 | ||
PUBLIC_STORAGE_OBJECT |
Storage object ACL should not grant access to AllUsers. | 5.2 | ||
SQL_BROAD_ROOT_LOGIN |
Root access to a SQL database should be limited to allow-listed trusted IPs. | 6.4 |
What's next
- Learn how to use Security Health Analytics and how to use Web Security Scanner.
- Read suggestions for remediating Security Health Analytics findings and remediating Web Security Scanner findings.