Rapid Vulnerability Detection, Security Health Analytics, and Web Security Scanner detectors generate vulnerabilities findings that are available in Security Command Center. When they are enabled in Security Command Center, integrated services, like VM Manager, also generate vulnerability findings.
Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.
Detectors and compliance
This section describes the best-effort mapping between supported detectors and the relevant compliance standards.
CIS Benchmarks
Security Command Center supports the following versions of the CIS Benchmarks for Google Cloud Platform Foundation:
- CIS Google Cloud Computing Foundations Benchmark v1.2.0 (CIS Google Cloud Foundation 1.2)
- CIS Google Cloud Computing Foundations Benchmark v1.1.0 (CIS Google Cloud Foundation 1.1)
- CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0)
The CIS Google Cloud Foundation 1.2, 1.1, and 1.0 mappings have been reviewed and certified by the Center for Internet Security for alignment with CIS Google Cloud Computing Foundations Benchmark v1.2.0, v1.1.0, and v1.0.0, respectively.
While CIS 1.0 and CIS 1.1 are still supported, they will eventually be deprecated. We recommend that you use, or transition to, the latest benchmark, CIS 1.2.
Some detectors are mapped to the CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0 (CIS GKE 1.0). Support for this benchmark is limited and it should not be used as the basis for audits or reporting compliance.
Additional standards
Additional compliance mappings are included for reference and are not provided or reviewed by the Payment Card Industry Data Security Standard or the OWASP Foundation. You should refer to Payment Card Industry Data Security Standard 3.2.1 (PCI-DSS v3.2.1), OWASP Top Ten, National Institute of Standards and Technology 800-53 (NIST 800-53), and International Organization for Standardization 27001 (ISO 27001) for how to check for these violations manually.
This functionality is only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification, or report of compliance of your products or services with any regulatory or industry benchmarks or standards.
For instructions on viewing and exporting compliance reports, see the Compliance section in Using the Security Command Center dashboard.
Security Health Analytics
Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.
Security Health Analytics scans run in three modes:
Batch scan: All detectors are scheduled to run for all enrolled organizations or projects two or more times a day. Detectors run on different schedules to meet specific service level objectives (SLO). To meet 12- and 24-hour SLOs, detectors run batch scans every six hours or 12 hours, respectively. Resource and policy changes that occur in between batch scans are not immediately captured and are applied in the next batch scan. Note: Batch scan schedules are performance objectives, not service guarantees.
Real-time scan: Supported detectors start scans whenever CAI reports a change in an asset's configuration. Findings are immediately written to Security Command Center.
Mixed-mode: Some detectors that support real-time scans might not detect changes in real time in all supported assets. In those cases, configuration changes for some assets are captured immediately and others are captured in batch scans. Exceptions are noted in the tables on this page.
Detector enablement
Not all Security Health Analytics detectors are enabled by default. To turn on inactive detectors, see Enable and disable detectors.
Project-level activation detector support
When Security Command Center is activated at the project level, certain Security Health Analytics Premium detection modules are not supported. To determine if a finding is unsupported with project-level activations as a result, see either of the following:
- Security Health Analytics findings that are unsupported with project-level activations.
- The finding entry in Security Health Analytics findings. A finding is supported, unless the entry states that it is not.
Security Health Analytics findings
The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by detector name and finding type using the Security Command Center Vulnerabilities tab in the Google Cloud console.
For instructions on fixing issues and protecting your resources, see Remediating Security Health Analytics findings.
API key vulnerability findings
The API_KEY_SCANNER detector identifies vulnerabilities related to API keys used in your cloud deployment.

Detector | Summary | Asset scan settings | Compliance standards
---|---|---|---
API key APIs unrestricted | Category name in the API:<br>Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application.<br>Pricing tier: Premium<br>Supported assets: | Retrieves the | CIS GCP Foundation 1.0: 1.12; CIS GCP Foundation 1.1: 1.14; CIS GCP Foundation 1.2: 1.14
API key apps unrestricted | Category name in the API:<br>Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app.<br>Pricing tier: Premium<br>Supported assets: | Retrieves the | CIS GCP Foundation 1.0: 1.11; CIS GCP Foundation 1.1: 1.13; CIS GCP Foundation 1.2: 1.13
API key exists | Category name in the API:<br>Finding description: A project is using API keys instead of standard authentication.<br>Pricing tier: Premium<br>Supported assets: | Retrieves all API keys owned by a project. | CIS GCP Foundation 1.0: 1.10; CIS GCP Foundation 1.1: 1.12; CIS GCP Foundation 1.2: 1.12
API key not rotated | Category name in the API:<br>Finding description: The API key hasn't been rotated for more than 90 days.<br>Pricing tier: Premium<br>Supported assets: | Retrieves the timestamp contained in the | CIS GCP Foundation 1.0: 1.13; CIS GCP Foundation 1.1: 1.15; CIS GCP Foundation 1.2: 1.15
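The four API key conditions above (unrestricted APIs, unrestricted apps, key present at all, key older than 90 days) can be evaluated offline against exported key records. The following is an added example, not Security Command Center code; the record layout it reads (createTime, restrictions.apiTargets and the four *KeyRestrictions fields) is an assumption modelled on the API Keys API v2 Key resource, and the sample keys are constructed.

```python
"""Evaluate API key records against the API_KEY_SCANNER conditions described in
the table.  Added example, not Security Command Center code.  Field names are an
assumption modelled on the API Keys API v2 Key resource."""
from datetime import datetime, timedelta, timezone

# The table says a key is stale when it has not been rotated for more than 90 days.
ROTATION_MAX_AGE = timedelta(days=90)

# Application restrictions; a key with none of these set is usable by any app.
APP_RESTRICTION_FIELDS = (
    "browserKeyRestrictions",
    "serverKeyRestrictions",
    "androidKeyRestrictions",
    "iosKeyRestrictions",
)


def parse_rfc3339(ts):
    """Parse an RFC 3339 UTC timestamp such as 2023-01-15T10:20:30Z (fractional
    seconds, if present, are dropped)."""
    ts = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def evaluate_key(key, now):
    """Return the finding names raised for one API key record."""
    findings = ["API key exists"]  # the mere presence of a key raises this one
    restrictions = key.get("restrictions") or {}
    if not restrictions.get("apiTargets"):
        findings.append("API key APIs unrestricted")
    if not any(restrictions.get(field) for field in APP_RESTRICTION_FIELDS):
        findings.append("API key apps unrestricted")
    if now - parse_rfc3339(key["createTime"]) > ROTATION_MAX_AGE:
        findings.append("API key not rotated")
    return findings


def evaluate_project(keys, now=None):
    """Map each key's display name to its findings; `now` is injectable for tests."""
    now = now or datetime.now(timezone.utc)
    return {key["displayName"]: evaluate_key(key, now) for key in keys}


# Constructed sample records (not real keys).
SAMPLE_KEYS = [
    {
        "displayName": "maps-web",
        "createTime": "2023-01-01T00:00:00Z",
        "restrictions": {
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
        },
    },
    {"displayName": "legacy-key", "createTime": "2022-06-01T00:00:00Z", "restrictions": {}},
]

if __name__ == "__main__":
    scan_time = parse_rfc3339("2023-03-01T00:00:00Z")
    for name, found in evaluate_project(SAMPLE_KEYS, now=scan_time).items():
        print(f"{name}: {found}")
```

Run against a real export, `evaluate_project` gives one finding list per key; a fully restricted, recently created key still produces "API key exists", which matches the table's intent that API keys are a finding in their own right, not only when misconfigured.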
Compute image vulnerability findings
The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to Google Cloud image configurations.

Detector | Summary | Asset scan settings | Compliance standards
---|---|---|---
Public Compute image | Category name in the API:<br>Finding description: A Compute Engine image is publicly accessible.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks the IAM allow policy in resource metadata for the principals | 
Compute instance vulnerability findings
The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to Compute Engine instance configurations.

COMPUTE_INSTANCE_SCANNER detectors don't report findings on Compute Engine instances created by GKE. Such instances have names that start with "gke-", which users cannot edit. To secure these instances, refer to the Container vulnerability findings section.

Detector | Summary | Asset scan settings | Compliance standards
---|---|---|---
Confidential Computing disabled | Category name in the API:<br>Finding description: Confidential Computing is disabled on a Compute Engine instance.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.2: 4.11
Compute project wide SSH keys allowed | Category name in the API:<br>Finding description: Project-wide SSH keys are used, allowing login to all instances in the project.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 4.2; CIS GCP Foundation 1.1: 4.3; CIS GCP Foundation 1.2: 4.3
Compute Secure Boot disabled | Category name in the API:<br>Finding description: This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits.<br>Pricing tier: Premium<br>Supported assets: | Checks the | 
Compute serial ports enabled | Category name in the API:<br>Finding description: Serial ports are enabled for an instance, allowing connections to the instance's serial console.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 4.4; CIS GCP Foundation 1.1: 4.5; CIS GCP Foundation 1.2: 4.5
Default service account used | Category name in the API:<br>Finding description: An instance is configured to use the default service account.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.1: 4.1; CIS GCP Foundation 1.2: 4.1
Disk CMEK disabled | Category name in the API:<br>Finding description: Disks on this VM are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.<br>Pricing tier: Premium<br>Supported assets: | Checks the | 
Disk CSEK disabled | Category name in the API:<br>Finding description: Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 4.6; CIS GCP Foundation 1.1: 4.7; CIS GCP Foundation 1.2: 4.7
Full API access | Category name in the API:<br>Finding description: An instance is configured to use the default service account with full access to all Google Cloud APIs.<br>Pricing tier: Premium<br>Supported assets: | Retrieves the | CIS GCP Foundation 1.0: 4.1; CIS GCP Foundation 1.1: 4.2; CIS GCP Foundation 1.2: 4.2; PCI-DSS v3.2.1: 7.1.2; NIST 800-53: AC-6; ISO-27001: A.9.2.3
HTTP load balancer | Category name in the API:<br>Finding description: An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy. This finding isn't available for project-level activations.<br>Pricing tier: Premium<br>Supported assets: | Determines if the | PCI-DSS v3.2.1: 2.3
IP forwarding enabled | Category name in the API:<br>Finding description: IP forwarding is enabled on instances.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.0: 4.5; CIS GCP Foundation 1.1: 4.6; CIS GCP Foundation 1.2: 4.6
OS login disabled | Category name in the API:<br>Finding description: OS Login is disabled on this instance. This finding isn't available for project-level activations.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 4.3; CIS GCP Foundation 1.1: 4.4; CIS GCP Foundation 1.2: 4.4
Public IP address | Category name in the API:<br>Finding description: An instance has a public IP address.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.1: 4.9; CIS GCP Foundation 1.2: 4.9; PCI-DSS v3.2.1: 1.2.1, 1.3.5; NIST 800-53: CA-3, SC-7
Shielded VM disabled | Category name in the API:<br>Finding description: Shielded VM is disabled on this instance.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.1: 4.8; CIS GCP Foundation 1.2: 4.8
Weak SSL policy | Category name in the API:<br>Finding description: An instance has a weak SSL policy. This finding isn't available for project-level activations.<br>Pricing tier: Premium<br>Supported assets: | Checks whether | CIS GCP Foundation 1.1: 3.9; CIS GCP Foundation 1.2: 3.9; PCI-DSS v3.2.1: 4.1; NIST 800-53: SC-7; ISO-27001: A.14.1.3
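Several of the instance checks above are pure functions of the instance resource, including the rule that instances named "gke-..." are skipped. The following is an added example, not Security Command Center code; the metadata keys (block-project-ssh-keys, serial-port-enable, enable-oslogin), the canIpForward, serviceAccounts, shieldedInstanceConfig and networkInterfaces fields, and the "-compute@developer.gserviceaccount.com" suffix of the default service account are assumptions modelled on the Compute Engine API instance resource, and the sample instances are constructed. Project-level metadata inheritance (for example OS Login enabled on the project rather than the instance) is not modelled.

```python
"""Evaluate Compute Engine instance resources against COMPUTE_INSTANCE_SCANNER
conditions from the table.  Added example, not Security Command Center code.
Field and metadata names are assumptions modelled on the Compute Engine API."""

FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"  # assumed default SA form
TRUTHY = {"true", "1", "y", "yes"}


def metadata_flag(instance, key):
    """True if the instance metadata item `key` is set to a truthy value."""
    for item in (instance.get("metadata") or {}).get("items", []):
        if item.get("key") == key:
            return str(item.get("value", "")).strip().lower() in TRUTHY
    return False


def evaluate_instance(instance):
    """Return the finding names for one instance; GKE-created nodes are skipped,
    as the section says they are left to the container detectors."""
    if instance["name"].startswith("gke-"):
        return []
    findings = []
    if not metadata_flag(instance, "block-project-ssh-keys"):
        findings.append("Compute project wide SSH keys allowed")
    if metadata_flag(instance, "serial-port-enable"):
        findings.append("Compute serial ports enabled")
    if not metadata_flag(instance, "enable-oslogin"):
        findings.append("OS login disabled")
    if instance.get("canIpForward"):
        findings.append("IP forwarding enabled")
    for account in instance.get("serviceAccounts", []):
        if account.get("email", "").endswith(DEFAULT_SA_SUFFIX):
            findings.append("Default service account used")
            if FULL_ACCESS_SCOPE in account.get("scopes", []):
                findings.append("Full API access")
    if not (instance.get("shieldedInstanceConfig") or {}).get("enableSecureBoot"):
        findings.append("Compute Secure Boot disabled")
    for nic in instance.get("networkInterfaces", []):
        # An access config with an external NAT address means a public IP.
        if any(cfg.get("natIP") for cfg in nic.get("accessConfigs", [])):
            findings.append("Public IP address")
            break
    return findings


def evaluate_instances(instances):
    return {inst["name"]: evaluate_instance(inst) for inst in instances}


# Constructed sample instances (not real resources).
SAMPLE_INSTANCES = [
    {   # GKE node: skipped regardless of its configuration
        "name": "gke-prod-default-pool-1a2b",
        "canIpForward": True,
        "serviceAccounts": [{"email": "123456-compute@developer.gserviceaccount.com",
                             "scopes": [FULL_ACCESS_SCOPE]}],
    },
    {
        "name": "bastion",
        "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"},
                               {"key": "serial-port-enable", "value": "1"},
                               {"key": "enable-oslogin", "value": "true"}]},
        "canIpForward": False,
        "serviceAccounts": [{"email": "123456-compute@developer.gserviceaccount.com",
                             "scopes": [FULL_ACCESS_SCOPE]}],
        "shieldedInstanceConfig": {"enableSecureBoot": True},
        "networkInterfaces": [{"accessConfigs": [{"natIP": "203.0.113.10"}]}],
    },
    {
        "name": "internal-app",
        "serviceAccounts": [{"email": "app@demo.iam.gserviceaccount.com",
                             "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}],
        "networkInterfaces": [{}],
    },
]

if __name__ == "__main__":
    for name, found in evaluate_instances(SAMPLE_INSTANCES).items():
        print(f"{name}: {found}")
```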
Container vulnerability findings
These finding types all relate to GKE container configurations, and belong to the CONTAINER_SCANNER detector type.

Detector | Summary | Asset scan settings | Compliance standards
---|---|---|---
Alpha cluster enabled | Category name in the API:<br>Finding description: Alpha cluster features are enabled for a GKE cluster.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GKE 1.0: 6.10.2
Auto repair disabled | Category name in the API:<br>Finding description: A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 7.7; CIS GKE 1.0: 6.5.2; PCI-DSS v3.2.1: 2.2
Auto upgrade disabled | Category name in the API:<br>Finding description: A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 7.8; CIS GKE 1.0: 6.5.3; PCI-DSS v3.2.1: 2.2
Binary authorization disabled | Category name in the API:<br>Finding description: Binary Authorization is disabled on a GKE cluster.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GKE 1.0: 6.10.5
Cluster logging disabled | Category name in the API:<br>Finding description: Logging isn't enabled for a GKE cluster.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.0: 7.1; CIS GKE 1.0: 6.7.1; PCI-DSS v3.2.1: 10.2.2, 10.2.7
Cluster monitoring disabled | Category name in the API:<br>Finding description: Monitoring is disabled on GKE clusters.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.0: 7.2; CIS GKE 1.0: 6.7.1; PCI-DSS v3.2.1: 10.1, 10.2
Cluster private Google access disabled | Category name in the API:<br>Finding description: Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs. This finding isn't available for project-level activations.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.0: 7.1; PCI-DSS v3.2.1: 1.3
Cluster secrets encryption disabled | Category name in the API:<br>Finding description: Application-layer secrets encryption is disabled on a GKE cluster.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GKE 1.0: 6.3.1
Cluster shielded nodes disabled | Category name in the API:<br>Finding description: Shielded GKE nodes are not enabled for a cluster.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GKE 1.0: 6.5.5
COS not used | Category name in the API:<br>Finding description: Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 7.9; CIS GKE 1.0: 6.5.1; PCI-DSS v3.2.1: 2.2
Integrity monitoring disabled | Category name in the API:<br>Finding description: Integrity monitoring is disabled for a GKE cluster.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GKE 1.0: 6.5.6
Intranode visibility disabled | Category name in the API:<br>Finding description: Intranode visibility is disabled for a GKE cluster.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GKE 1.0: 6.6.1
IP alias disabled | Category name in the API:<br>Finding description: A GKE cluster was created with alias IP ranges disabled.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.0: 7.1; CIS GKE 1.0: 6.6.2; PCI-DSS v3.2.1: 1.3.4, 1.3.7
Legacy authorization enabled | Category name in the API:<br>Finding description: Legacy Authorization is enabled on GKE clusters.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 7.3; CIS GKE 1.0: 6.8.3; PCI-DSS v3.2.1: 4.1
Legacy metadata enabled | Category name in the API:<br>Finding description: Legacy metadata is enabled on GKE clusters.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GKE 1.0: 6.4.1
Master authorized networks disabled | Category name in the API:<br>Finding description: Control Plane Authorized Networks is not enabled on GKE clusters.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 7.4; CIS GKE 1.0: 6.6.3; PCI-DSS v3.2.1: 1.2.1, 1.3.2
Network policy disabled | Category name in the API:<br>Finding description: Network policy is disabled on GKE clusters.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 7.1; CIS GKE 1.0: 6.6.7; PCI-DSS v3.2.1: 1.3; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Nodepool boot CMEK disabled | Category name in the API:<br>Finding description: Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.<br>Pricing tier: Premium<br>Supported assets: | Checks the | 
Nodepool secure boot disabled | Category name in the API:<br>Finding description: Secure Boot is disabled for a GKE cluster.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GKE 1.0: 6.5.7
Over privileged account | Category name in the API:<br>Finding description: A service account has overly broad project access in a cluster.<br>Pricing tier: Premium<br>Supported assets: | Evaluates the | CIS GCP Foundation 1.0: 7.1; CIS GKE 1.0: 6.2.1; PCI-DSS v3.2.1: 2.1, 7.1.2; NIST 800-53: AC-6, SC-7; ISO-27001: A.9.2.3
Over privileged scopes | Category name in the API:<br>Finding description: A node service account has broad access scopes.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the access scope listed in the config.oauthScopes property of a node pool is a limited service account access scope: https://www.googleapis.com/auth/devstorage.read_only, https://www.googleapis.com/auth/logging.write, or https://www.googleapis.com/auth/monitoring. | CIS GCP Foundation 1.0: 7.1; CIS GKE 1.0: 6.2.1
Pod security policy disabled | Category name in the API:<br>Finding description: PodSecurityPolicy is disabled on a GKE cluster. This finding isn't available for project-level activations.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 7.1; CIS GKE 1.0: 6.10.3
Private cluster disabled | Category name in the API:<br>Finding description: A GKE cluster has a Private cluster disabled.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.0: 7.1; CIS GKE 1.0: 6.6.5; PCI-DSS v3.2.1: 1.3.2
Release channel disabled | Category name in the API:<br>Finding description: A GKE cluster is not subscribed to a release channel.<br>Pricing tier: Premium<br>Supported assets: | Checks the | CIS GKE 1.0: 6.5.4
Web UI enabled | Category name in the API:<br>Finding description: The GKE web UI (dashboard) is enabled.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 7.6; CIS GKE 1.0: 6.10.1; PCI-DSS v3.2.1: 6.6
Workload Identity disabled | Category name in the API:<br>Finding description: Workload Identity is disabled on a GKE cluster.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GKE 1.0: 6.2.2
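The "Over privileged scopes" row is the one entry in this table whose check is spelled out completely: a node pool's config.oauthScopes must contain only the three limited scopes listed. The following added example (not Security Command Center code) applies that rule to a cluster resource and, in the same pass, the "Auto repair disabled" and "Auto upgrade disabled" conditions. The allowed scope list is taken from the table; the nodePools[].management.autoRepair and autoUpgrade field names are assumptions modelled on the GKE API cluster resource, and the sample cluster is constructed.

```python
"""Check GKE node pools for over-privileged OAuth scopes and disabled node
auto-repair / auto-upgrade.  Added example, not Security Command Center code.
The limited scope set comes from the table; management.* field names are an
assumption modelled on the GKE API cluster resource."""

# The only scopes the table treats as "limited" for a node service account.
LIMITED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring",
})


def over_privileged_scopes(node_pool):
    """Return the sorted scopes on the pool that fall outside the limited set.
    An empty or missing oauthScopes list is compliant (nothing to flag)."""
    scopes = (node_pool.get("config") or {}).get("oauthScopes") or []
    return sorted({scope.strip() for scope in scopes} - LIMITED_SCOPES)


def evaluate_cluster(cluster):
    """Map each node pool name to the finding names raised for it."""
    results = {}
    for pool in cluster.get("nodePools", []):
        findings = []
        if over_privileged_scopes(pool):
            findings.append("Over privileged scopes")
        management = pool.get("management") or {}   # assumed GKE API field
        if not management.get("autoRepair"):
            findings.append("Auto repair disabled")
        if not management.get("autoUpgrade"):
            findings.append("Auto upgrade disabled")
        results[pool["name"]] = findings
    return results


# Constructed sample cluster (not a real resource).
SAMPLE_CLUSTER = {
    "name": "demo-cluster",
    "nodePools": [
        {   # broad scope, no management settings: all three findings
            "name": "default-pool",
            "config": {"oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"]},
            "management": {},
        },
        {   # exactly the limited scopes, repair and upgrade on: clean
            "name": "workers",
            "config": {"oauthScopes": [
                "https://www.googleapis.com/auth/devstorage.read_only",
                "https://www.googleapis.com/auth/logging.write",
                "https://www.googleapis.com/auth/monitoring",
            ]},
            "management": {"autoRepair": True, "autoUpgrade": True},
        },
    ],
}

if __name__ == "__main__":
    for pool, found in evaluate_cluster(SAMPLE_CLUSTER).items():
        print(f"{pool}: {found}")
```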
Dataproc vulnerability findings
Vulnerabilities of this detector type all relate to Dataproc and belong to the DATAPROC_SCANNER detector type.

Detector | Summary | Asset scan settings | Compliance standards
---|---|---|---
Dataproc image outdated | Category name in the API:<br>Finding description: A Dataproc cluster was created with a Dataproc image version that is impacted by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046).<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks whether the | 
Dataset vulnerability findings
Vulnerabilities of this detector type all relate to BigQuery Dataset configurations, and belong to the DATASET_SCANNER detector type.

Detector | Summary | Asset scan settings | Compliance standards
---|---|---|---
BigQuery table CMEK disabled | Category name in the API:<br>Finding description: A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.2: 7.2
Dataset CMEK disabled | Category name in the API:<br>Finding description: A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | 
Public dataset | Category name in the API:<br>Finding description: A dataset is configured to be open to public access.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks the IAM allow policy in resource metadata for the principals | CIS GCP Foundation 1.1: 7.1; CIS GCP Foundation 1.2: 7.1; PCI-DSS v3.2.1: 7.1; NIST 800-53: AC-2; ISO-27001: A.8.2.3, A.14.1.3
DNS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud DNS configurations, and belong to the DNS_SCANNER detector type.

Detector | Summary | Asset scan settings | Compliance standards
---|---|---|---
DNSSEC disabled | Category name in the API:<br>Finding description: DNSSEC is disabled for Cloud DNS zones.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.0: 3.3; CIS GCP Foundation 1.1: 3.3; CIS GCP Foundation 1.2: 3.3; ISO-27001: A.8.2.3
RSASHA1 for signing | Category name in the API:<br>Finding description: RSASHA1 is used for key signing in Cloud DNS zones.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.0: 3.4, 3.5; CIS GCP Foundation 1.1: 3.4, 3.5; CIS GCP Foundation 1.2: 3.4, 3.5
Firewall vulnerability findings
Vulnerabilities of this detector type all relate to firewall configurations, and belong to the FIREWALL_SCANNER detector type.

Detector | Summary | Asset scan settings | Compliance standards
---|---|---|---
Egress deny rule not set | Category name in the API:<br>Finding description: An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic. This finding isn't available for project-level activations.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | PCI-DSS v3.2.1: 7.2
Firewall rule logging disabled | Category name in the API:<br>Finding description: Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 10.1, 10.2; NIST 800-53: SI-4; ISO-27001: A.13.1.1
Open Cassandra port | Category name in the API:<br>Finding description: A firewall is configured to have an open Cassandra port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open ciscosecure websm port | Category name in the API:<br>Finding description: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open directory services port | Category name in the API:<br>Finding description: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open DNS port | Category name in the API:<br>Finding description: A firewall is configured to have an open DNS port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open elasticsearch port | Category name in the API:<br>Finding description: A firewall is configured to have an open ELASTICSEARCH port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open firewall | Category name in the API:<br>Finding description: A firewall is configured to be open to public access.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1
Open FTP port | Category name in the API:<br>Finding description: A firewall is configured to have an open FTP port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open HTTP port | Category name in the API:<br>Finding description: A firewall is configured to have an open HTTP port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open LDAP port | Category name in the API:<br>Finding description: A firewall is configured to have an open LDAP port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open Memcached port | Category name in the API:<br>Finding description: A firewall is configured to have an open MEMCACHED port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open MongoDB port | Category name in the API:<br>Finding description: A firewall is configured to have an open MONGODB port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open MySQL port | Category name in the API:<br>Finding description: A firewall is configured to have an open MYSQL port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open NetBIOS port | Category name in the API:<br>Finding description: A firewall is configured to have an open NETBIOS port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open OracleDB port | Category name in the API:<br>Finding description: A firewall is configured to have an open ORACLEDB port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open pop3 port | Category name in the API:<br>Finding description: A firewall is configured to have an open POP3 port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open PostgreSQL port | Category name in the API:<br>Finding description: A firewall is configured to have an open PostgreSQL port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open RDP port | Category name in the API:<br>Finding description: A firewall is configured to have an open RDP port that allows generic access.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks the | CIS GCP Foundation 1.0: 3.7; CIS GCP Foundation 1.1: 3.7; CIS GCP Foundation 1.2: 3.7; PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open Redis port | Category name in the API:<br>Finding description: A firewall is configured to have an open REDIS port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open SMTP port | Category name in the API:<br>Finding description: A firewall is configured to have an open SMTP port that allows generic access.<br>Pricing tier: Premium<br>Supported assets: | Checks whether the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open SSH port | Category name in the API:<br>Finding description: A firewall is configured to have an open SSH port that allows generic access.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks whether the | CIS GCP Foundation 1.0: 3.6; CIS GCP Foundation 1.1: 3.6; CIS GCP Foundation 1.2: 3.6; PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
Open Telnet port | Category name in the API:<br>Finding description: A firewall is configured to have an open TELNET port that allows generic access.<br>Pricing tier: Premium or Standard<br>Supported assets: | Checks whether the | PCI-DSS v3.2.1: 1.2.1; NIST 800-53: SC-7; ISO-27001: A.13.1.1
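The "Open ... port" rows all share one shape: an ingress allow rule whose source range is the whole internet and whose protocol/port specification covers a well-known service port. The following added example (not Security Command Center code) evaluates VPC firewall rules that way, handling the cases that trip up naive checks: port ranges such as "3000-4000", an allow entry with no ports (which means every port of that protocol), and the protocol "all". The rule layout (direction, sourceRanges, allowed[].IPProtocol, allowed[].ports) is an assumption modelled on the Compute Engine API firewall resource; the port-to-service mapping is the standard IANA assignment rather than anything stated on the page, and covers a subset of the services in the table. The sample rules are constructed.

```python
"""Flag VPC firewall rules that expose well-known service ports to the internet,
in the spirit of the FIREWALL_SCANNER "Open firewall" and "Open ... port"
findings.  Added example, not Security Command Center code.  Rule field names
are an assumption modelled on the Compute Engine API firewall resource."""

PUBLIC_RANGES = {"0.0.0.0/0", "::/0"}

# Assumed IANA default ports for services named in the table (subset).
SENSITIVE_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
    110: "POP3", 139: "NetBIOS", 389: "LDAP", 1521: "OracleDB", 3306: "MySQL",
    3389: "RDP", 5432: "PostgreSQL", 6379: "Redis", 9042: "Cassandra",
    9200: "Elasticsearch", 11211: "Memcached", 27017: "MongoDB",
}


def port_spec_covers(ports, port):
    """True if a GCE ports list (e.g. ["22", "8000-8080"]) covers `port`.
    An empty or missing list means every port of that protocol."""
    if not ports:
        return True
    for spec in ports:
        low, _, high = str(spec).partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate_firewall_rule(rule):
    """Return the finding names raised by one firewall rule."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return []                              # egress and disabled rules are out of scope here
    if not PUBLIC_RANGES & set(rule.get("sourceRanges", [])):
        return []                              # not reachable from the whole internet
    allowed = rule.get("allowed") or []
    if not allowed:
        return []                              # deny-only rule
    findings = ["Open firewall"]               # any internet-wide allow counts as open
    for port, service in sorted(SENSITIVE_PORTS.items()):
        if any(entry.get("IPProtocol", "").lower() in {"tcp", "udp", "all"}
               and port_spec_covers(entry.get("ports"), port) for entry in allowed):
            findings.append(f"Open {service} port")
    return findings


def evaluate_rules(rules):
    return {rule["name"]: evaluate_firewall_rule(rule) for rule in rules}


# Constructed sample rules (not real resources).
SAMPLE_RULES = [
    {"name": "allow-ssh-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-all-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-range-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    # An egress deny of this kind is what the "Egress deny rule not set" row looks for.
    {"name": "deny-egress", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, found in evaluate_rules(SAMPLE_RULES).items():
        print(f"{name}: {found}")
```

The range case is the one worth noticing: a rule that opens 3000-4000 to the internet never names MySQL or RDP, yet it exposes both, so a checker that only string-matches "3306" or "3389" misses it.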
IAM vulnerability findings
Vulnerabilities of this detector type all relate to Identity and Access Management (IAM)
configuration, and belong to the IAM_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards | ||
---|---|---|---|---|---|
Admin service account
Category name in the API: |
Finding description: A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for any user-created service accounts (indicated
by the prefix iam.gserviceaccount.com),
that are assigned
|
CIS GCP Foundation 1.0: 1.4 CIS GCP Foundation 1.1: 1.5 CIS GCP Foundation 1.2: 1.5 |
||
KMS role separation
Category name in the API: |
Finding description: Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks IAM allow policies in resource metadata
and retrieves principals assigned any of the following
roles at the same time:
roles/cloudkms.cryptoKeyEncrypterDecrypter ,
roles/cloudkms.cryptoKeyEncrypter , and
roles/cloudkms.cryptoKeyDecrypter ,
roles/cloudkms.signer ,
roles/cloudkms.signerVerifier ,
roles/cloudkms.publicKeyViewer .
|
CIS GCP Foundation 1.0: 1.9 CIS GCP Foundation 1.1: 1.11 NIST 800-53: AC-5 ISO-27001: A.9.2.3, A.10.1.2 |
||
Non org IAM member
Category name in the API: |
Finding description: There is a user who isn't using organizational credentials. Per CIS GCP Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector. Pricing tier: Premium or Standard
Supported assets |
Compares @gmail.com email addresses in the
|
CIS GCP Foundation 1.0: 1.1 CIS GCP Foundation 1.1: 1.1 CIS GCP Foundation 1.2: 1.1 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-3 ISO-27001: A.9.2.3 |
||
Open group IAM member
Category name in the API: |
Finding description: A Google Groups account that can be joined without approval is used as an IAM allow policy principal. Pricing tier: Premium or Standard
Supported assets |
Checks the IAM
policy in resource
metadata for any bindings
containing a member (principal) that's prefixed with group . If the
group is an open group, Security Health Analytics generates this finding.
|
|||
Over privileged service account user
Category name in the API: |
Finding description: A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for any principals assigned
roles/iam.serviceAccountUser or
roles/iam.serviceAccountTokenCreator at the
project level.
|
CIS GCP Foundation 1.0: 1.5 CIS GCP Foundation 1.1: 1.6 CIS GCP Foundation 1.2: 1.6 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3 |
||
Primitive roles used
Category name in the API: |
Finding description: A user has the basic role, Owner, Writer, or Reader. These roles are too permissive and shouldn't be used. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for any principals assigned
|
PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3 |
||
Redis role used on org
Category name in the API: |
Finding description: A Redis IAM role is assigned at the organization or folder level. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets
|
Checks the IAM allow policy in resource
metadata for principals assigned
|
PCI-DSS v3.2.1: 7.1.2 ISO-27001: A.9.2.3 |
||
Service account role separation
Category name in the API: |
Finding description: A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for any principals assigned both
roles/iam.serviceAccountUser and
roles/iam.serviceAccountAdmin .
|
CIS GCP Foundation 1.0: 1.7 CIS GCP Foundation 1.1: 1.8 CIS GCP Foundation 1.2: 1.8 NIST 800-53: AC-5 ISO-27001: A.9.2.3 |
Service account key not rotated
Category name in the API: |
Finding description: A service account key hasn't been rotated for more than 90 days. Pricing tier: Premium
Supported assets |
Evaluates the key creation timestamp captured in the
|
CIS GCP Foundation 1.0: 1.6 CIS GCP Foundation 1.1: 1.7 CIS GCP Foundation 1.2: 1.7 |
User managed service account key
Category name in the API: |
Finding description: A user manages a service account key. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 1.3 CIS GCP Foundation 1.1: 1.4 CIS GCP Foundation 1.2: 1.4 |
KMS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud KMS
configurations, and belong to the KMS_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
KMS key not rotated
Category name in the API: |
Finding description: Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days. Pricing tier: Premium
Supported assets |
Checks resource metadata for the existence of
|
CIS GCP Foundation 1.0: 1.8 CIS GCP Foundation 1.1: 1.10 CIS GCP Foundation 1.2: 1.10 PCI-DSS v3.2.1: 3.5 NIST 800-53: SC-12 ISO-27001: A.10.1.2 |
KMS project has owner
Category name in the API: |
Finding description: A user has Owner permissions on a project that has cryptographic keys. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in project
metadata for principals assigned
|
CIS GCP Foundation 1.1: 1.11 CIS GCP Foundation 1.2: 1.11 PCI-DSS v3.2.1: 3.5 NIST 800-53: AC-6, SC-12 ISO-27001: A.9.2.3, A.10.1.2 |
KMS public key
Category name in the API: |
Finding description: A Cloud KMS cryptographic key is publicly accessible. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for the principals
|
CIS GCP Foundation 1.1: 1.9 CIS GCP Foundation 1.2: 1.9 |
Too many KMS users
Category name in the API: |
Finding description: There are more than three users of cryptographic keys. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks IAM allow policies for key rings,
projects, and organizations, and retrieves principals with
roles that allow them to encrypt, decrypt or sign data using
Cloud KMS keys: roles/owner ,
roles/cloudkms.cryptoKeyEncrypterDecrypter ,
roles/cloudkms.cryptoKeyEncrypter ,
roles/cloudkms.cryptoKeyDecrypter ,
roles/cloudkms.signer , and
roles/cloudkms.signerVerifier .
|
PCI-DSS v3.2.1: 3.5.2 ISO-27001: A.9.2.3 |
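The IAM and KMS detectors above all reduce to walking IAM allow-policy bindings. The following added example (not Google's detector code, and not part of the original page) evaluates three of them, Over privileged service account user, Service account role separation and Too many KMS users, over constructed sample policies for an organization, a project and a key ring. The policies are in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns; the principals, project and threshold of three are illustrative.

```python
"""Added example: evaluate three Security Health Analytics IAM checks over IAM
allow policies. Not Google's detector code. The policies below are constructed
sample data in the JSON shape returned by
`gcloud projects get-iam-policy PROJECT --format=json`."""
from collections import defaultdict

# Roles the "Too many KMS users" summary lists as allowing encrypt/decrypt/sign.
KMS_USAGE_ROLES = {
    "roles/owner",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.signer",
    "roles/cloudkms.signerVerifier",
}
SA_USER_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}
SEPARATION_PAIR = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountAdmin"}

# Constructed sample policies (hypothetical principals and project).
ORG_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/cloudkms.signer", "members": ["group:sec-team@example.com"]},
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:bob@example.com", "user:carol@example.com"]},
    {"role": "roles/iam.serviceAccountAdmin", "members": ["user:bob@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:dave@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
]}
KEYRING_POLICY = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyDecrypter", "members": ["user:erin@example.com"]},
    {"role": "roles/cloudkms.viewer", "members": ["user:frank@example.com"]},  # view only
]}


def roles_by_principal(policy):
    """Map each principal to the set of roles bound to it in one allow policy.
    Conditional bindings are counted like unconditional ones (conservative)."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out


def over_privileged_sa_users(project_policy):
    """Principals holding Service Account User / Token Creator on the project
    itself rather than on a specific service account."""
    return sorted(p for p, roles in roles_by_principal(project_policy).items()
                  if roles & SA_USER_ROLES)


def role_separation_violations(policy):
    """Principals holding both Service Account Admin and Service Account User."""
    return sorted(p for p, roles in roles_by_principal(policy).items()
                  if SEPARATION_PAIR <= roles)


def kms_users(policies):
    """Distinct principals that can use keys, across every policy in the
    hierarchy (organization, project, key ring) that grants a KMS usage role."""
    users = set()
    for policy in policies:
        for principal, roles in roles_by_principal(policy).items():
            if roles & KMS_USAGE_ROLES:
                users.add(principal)
    return users


def too_many_kms_users(policies, limit=3):
    """True when more than `limit` distinct principals can use the keys."""
    return len(kms_users(policies)) > limit


if __name__ == "__main__":
    hierarchy = [ORG_POLICY, PROJECT_POLICY, KEYRING_POLICY]
    print("Over privileged SA users:", over_privileged_sa_users(PROJECT_POLICY))
    print("Role separation violations:", role_separation_violations(PROJECT_POLICY))
    print("KMS users:", sorted(kms_users(hierarchy)),
          "-> too many:", too_many_kms_users(hierarchy))
```

Note that the KMS count is taken across the whole hierarchy: an Owner granted at the organization counts as a key user for every key ring below it, which is why the sample reports four users even though the key ring policy itself names only one.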
Logging vulnerability findings
Vulnerabilities of this detector type all relate to logging configurations, and
belong to the LOGGING_SCANNER
detector type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Audit logging disabled
Category name in the API: |
Finding description: Audit logging has been disabled for this resource. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks the IAM allow policy in resource
metadata for the existence of an
|
CIS GCP Foundation 1.0: 2.1 CIS GCP Foundation 1.1: 2.1 CIS GCP Foundation 1.2: 2.1 PCI-DSS v3.2.1: 10.1, 10.2 NIST 800-53: AC-2, AU-2 ISO-27001: A.12.4.1, A.16.1.7 |
Bucket logging disabled
Category name in the API: |
Finding description: There is a storage bucket without logging enabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 5.3 |
Locked retention policy not set
Category name in the API: |
Finding description: A locked retention policy is not set for logs. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 2.3 CIS GCP Foundation 1.2: 2.3 PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-11 ISO-27001: A.12.4.2, A.18.1.3 |
Log not exported
Category name in the API: |
Finding description: There is a resource that doesn't have an appropriate log sink configured. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets
|
Retrieves a
|
CIS GCP Foundation 1.0: 2.2 CIS GCP Foundation 1.1: 2.2 CIS GCP Foundation 1.2: 2.2 ISO-27001: A.18.1.3 |
Object versioning disabled
Category name in the API: |
Finding description: Object versioning isn't enabled on a storage bucket where sinks are configured. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 2.3 PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-11 ISO-27001: A.12.4.2, A.18.1.3 |
Monitoring vulnerability findings
Vulnerabilities of this detector type all relate to monitoring configurations,
and belong to the MONITORING_SCANNER
type. All Monitoring detector finding
properties include:
- The RecommendedLogFilter to use in creating the log metrics.
- The QualifiedLogMetricNames that cover the conditions listed in the recommended log filter.
- The AlertPolicyFailureReasons that indicate whether the project does not have alert policies created for any of the qualified log metrics, or the existing alert policies don't have the recommended settings.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Audit config not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Audit Configuration changes. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:* ,
and if resource.type is specified, that the value is global .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.5 CIS GCP Foundation 1.1: 2.5 CIS GCP Foundation 1.2: 2.5 |
Bucket IAM not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type=gcs_bucket AND
protoPayload.methodName="storage.setIamPermissions" .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.10 CIS GCP Foundation 1.1: 2.10 CIS GCP Foundation 1.2: 2.10 |
Custom role not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Custom Role changes. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="iam_role" AND
(protoPayload.methodName="google.iam.admin.v1.CreateRole"
OR
protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR
protoPayload.methodName="google.iam.admin.v1.UpdateRole") .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.6 CIS GCP Foundation 1.1: 2.6 CIS GCP Foundation 1.2: 2.6 |
Firewall not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Virtual Private Cloud (VPC) Network Firewall rule changes. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_firewall_rule"
AND (protoPayload.methodName:"compute.firewalls.insert"
OR protoPayload.methodName:"compute.firewalls.patch"
OR protoPayload.methodName:"compute.firewalls.delete") .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.7 CIS GCP Foundation 1.1: 2.7 CIS GCP Foundation 1.2: 2.7 |
Network not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor VPC network changes. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_network"
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering") .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.9 CIS GCP Foundation 1.1: 2.9 CIS GCP Foundation 1.2: 2.9 |
Owner not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee) OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") ,
and if resource.type is specified, that the value is global .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.4 CIS GCP Foundation 1.1: 2.4 CIS GCP Foundation 1.2: 2.4 |
Route not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor VPC network route changes. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_route"
AND (protoPayload.methodName:"compute.routes.delete"
OR protoPayload.methodName:"compute.routes.insert") .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.8 CIS GCP Foundation 1.1: 2.8 CIS GCP Foundation 1.2: 2.8 |
SQL instance not monitored
|
Finding description: Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName="cloudsql.instances.update"
OR protoPayload.methodName="cloudsql.instances.create"
OR protoPayload.methodName="cloudsql.instances.delete" ,
and if resource.type is specified, that the value is global .
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.11 CIS GCP Foundation 1.1: 2.11 CIS GCP Foundation 1.2: 2.11 |
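The Monitoring detectors all follow the same two-step logic: find a log-based metric whose filter matches the recommended filter, then find an alert policy that references that metric. The following added example (not Google's detector code, and not part of the original page) derives the three finding properties listed above, RecommendedLogFilter, QualifiedLogMetricNames and AlertPolicyFailureReasons, for two of the detectors over constructed sample metrics and alert policies. What counts as a "properly configured" alert policy is not spelled out on the page; this example assumes an enabled policy whose condition filter references the metric and that has at least one notification channel.

```python
"""Added example: derive the Monitoring finding properties for a project's
log-based metrics and alert policies. Not Google's detector code; the metrics
and policies are constructed sample data, and the alert policy checks (enabled,
condition references the metric, at least one notification channel) are this
example's assumption about "properly configured"."""
import re

# Recommended filters quoted from the table above, for two of the detectors.
RECOMMENDED_FILTERS = {
    "Firewall not monitored": (
        'resource.type="gce_firewall_rule" AND '
        '(protoPayload.methodName:"compute.firewalls.insert" OR '
        'protoPayload.methodName:"compute.firewalls.patch" OR '
        'protoPayload.methodName:"compute.firewalls.delete")'
    ),
    "Route not monitored": (
        'resource.type="gce_route" AND '
        '(protoPayload.methodName:"compute.routes.delete" OR '
        'protoPayload.methodName:"compute.routes.insert")'
    ),
}

# Constructed sample: the firewall metric matches modulo whitespace; the route
# metric is missing the insert clause and therefore does not qualify.
METRICS = [
    {"name": "firewall-changes", "filter": """
        resource.type="gce_firewall_rule"
        AND (protoPayload.methodName:"compute.firewalls.insert"
             OR protoPayload.methodName:"compute.firewalls.patch"
             OR protoPayload.methodName:"compute.firewalls.delete")"""},
    {"name": "route-changes", "filter":
        'resource.type="gce_route" AND protoPayload.methodName:"compute.routes.delete"'},
]
POLICIES = [
    {"displayName": "firewall-change-alert", "enabled": True,
     "conditions": [{"filter": 'metric.type="logging.googleapis.com/user/firewall-changes" '
                               'AND resource.type="global"'}],
     "notificationChannels": ["projects/example-project/notificationChannels/123"]},
]

METRIC_REF = re.compile(r'metric\.type\s*=\s*"logging\.googleapis\.com/user/([^"]+)"')


def normalize(log_filter):
    """Collapse whitespace so line breaks in a stored filter do not matter.
    Comparison is otherwise literal: a logically equivalent filter written with
    different parentheses or clause order is NOT treated as a match."""
    return " ".join(log_filter.split())


def qualified_metric_names(metrics, recommended):
    """Names of metrics whose filter equals the recommended filter."""
    want = normalize(recommended)
    return [m["name"] for m in metrics if normalize(m.get("filter", "")) == want]


def references_metric(policy, name):
    """True if any condition of the policy is built on the user metric `name`."""
    for cond in policy.get("conditions", []):
        m = METRIC_REF.search(cond.get("filter", ""))
        if m and m.group(1) == name:
            return True
    return False


def alert_failure_reasons(policies, metric_names):
    reasons = []
    for name in metric_names:
        referencing = [p for p in policies if references_metric(p, name)]
        if not referencing:
            reasons.append(f'no alert policy references metric "{name}"')
        for p in referencing:
            if not p.get("enabled", True):   # API default for a new policy is enabled
                reasons.append(f'alert policy "{p["displayName"]}" is disabled')
            if not p.get("notificationChannels"):
                reasons.append(f'alert policy "{p["displayName"]}" has no notification channels')
    return reasons


def evaluate(detector, metrics, policies):
    recommended = RECOMMENDED_FILTERS[detector]
    names = qualified_metric_names(metrics, recommended)
    reasons = alert_failure_reasons(policies, names)
    return {
        "RecommendedLogFilter": recommended,
        "QualifiedLogMetricNames": names,
        "AlertPolicyFailureReasons": reasons,
        # A finding is raised when no metric matches or any alert check failed.
        "finding": not names or bool(reasons),
    }


if __name__ == "__main__":
    for detector in RECOMMENDED_FILTERS:
        print(detector, "->", evaluate(detector, METRICS, POLICIES))
```

The literal comparison in normalize() is the caveat to remember when triaging these findings: a metric whose filter is logically equivalent to the recommended one but written differently is reported as missing, so the quickest remediation is to create the metric with the filter text exactly as the table gives it.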
Multi-factor authentication findings
The MFA_SCANNER
detector identifies vulnerabilities related to multi-factor
authentication for users.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
MFA not enforced
Category name in the API: |
Finding description: There are users who aren't using 2-step verification. This finding isn't available for project-level activations. Pricing tier: Premium or Standard
Supported assets |
Evaluates identity management policies in organizations and user settings for managed accounts in Cloud Identity.
|
CIS GCP Foundation 1.0: 1.2 CIS GCP Foundation 1.1: 1.2 CIS GCP Foundation 1.2: 1.2 PCI-DSS v3.2.1: 8.3 NIST 800-53: IA-2 ISO-27001: A.9.4.2 |
Network vulnerability findings
Vulnerabilities of this detector type all relate to an organization's network configurations, and belong to the NETWORK_SCANNER type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Default network
Category name in the API: |
Finding description: The default network exists in a project. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.1 CIS GCP Foundation 1.1: 3.1 CIS GCP Foundation 1.2: 3.1 |
DNS logging disabled
Category name in the API: |
Finding description: DNS logging on a VPC network is not enabled. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks all
|
CIS GCP Foundation 1.2: 2.12 |
Legacy network
Category name in the API: |
Finding description: A legacy network exists in a project. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks network metadata for existence of the
|
CIS GCP Foundation 1.0: 3.2 CIS GCP Foundation 1.1: 3.2 CIS GCP Foundation 1.2: 3.2 |
Organization Policy vulnerability findings
Vulnerabilities of this detector type all relate to configurations of
Organization Policy
constraints, and belong to the ORG_POLICY
type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Org policy Confidential VM policy
Category name in the API: |
Finding description: A Compute Engine resource is out of compliance with the constraints/compute.restrictNonConfidentialComputing organization policy. For more information about this org policy constraint, see Enforcing organization policy constraints in Confidential VM. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks whether the
|
|
Org policy location restriction
Category name in the API: |
Finding description: A Compute Engine resource is out of compliance with the constraints/gcp.resourceLocations constraint. For more information about this org policy constraint, see Enforcing organization policy constraints. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets |
Checks the
|
|
Supported assets for ORG_POLICY_LOCATION_RESTRICTION
- Compute Engine
- GKE
- Cloud Storage
- Cloud KMS [1][2]
- Dataproc
- BigQuery
- Dataflow [3]
- Cloud SQL
- Cloud Composer
- Logging
- Pub/Sub
- Vertex AI
- Artifact Registry

[1] Because Cloud KMS assets cannot be deleted, the asset is not considered out-of-region if the asset's data has been destroyed.
[2] Because Cloud KMS import jobs have a controlled lifecycle and cannot be terminated early, an ImportJob is not considered out-of-region if the job is expired and can no longer be used to import keys.
[3] Because the lifecycle of Dataflow jobs cannot be managed, a Job is not considered out-of-region once it has reached a terminal state (stopped or drained), where it can no longer be used to process data.
Pub/Sub vulnerability findings
Vulnerabilities of this detector type all relate to Pub/Sub
configurations, and belong to the PUBSUB_SCANNER
type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Pubsub CMEK disabled
Category name in the API: |
Finding description: A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
SQL vulnerability findings
Vulnerabilities of this detector type all relate to Cloud SQL
configurations, and belong to the SQL_SCANNER
type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Auto backup disabled
Category name in the API: |
Finding description: A Cloud SQL database doesn't have automatic backups enabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 6.7 CIS GCP Foundation 1.2: 6.7 NIST 800-53: CP-9 ISO-27001: A.12.3.1 |
Public SQL instance
Category name in the API: |
Finding description: A Cloud SQL database instance accepts connections from all IP addresses. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 6.2 CIS GCP Foundation 1.1: 6.5 CIS GCP Foundation 1.2: 6.5 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: CA-3, SC-7 ISO-27001: A.8.2.3, A.13.1.3, A.14.1.3 |
SSL not enforced
Category name in the API: |
Finding description: A Cloud SQL database instance doesn't require all incoming connections to use SSL. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 6.1 CIS GCP Foundation 1.1: 6.4 CIS GCP Foundation 1.2: 6.4 PCI-DSS v3.2.1: 4.1 NIST 800-53: SC-7 ISO-27001: A.8.2.3, A.13.2.1, A.14.1.3 |
SQL CMEK disabled
Category name in the API: |
Finding description: A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
|
SQL contained database authentication
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.3.2 CIS GCP Foundation 1.2: 6.3.7 |
SQL cross DB ownership chaining
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.3.1 CIS GCP Foundation 1.2: 6.3.2 |
SQL external scripts enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.3.1 |
SQL local infile
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.1.2 CIS GCP Foundation 1.2: 6.1.3 |
SQL log checkpoints disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.1 CIS GCP Foundation 1.2: 6.2.1 |
SQL log connections disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.2 CIS GCP Foundation 1.2: 6.2.3 |
SQL log disconnections disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.3 CIS GCP Foundation 1.2: 6.2.4 |
SQL log duration disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.2.5 |
SQL log error verbosity
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.2 |
SQL log lock waits disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.4 CIS GCP Foundation 1.2: 6.2.6 |
SQL log min duration statement enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.7 CIS GCP Foundation 1.2: 6.2.16 |
SQL log min error statement
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 6.2.5 |
SQL log min error statement severity
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.2: 6.2.14 |
SQL log min messages
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.2: 6.2.13 |
SQL log executor stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.11 |
SQL log hostname enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.8 |
SQL log parser stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.9 |
SQL log planner stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.10 |
SQL log statement
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.7 |
SQL log statement stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks if the
|
CIS GCP Foundation 1.2: 6.2.12 |
SQL log temp files
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.6 CIS GCP Foundation 1.2: 6.2.15 |
SQL no root password
Category name in the API: |
Finding description: A Cloud SQL database doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 6.3 CIS GCP Foundation 1.1: 6.1.1 CIS GCP Foundation 1.2: 6.1.1 PCI-DSS v3.2.1: 2.1 NIST 800-53: AC-3 ISO-27001: A.8.2.3, A.9.4.2 |
SQL public IP
Category name in the API: |
Finding description: A Cloud SQL database has a public IP address. Pricing tier: Premium
Supported assets |
Checks whether the IP address type of a Cloud SQL database is set to
|
CIS GCP Foundation 1.1: 6.6 CIS GCP Foundation 1.2: 6.6 |
SQL remote access enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.3.5 |
SQL skip show database disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.1.2 |
SQL trace flag 3625
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.3.6 |
SQL user connections configured
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.3.3 |
SQL user options configured
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.2: 6.3.4 |
SQL weak root password
Category name in the API: |
Finding description: A Cloud SQL database has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Compares the password for the root account of your Cloud SQL database to a list of common passwords.
|
Storage vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Storage bucket configurations, and belong to the STORAGE_SCANNER type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Bucket CMEK disabled
Category name in the API: |
Finding description: A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
|
Bucket policy only disabled
Category name in the API: |
Finding description: Uniform bucket-level access, previously called Bucket Policy Only, isn't configured. Pricing tier: Premium
Supported assets |
Checks whether the
|
|
Public bucket ACL
Category name in the API: |
Finding description: A Cloud Storage bucket is publicly accessible. Pricing tier: Premium or Standard
Supported assets |
Checks the IAM allow policy of a bucket for
public roles,
|
CIS GCP Foundation 1.0: 5.1 CIS GCP Foundation 1.1: 5.1 CIS GCP Foundation 1.2: 5.1 PCI-DSS v3.2.1: 7.1 NIST 800-53: AC-2 ISO-27001: A.8.2.3, A.14.1.3 |
Public log bucket
Category name in the API: |
Finding description: A storage bucket used as a log sink is publicly accessible. This finding isn't available for project-level activations. Pricing tier: Premium or Standard
Supported assets |
Checks the IAM allow policy of a bucket for
the principals
|
PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-9 ISO-27001: A.8.2.3, A.12.4.2, A.18.1.3 |
Subnetwork vulnerability findings
Vulnerabilities of this detector type all relate to an organization's subnetwork configurations, and belong to the SUBNETWORK_SCANNER type.
Detector | Summary | Asset scan settings | Compliance standards |
---|---|---|---|
Flow logs disabled
Category name in the API: |
Finding description: There is a VPC subnetwork that has flow logs disabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.9 CIS GCP Foundation 1.1: 3.8 CIS GCP Foundation 1.2: 3.8 PCI-DSS v3.2.1: 10.1, 10.2 NIST 800-53: SI-4 ISO-27001: A.13.1.1 |
Private Google access disabled
Category name in the API: |
Finding description: There are private subnetworks without access to Google public APIs. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.8 |
Web Security Scanner findings
Web Security Scanner custom and managed scans identify the following finding types. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.
Category | Finding description | OWASP 2017 Top 10 | OWASP 2021 Top 10 |
---|---|---|---|
Accessible Git repository
Category name in the API: |
A Git repository is exposed publicly. To resolve this finding, remove
unintentional public access to the Git repository.
Pricing tier: Standard |
A5 | A01 |
Accessible SVN repository
Category name in the API: |
An SVN repository is exposed publicly. To resolve this finding, remove
unintentional public access to the SVN repository.
Pricing tier: Standard |
A5 | A01 |
Cacheable password input
Category name in the API: |
Passwords entered on the web application can be cached in a regular browser cache instead of
a secure password storage.
Pricing tier: Premium |
A3 | A04 |
Clear text password
Category name in the API: |
Passwords are being transmitted in clear text and can be intercepted. To
resolve this finding, encrypt the password transmitted over the
network.
Pricing tier: Standard |
A3 | A02 |
Insecure allow origin ends with validation
Category name in the API: |
A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header
before reflecting it inside the Access-Control-Allow-Origin response header, so a lookalike
domain such as evilgoogle.com passes the check. To resolve this finding, validate that the
host in the Origin header value is the expected root domain or one of its subdomains before
reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards,
prepend the dot to the root domain, for example, .endsWith(".google.com") .
Pricing tier: Premium |
A5 | A01 |
Insecure allow origin starts with validation
Category name in the API: |
A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header
before reflecting it inside the Access-Control-Allow-Origin response header, so an origin
such as https://www.google.com.attacker.net passes the check. To resolve this
finding, validate that the expected origin fully matches the Origin header value before
reflecting it in the Access-Control-Allow-Origin response header, for example,
.equals("https://www.google.com") .
Pricing tier: Premium |
A5 | A01 |
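The two insecure allow-origin findings above come from treating the Origin header as a plain string. The following added example (not code from the scanner, from Google, or from any scanned application) places both weak checks beside a hardened exact-match check and a hardened subdomain-wildcard check that parses the Origin and compares its host. The trusted root domain example.com, the allowlist and the attacker-controlled origins are hypothetical.

```python
"""Added example: the two insecure Origin checks described above beside
hardened checks. Not code from the scanner or from any scanned application.
ROOT_DOMAIN, ALLOWED_ORIGINS and the probe origins are hypothetical."""
from urllib.parse import urlsplit

ROOT_DOMAIN = "example.com"                                  # hypothetical trusted root
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def insecure_suffix_check(origin):
    """'Insecure allow origin ends with validation': only the suffix is checked,
    so https://evilexample.com is reflected."""
    return origin if origin.endswith(ROOT_DOMAIN) else None


def insecure_prefix_check(origin):
    """'Insecure allow origin starts with validation': only the prefix is checked,
    so https://example.com.attacker.net is reflected."""
    return origin if origin.startswith("https://" + ROOT_DOMAIN) else None


def exact_match_check(origin):
    """Hardened, no wildcards: the whole Origin must equal an allowlisted value."""
    return origin if origin in ALLOWED_ORIGINS else None


def subdomain_check(origin):
    """Hardened subdomain wildcard: parse the Origin and compare the host, not
    the raw string. Rejects non-https schemes, userinfo tricks, the literal
    "null" origin and any host that is not ROOT_DOMAIN or a subdomain of it."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.hostname is None:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None                      # a real Origin header carries none of these
    host = parts.hostname.lower()
    if host == ROOT_DOMAIN or host.endswith("." + ROOT_DOMAIN):
        return origin
    return None


def cors_headers(origin, checker):
    """Response headers for a credentialed cross-origin request. Reflecting an
    attacker origin here, together with Allow-Credentials: true, is what turns
    the weak check into cross-origin theft of the authenticated response."""
    allowed = checker(origin)
    if allowed is None:
        return {}
    return {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                # keep caches from serving one origin's answer to another
    }


if __name__ == "__main__":
    probes = ["https://app.example.com", "https://evilexample.com",
              "https://example.com.attacker.net", "https://app.example.com@attacker.net",
              "http://app.example.com", "null"]
    for check in (insecure_suffix_check, insecure_prefix_check, subdomain_check):
        print(check.__name__, {p: check(p) for p in probes})
```

The userinfo probe (https://app.example.com@attacker.net) is why the hardened check parses rather than pattern-matches: a regex or string comparison anchored on the trusted name still passes it, while urlsplit() reports attacker.net as the host.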
Invalid content type
Category name in the API: |
A resource was loaded that doesn't match the response's Content-Type HTTP
header. To resolve this finding, set X-Content-Type-Options HTTP header
with the correct value.
Pricing tier: Standard |
A6 | A05 |
Invalid header
Category name in the API: |
A security header has a syntax error and is ignored by browsers. To resolve
this finding, set HTTP security headers correctly.
Pricing tier: Standard |
A6 | A05 |
Mismatching security header values
Category name in the API: |
A security header has duplicated, mismatching values, which result in
undefined behavior. To resolve this finding, set HTTP security headers
correctly.
Pricing tier: Standard |
A6 | A05 |
Misspelled security header name
Category name in the API: |
A security header is misspelled and is ignored. To resolve this finding,
set HTTP security headers correctly.
Pricing tier: Standard |
A6 | A05 |
Mixed content
Category name in the API: |
Resources are being served over HTTP on an HTTPS page. To resolve this
finding, make sure that all resources are served over HTTPS.
Pricing tier: Standard |
A6 | A05 |
Outdated library
Category name in the API: |
A library was detected that has known vulnerabilities. To resolve this
finding, upgrade libraries to a newer version.
Pricing tier: Standard |
A9 | A06 |
Server side request forgery
Category name in the API: |
A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an
allowlist to limit the domains and IP addresses that the web application can make requests to.
Pricing tier: Standard |
Not applicable | A10 |
Session ID leak. Category name in the API: | When making a cross-domain request, the web application includes the user's session identifier in its Referer request header. This vulnerability gives the receiving domain access to the session identifier, which can be used to impersonate or uniquely identify the user. Pricing tier: Premium | A2 | A07 |
SQL injection. Category name in the API: | A potential SQL injection vulnerability was detected. To resolve this finding, use parameterized queries to prevent user inputs from influencing the structure of the SQL query. Pricing tier: Premium | A1 | A03 |
Struts insecure deserialization. Category name in the API: | The use of a vulnerable version of Apache Struts was detected. To resolve this finding, upgrade Apache Struts to the latest version. Pricing tier: Premium | A8 | A08 |
XSS. Category name in the API: | A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data. Pricing tier: Standard | A7 | A03 |
XSS angular callback. Category name in the API: | A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by the Angular framework. Pricing tier: Standard | A7 | A03 |
XSS error. Category name in the API: | A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data. Pricing tier: Standard | A7 | A03 |
XXE reflected file leakage. Category name in the API: | An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to leak a file on the host. To resolve this finding, configure your XML parsers to disallow external entities. Pricing tier: Premium | A4 | A05 |
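The SQL injection remediation above says to use parameterized queries so that user input cannot change the structure of the statement. The following is an added example, not code from Google Cloud or from any of the scanners described on this page, that puts the two patterns side by side against a constructed in-memory SQLite table: the string-formatted query lets a quoted input rewrite the WHERE clause, while the bound-parameter query treats the same input purely as a value. The table, row contents and lookup names are assumptions for the demonstration.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Builds the statement by string formatting, so the input becomes part of
    the SQL grammar: this is the pattern the SQL injection finding reports."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Passes the input as a bound parameter. The SQL text is fixed; the driver
    hands the value to the engine separately, so it is only ever compared as
    data and never parsed as SQL."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary name and with a string containing a
    quote and a tautology, and return the number of rows each one yields."""
    conn = make_demo_db()
    ordinary = "alice"
    tautology = "nobody' OR '1'='1"  # constructed input that closes the quote
    return {
        "vulnerable_ordinary": len(find_user_vulnerable(conn, ordinary)),
        "vulnerable_tautology": len(find_user_vulnerable(conn, tautology)),
        "parameterized_ordinary": len(find_user_parameterized(conn, ordinary)),
        "parameterized_tautology": len(find_user_parameterized(conn, tautology)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the difference directly: the formatted query returns every row for the quoted input because the comparison has been turned into `name = 'nobody' OR '1'='1'`, whereas the parameterized query returns nothing, since no user is literally named that string.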
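The XXE remediation above is to configure XML parsers so that external entities are never resolved. As an added example that is not part of this page or of any Google Cloud product, the parser below uses Python's standard-library expat bindings and refuses the DOCTYPE declaration that an external entity would need, with the external-entity callback as a second line of defence for parsers that must accept a DTD. The order document format, element names and the file URI in the constructed malicious sample are assumptions made for the demonstration.

```python
import xml.parsers.expat

# Constructed sample documents (not taken from any real application).
SAFE_DOC = b'<order><item sku="A-100" qty="2"/></order>'
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///tmp/example-secret.txt">]>'
    b'<order><item sku="&ext;" qty="1"/></order>'
)


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML declares a DTD, which is where external
    entities are defined."""


def parse_order_items(data: bytes) -> list[dict]:
    """Return the attributes of every <item> element in an untrusted document.

    The parser is configured so that a DOCTYPE aborts parsing before any
    entity can be declared, and any external entity reference that somehow
    reaches expat is refused rather than fetched.
    """
    items: list[dict] = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Untrusted input has no legitimate reason to carry a DTD.
        raise UnsafeXmlError("DOCTYPE declarations are not accepted")

    def reject_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat fail with an ExpatError instead of
        # opening the URI named by the entity.
        return 0

    def on_start_element(name, attrs):
        if name == "item":
            items.append(dict(attrs))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = on_start_element
    parser.Parse(data, True)
    return items


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_order_items(data)
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return True
    return False


if __name__ == "__main__":
    print(parse_order_items(SAFE_DOC))
    print("malicious sample rejected:", is_rejected(XXE_DOC))
```

Rejecting the DOCTYPE outright is the simplest policy for data that arrives from the network; if an application genuinely needs DTDs, the external-entity handler still stops the parser from reading local files or fetching URLs on the attacker's behalf, and the same two hooks exist in most other XML libraries under different names.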
CIS benchmarks
The Center for Internet Security (CIS) benchmarks include the following checks that Web Security Scanner and Security Health Analytics detectors don't currently support:
Category | Finding description | CIS GCP Foundation 1.0 | NIST 800-53 | ISO-27001 |
---|---|---|---|---|
Basic authentication enabled. Category name in the API: | IAM or client certificate authentication should be enabled on Kubernetes Clusters. | 7.10 | | |
Client cert authentication disabled. Category name in the API: | Kubernetes Clusters should be created with Client Certificate enabled. | 7.12 | | |
Labels not used. Category name in the API: | Labels can be used to break down billing information. | 7.5 | | |
Public storage object. Category name in the API: | Storage object ACL should not grant access to **allUsers**. | 5.2 | | |
SQL broad root login. Category name in the API: | Root access to a SQL database should be limited to allowlisted trusted IPs. | 6.4 | | |
Rapid Vulnerability Detection findings and remediations
Rapid Vulnerability Detection detects weak credentials, incomplete software installations, and other critical vulnerabilities that have a high likelihood of being exploited. The service automatically discovers network endpoints, protocols, open ports, network services, and installed software packages.
Rapid Vulnerability Detection findings are early warnings of vulnerabilities that we recommend you fix immediately.
For information about how to view the findings, see Reviewing findings in Security Command Center.
Rapid Vulnerability Detection scans identify the following finding types.
Finding type | Finding description | OWASP top 10 codes |
---|---|---|
Weak credential findings | | |
WEAK_CREDENTIALS | This detector checks for weak credentials using ncrack brute force methods. Supported services: SSH, RDP, FTP, WordPress, TELNET, POP3, IMAP, VCS, SMB, SMB2, VNC, SIP, REDIS, PSQL, MYSQL, MSSQL, MQTT, MONGODB, WINRM, DICOM. Remediation: Enforce a strong password policy. Create unique credentials for your services and avoid using dictionary words in passwords. | 2021: A07; 2017: A2 |
Exposed interface findings | | |
ELASTICSEARCH_API_EXPOSED | The Elasticsearch API lets callers perform arbitrary queries, write and execute scripts, and add additional documents to the service. Remediation: Remove direct access to the Elasticsearch API by routing requests through an application, or limit access to authenticated users only. For more information, see Security settings in Elasticsearch. | 2021: A01, A05; 2017: A5, A6 |
EXPOSED_GRAFANA_ENDPOINT | In Grafana 8.0.0 to 8.3.0, an endpoint with a directory traversal vulnerability can be reached without authentication, allowing any user to read any file on the server. For more information, see CVE-2021-43798. Remediation: Patch Grafana or upgrade Grafana to a later version. For more information, see Grafana path traversal. | 2021: A06, A07; 2017: A2, A9 |
EXPOSED_METABASE | Versions x.40.0 to x.40.4 of Metabase, an open source data analytics platform, contain a vulnerability in the custom GeoJSON map support that can lead to local file inclusion, including environment variables, because URLs were not validated prior to being loaded. For more information, see CVE-2021-41277. Remediation: Upgrade to maintenance releases 0.40.5 or later or 1.40.5 or later. For more information, see GeoJSON URL validation can expose server files and environment variables to unauthorized users. | 2021: A06; 2017: A3, A9 |
EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT | This detector checks whether sensitive Actuator endpoints of Spring Boot applications are exposed. Some of the default endpoints, like /heapdump, might expose sensitive information. Other endpoints, like /env, might lead to remote code execution. Currently, only /heapdump is checked. Remediation: Disable access to sensitive Actuator endpoints. For more information, see Securing HTTP Endpoints. | 2021: A01, A05; 2017: A5, A6 |
HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API | This detector checks whether the Hadoop Yarn ResourceManager API, which controls the computation and storage resources of a Hadoop cluster, is exposed and allows unauthenticated code execution. Remediation: Use access control lists with the API. | 2021: A01, A05; 2017: A5, A6 |
JAVA_JMX_RMI_EXPOSED | The Java Management Extension (JMX) allows remote monitoring and diagnostics for Java applications. Running JMX with an unprotected Remote Method Invocation (RMI) endpoint allows any remote user to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs. Remediation: To properly configure remote monitoring, see Monitoring and Management Using JMX Technology. | 2021: A01, A05; 2017: A5, A6 |
JUPYTER_NOTEBOOK_EXPOSED_UI | This detector checks whether an unauthenticated Jupyter Notebook is exposed. Jupyter allows remote code execution by design on the host machine. An unauthenticated Jupyter Notebook puts the hosting VM at risk of remote code execution. Remediation: Add token authentication to your Jupyter Notebook server, or use more recent versions of Jupyter Notebook that use token authentication by default. | 2021: A01, A05; 2017: A5, A6 |
KUBERNETES_API_EXPOSED | The Kubernetes API is exposed, and can be accessed by unauthenticated callers. This allows arbitrary code execution on the Kubernetes cluster. Remediation: Require authentication for all API requests. For more information, see the Kubernetes API Authenticating guide. | 2021: A01, A05; 2017: A5, A6 |
UNFINISHED_WORDPRESS_INSTALLATION | This detector checks whether a WordPress installation is unfinished. An unfinished WordPress installation exposes the /wp-admin/install.php page, which allows an attacker to set the admin password and, possibly, compromise the system. Remediation: Complete the WordPress installation. | 2021: A05; 2017: A6 |
UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE | This detector checks for an unauthenticated Jenkins instance by sending a probe ping to the /view/all/newJob endpoint as an anonymous visitor. An authenticated Jenkins instance shows the createItem form, which allows the creation of arbitrary jobs that could lead to remote code execution. Remediation: Follow Jenkins' guide on managing security to block unauthenticated access. | 2021: A01, A05; 2017: A5, A6 |
Vulnerable software findings | | |
APACHE_HTTPD_RCE | A flaw was found in Apache HTTP Server 2.4.49 that allows an attacker to use a path traversal attack to map URLs to files outside the expected document root and see the source of interpreted files, like CGI scripts. This issue is known to be exploited in the wild. This issue affects Apache 2.4.49 and 2.4.50 but not earlier versions. For more information about this vulnerability, see: Remediation: Protect files outside of the document root by configuring the "require all denied" directive in the Apache HTTP Server. | 2021: A01, A06; 2017: A5, A9 |
APACHE_HTTPD_SSRF | Attackers can craft a URI to the Apache web server that causes Remediation: Upgrade the Apache HTTP server to a later version. | 2021: A06, A10; 2017: A9 |
CONSUL_RCE | Attackers can execute arbitrary code on a Consul server because the Consul instance is configured with After the check, Rapid Vulnerability Detection cleans up and deregisters the service by using the Remediation: Set enable-script-checks to | 2021: A05, A06; 2017: A6, A9 |
DRUID_RCE | Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. For more information, see CVE-2021-25646 Detail. Remediation: Upgrade Apache Druid to a later version. | 2021: A05, A06; 2017: A6, A9 |
DRUPAL_RCE | This category includes two vulnerabilities in Drupal. Multiple findings of this type c |