Security Health Analytics and Web Security Scanner detectors generate vulnerabilities findings that are available in Security Command Center. Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.
Detectors and compliance
This section describes the mapping between supported detectors and the best effort mapping to relevant compliance standards.
CIS Benchmarks
Security Command Center supports two versions of the CIS Benchmarks for Google Cloud Platform Foundation:
- CIS Google Cloud Computing Foundations Benchmark v1.1.0 (CIS Google Cloud Foundation 1.1)
- CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0)
The CIS Google Cloud Foundation 1.1 and 1.0 mappings have been reviewed and certified by the Center for Internet Security for alignment with CIS Google Cloud Computing Foundations Benchmark v1.1.0 and v1.0.0, respectively.
While both CIS 1.1 and CIS 1.0 are supported, we recommend that you use or transition to CIS 1.1, if possible. CIS 1.1 expands coverage to additional Google Cloud services and refines instructions and guidance for complex benchmarks.
Additional standards
Additional compliance mappings are included for reference and are not provided or reviewed by the Payment Card Industry Data Security Standard or the OWASP Foundation. You should refer to Payment Card Industry Data Security Standard 3.2.1 (PCI-DSS v3.2.1), OWASP Top Ten, National Institute of Standards and Technology 800-53 (NIST 800-53), and International Organization for Standardization 27001 (ISO 27001) for how to check for these violations manually.
This functionality is only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification, or report of compliance of your products or services with any regulatory or industry benchmarks or standards.
For instructions on viewing and exporting compliance reports, see the Compliance section in Using the Security Command Center dashboard.
Security Health Analytics
Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.
Security Health Analytics scans run in three modes:
Batch scan: All detectors are scheduled to run for all enrolled organizations two or more times a day. Detectors run on different schedules to meet specific service level objectives (SLO). To meet 12- and 24-hour SLOs, detectors run batch scans every six hours or 12 hours, respectively. Resource and policy changes that occur in between batch scans are not immediately captured and are applied in the next batch scan. Note: Batch scan schedules are performance objectives, not service guarantees.
Real-time scan: Supported detectors start scans whenever CAI reports a change in an asset's configuration. Findings are immediately written to Security Command Center.
Mixed-mode: Some detectors that support real-time scans might not detect changes in real time in all supported assets. In those cases, configuration changes for some assets are captured immediately and others are captured in batch scans. Exceptions are noted in the tables on this page.
The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by detector name and finding type using the Security Command Center Vulnerabilities tab in the Google Cloud Console.
For instructions on fixing issues and protecting your resources, see Remediating Security Health Analytics findings.
API key vulnerability findings
The API_KEY_SCANNER detector identifies vulnerabilities related to
API keys used in your cloud deployment.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
API_KEY_APIS_UNRESTRICTED
|
Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application. Pricing tier: Premium
Supported assets |
Retrieves the
|
CIS GCP Foundation 1.0: 1.12 CIS GCP Foundation 1.1: 1.14 |
API_KEY_APPS_UNRESTRICTED
|
Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app. Pricing tier: Premium
Supported assets |
Retrieves the
|
CIS GCP Foundation 1.0: 1.11 CIS GCP Foundation 1.1: 1.13 |
API_KEY_EXISTS
|
Finding description: A project is using API keys instead of standard authentication. Pricing tier: Premium
Supported assets |
Retrieves all API keys owned by a project.
|
CIS GCP Foundation 1.0: 1.10 CIS GCP Foundation 1.1: 1.12 |
API_KEY_NOT_ROTATED
|
Finding description: The API key hasn't been rotated for more than 90 days. Pricing tier: Premium
Supported assets |
Retrieves the timestamp contained in the
|
CIS GCP Foundation 1.0: 1.13 CIS GCP Foundation 1.1: 1.15 |
Compute image vulnerability findings
The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to
Google Cloud image configurations.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
PUBLIC_COMPUTE_IMAGE
|
Finding description: A Compute Engine image is publicly accessible. Pricing tier: Premium or Standard
Supported assets |
Checks the IAM policy in resource
metadata for public members,
|
Compute instance vulnerability findings
The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to
Compute Engine instance configurations.
COMPUTE_INSTANCE_SCANNER detectors don't report findings on
Compute Engine instances created by GKE. Such instances have names that
start with "gke-", which users cannot edit. To secure these instances, refer to the
Container vulnerability findings section.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED
|
Finding description: Project-wide SSH keys are used, allowing login to all instances in the project. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 4.2 CIS GCP Foundation 1.1: 4.3 |
COMPUTE_SECURE_BOOT_DISABLED
|
Finding description: This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits. Pricing tier: Premium Supported assets |
Checks the
|
|
COMPUTE_SERIAL_PORTS_ENABLED
|
Finding description: Serial ports are enabled for an instance, allowing connections to the instance's serial console. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 4.4 CIS GCP Foundation 1.1: 4.5 |
DEFAULT_SERVICE_ACCOUNT_USED
|
Finding description: An instance is configured to use the default service account. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 4.1 |
DISK_CMEK_DISABLED
|
Finding description: Disks on this VM are not encrypted with customer- managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
|
DISK_CSEK_DISABLED
|
Finding description: Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 4.6 CIS GCP Foundation 1.1: 4.7 |
FULL_API_ACCESS
|
Finding description: An instance is configured to use the default service account with full access to all Google Cloud APIs. Pricing tier: Premium
Supported assets |
Retrieves the
|
CIS GCP Foundation 1.0: 4.1 CIS GCP Foundation 1.1: 4.2 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3 |
HTTP_LOAD_BALANCER
|
Finding description: An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy. Pricing tier: Premium
Supported assets |
Determines if the
|
PCI-DSS v3.2.1: 2.3 |
IP_FORWARDING_ENABLED
|
Finding description: IP forwarding is enabled on instances. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 4.5 CIS GCP Foundation 1.1: 4.6 |
OS_LOGIN_DISABLED
|
Finding description: OS Login is disabled on this instance. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 4.3 CIS GCP Foundation 1.1: 4.4 |
PUBLIC_IP_ADDRESS
|
Finding description: An instance has a public IP address. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 4.9 PCI-DSS v3.2.1: 1.2.1, 1.3.5 NIST 800-53: CA-3, SC-7 |
SHIELDED_VM_DISABLED
|
Finding description: Shielded VM is disabled on this instance. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 4.8 |
WEAK_SSL_POLICY
|
Finding description: An instance has a weak SSL policy. Pricing tier: Premium
Supported assets |
Checks whether
|
PCI-DSS v3.2.1: 4.1 NIST 800-53: SC-7 ISO-27001: A.14.1.3 |
Container vulnerability findings
These finding types all relate to GKE container configurations,
and belong to the CONTAINER_SCANNER detector type.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
AUTO_REPAIR_DISABLED
|
Finding description: A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.7 PCI-DSS v3.2.1: 2.2 |
AUTO_UPGRADE_DISABLED
|
Finding description: A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.8 PCI-DSS v3.2.1: 2.2 |
CLUSTER_LOGGING_DISABLED
|
Finding description: Logging isn't enabled for a GKE cluster. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 7.1 PCI-DSS v3.2.1: 10.2.2, 10.2.7 |
CLUSTER_MONITORING_DISABLED
|
Finding description: Monitoring is disabled on GKE clusters. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 7.2 PCI-DSS v3.2.1: 10.1, 10.2 |
CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED
|
Finding description: Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 7.1 PCI-DSS v3.2.1: 1.3 |
COS_NOT_USED
|
Finding description: Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.9 PCI-DSS v3.2.1: 2.2 |
IP_ALIAS_DISABLED
|
Finding description: A GKE cluster was created with alias IP ranges disabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 7.1 PCI-DSS v3.2.1: 1.3.4, 1.3.7 |
LEGACY_AUTHORIZATION_ENABLED
|
Finding description: Legacy Authorization is enabled on GKE clusters. Pricing tier: Premium or Standard
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.3 PCI-DSS v3.2.1: 4.1 |
LEGACY_METADATA_ENABLED
|
Finding description: Legacy metadata is enabled on GKE clusters. Pricing tier: Premium
Supported assets |
Checks the
|
|
MASTER_AUTHORIZED_NETWORKS_DISABLED
|
Finding description: Control Plane Authorized Networks is not enabled on GKE clusters. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.4 PCI-DSS v3.2.1: 1.2.1, 1.3.2 |
NETWORK_POLICY_DISABLED
|
Finding description: Network policy is disabled on GKE clusters. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.1 PCI-DSS v3.2.1: 1.3 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
NODEPOOL_BOOT_CMEK_DISABLED
|
Finding description: Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
|
OVER_PRIVILEGED_ACCOUNT
|
Finding description: A service account has overly broad project access in a cluster. Pricing tier: Premium
Supported assets |
Evaluates the
|
CIS GCP Foundation 1.0: 7.1 PCI-DSS v3.2.1: 2.1, 7.1.2 NIST 800-53: AC-6, SC-7 ISO-27001: A.9.2.3 |
OVER_PRIVILEGED_SCOPES
|
Finding description: A node service account has broad access scopes. Pricing tier: Premium
Supported assets |
Checks whether the access scope listed in the
config.oauthScopes property of a node pool is
a limited service account access scope:
https://www.googleapis.com/auth/devstorage.read_only,
https://www.googleapis.com/auth/logging.write,
or
https://www.googleapis.com/auth/monitoring.
|
CIS GCP Foundation 1.0: 7.1 |
POD_SECURITY_POLICY_DISABLED
|
Finding description: PodSecurityPolicy is disabled on a GKE cluster. Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.1 |
PRIVATE_CLUSTER_DISABLED
|
Finding description: A GKE cluster has a Private cluster disabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 7.1 PCI-DSS v3.2.1: 1.3.2 |
WEB_UI_ENABLED
|
Finding description: The GKE web UI (dashboard) is enabled. Pricing tier: Premium or Standard
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 7.6 PCI-DSS v3.2.1: 6.6 |
WORKLOAD_IDENTITY_DISABLED
|
Finding description: Workload Identity is disabled on a GKE cluster. Pricing tier: Premium
Supported assets |
Checks whether the
|
Dataset vulnerability findings
Vulnerabilities of this detector type all relate to BigQuery Dataset
configurations, and belong to the DATASET_SCANNER detector type.
| Detector | Summary | Asset scan settings | Compliance standards |
DATASET_CMEK_DISABLED
|
Finding description: A BigQuery dataset is not configured to use a default customer-managed encryption key (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks whether the
|
|---|---|---|---|
PUBLIC_DATASET
|
Finding description: A dataset is configured to be open to public access. Pricing tier: Premium
Supported assets |
Checks the IAM policy in resource
metadata for public members,
|
PCI-DSS v3.2.1: 7.1 NIST 800-53: AC-2 ISO-27001: A.8.2.3, A.14.1.3 |
DNS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud DNS configurations,
and belong to the DNS_SCANNER detector type.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
DNSSEC_DISABLED
|
Finding description: DNSSEC is disabled for Cloud DNS zones. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.3 CIS GCP Foundation 1.1: 3.3 ISO-27001: A.8.2.3 |
RSASHA1_FOR_SIGNING
|
Finding description: RSASHA1 is used for key signing in Cloud DNS zones. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.4, 3.5 CIS GCP Foundation 1.1: 3.4, 3.5 |
Firewall vulnerability findings
Vulnerabilities of this detector type all relate to firewall configurations, and
belong to the FIREWALL_SCANNER detector type.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
EGRESS_DENY_RULE_NOT_SET
|
Finding description: An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic. Pricing tier: Premium
Supported assets |
Checks whether the
|
PCI-DSS v3.2.1: 7.2 |
FIREWALL_RULE_LOGGING_DISABLED
|
Finding description: Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 10.1, 10.2 NIST 800-53: SI-4 ISO-27001: A.13.1.1 |
OPEN_CASSANDRA_PORT
|
Finding description: A firewall is configured to have an open CASSANDRA port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_CISCOSECURE_WEBSM_PORT
|
Finding description: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access. Pricing tier: Premium or Standard
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_DIRECTORY_SERVICES_PORT
|
Finding description: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access. Pricing tier: Premium or Standard
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_DNS_PORT
|
Finding description: A firewall is configured to have an open DNS port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_ELASTICSEARCH_PORT
|
Finding description: A firewall is configured to have an open ELASTICSEARCH port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_FIREWALL
|
Finding description: A firewall is configured to be open to public access. Pricing tier: Premium or Standard
Supported assets |
Checks the
| PCI-DSS v3.2.1: 1.2.1 |
OPEN_FTP_PORT
|
Finding description: A firewall is configured to have an open FTP port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_HTTP_PORT
|
Finding description: A firewall is configured to have an open HTTP port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_LDAP_PORT
|
Finding description: A firewall is configured to have an open LDAP port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_MEMCACHED_PORT
|
Finding description: A firewall is configured to have an open MEMCACHED port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_MONGODB_PORT
|
Finding description: A firewall is configured to have an open MONGODB port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_MYSQL_PORT
|
Finding description: A firewall is configured to have an open MYSQL port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_NETBIOS_PORT
|
Finding description: A firewall is configured to have an open NETBIOS port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_ORACLEDB_PORT
|
Finding description: A firewall is configured to have an open ORACLEDB port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_POP3_PORT
|
Finding description: A firewall is configured to have an open POP3 port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_POSTGRESQL_PORT
|
Finding description: A firewall is configured to have an open PostgreSQL port that allows generic access. Pricing tier: Premium
Supported assets |
Checks the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_RDP_PORT
|
Finding description: A firewall is configured to have an open RDP port that allows generic access. Pricing tier: Premium or Standard
Supported assets |
Checks the
|
CIS GCP Foundation 1.0: 3.7 CIS GCP Foundation 1.1: 3.7 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_REDIS_PORT
|
Finding description: A firewall is configured to have an open REDIS port that allows generic access. Pricing tier: Premium
Supported assets |
Checks whether the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_SMTP_PORT
|
Finding description: A firewall is configured to have an open SMTP port that allows generic access. Pricing tier: Premium
Supported assets |
Checks whether the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_SSH_PORT
|
Finding description: A firewall is configured to have an open SSH port that allows generic access. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.6 CIS GCP Foundation 1.1: 3.6 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
OPEN_TELNET_PORT
|
Finding description: A firewall is configured to have an open TELNET port that allows generic access. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
PCI-DSS v3.2.1: 1.2.1 NIST 800-53: SC-7 ISO-27001: A.13.1.1 |
IAM vulnerability findings
Vulnerabilities of this detector type all relate to Identity and Access Management (IAM)
configuration, and belong to the IAM_SCANNER detector type.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
ADMIN_SERVICE_ACCOUNT
|
Finding description: A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts. Pricing tier: Premium
Supported assets |
Checks the IAM policy in resource
metadata for any user-created service accounts (indicated
by the prefix iam.gserviceaccount.com),
that are assigned
|
CIS GCP Foundation 1.0: 1.4 CIS GCP Foundation 1.1: 1.5 |
KMS_ROLE_SEPARATION
|
Finding description: Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. Pricing tier: Premium
Supported assets |
Checks IAM policies in resource metadata
and retrieves members assigned any of the following
roles at the same time:
roles/cloudkms.cryptoKeyEncrypterDecrypter,
roles/cloudkms.cryptoKeyEncrypter, and
roles/cloudkms.cryptoKeyDecrypter,
roles/cloudkms.signer,
roles/cloudkms.signerVerifier,
roles/cloudkms.publicKeyViewer.
|
CIS GCP Foundation 1.0: 1.9 CIS GCP Foundation 1.1: 1.11 NIST 800-53: AC-5 ISO-27001: A.9.2.3, A.10.1.2 |
NON_ORG_IAM_MEMBER
|
Finding description: There is a user who isn't using organizational credentials. Per CIS GCP Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector. Pricing tier: Premium or Standard
Supported assets |
Compares @gmail.com email addresses in the
|
CIS GCP Foundation 1.0: 1.1 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-3 ISO-27001: A.9.2.3 |
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
|
Finding description: A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account. Pricing tier: Premium
Supported assets |
Checks the IAM policy in resource
metadata for any members assigned
roles/iam.serviceAccountUser or
roles/iam.serviceAccountTokenCreator at the
project level.
|
CIS GCP Foundation 1.0: 1.5 PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3 |
PRIMITIVE_ROLES_USED
|
Finding description: A user has the basic role, Owner, Writer, or Reader. These roles are too permissive and shouldn't be used. Pricing tier: Premium
Supported assets |
Checks the IAM policy in resource
metadata for any members assigned
|
PCI-DSS v3.2.1: 7.1.2 NIST 800-53: AC-6 ISO-27001: A.9.2.3 |
REDIS_ROLE_USED_ON_ORG
|
Finding description: A Redis IAM role is assigned at the organization or folder level. Pricing tier: Premium
Supported assets
|
Checks the IAM policy in resource
metadata for members assigned
|
PCI-DSS v3.2.1: 7.1.2 ISO-27001: A.9.2.3 |
SERVICE_ACCOUNT_ROLE_SEPARATION
|
Finding description: A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. Pricing tier: Premium
Supported assets |
Checks the IAM policy in resource
metadata for any members assigned both
roles/iam.serviceAccountUser and
roles/iam.serviceAccountAdmin.
|
CIS GCP Foundation 1.0: 1.7 NIST 800-53: AC-5 ISO-27001: A.9.2.3 |
SERVICE_ACCOUNT_KEY_NOT_ROTATED
|
Finding description: A service account key hasn't been rotated for more than 90 days. Pricing tier: Premium
Supported assets |
Evaluates the key creation timestamp captured in the
|
CIS GCP Foundation 1.0: 1.6 |
USER_MANAGED_SERVICE_ACCOUNT_KEY
|
Finding description: A user manages a service account key. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 1.3 |
KMS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud KMS
configurations, and belong to the KMS_SCANNER detector type.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
KMS_KEY_NOT_ROTATED
|
Finding description: Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days. Pricing tier: Premium
Supported assets |
Checks resource metadata for the existence of
|
CIS GCP Foundation 1.0: 1.8 PCI-DSS v3.2.1: 3.5 NIST 800-53: SC-12 ISO-27001: A.10.1.2 |
KMS_PROJECT_HAS_OWNER
|
Finding description: A user has Owner permissions on a project that has cryptographic keys. Pricing tier: Premium
Supported assets |
Checks the IAM policy in project
metadata for members assigned
|
PCI-DSS v3.2.1: 3.5 NIST 800-53: AC-6, SC-12 ISO-27001: A.9.2.3, A.10.1.2 |
KMS_PUBLIC_KEY
|
Finding description: A Cloud KMS cryptographic key is publicly accessible. Pricing tier: Premium
Supported assets |
Checks the IAM policy in resource
metadata for public members,
|
CIS GCP Foundation 1.1: 1.9 |
TOO_MANY_KMS_USERS
|
Finding description: There are more than three users of cryptographic keys. Pricing tier: Premium
Supported assets |
Checks IAM policies for key rings,
projects, and organizations, and retrieves members with
roles that allow them to encrypt, decrypt or sign data using
Cloud KMS keys: roles/owner,
roles/cloudkms.cryptoKeyEncrypterDecrypter,
roles/cloudkms.cryptoKeyEncrypter,
roles/cloudkms.cryptoKeyDecrypter,
roles/cloudkms.signer, and
roles/cloudkms.signerVerifier.
|
PCI-DSS v3.2.1: 3.5.2 ISO-27001: A.9.2.3 |
Logging vulnerability findings
Vulnerabilities of this detector type all relate to logging configurations, and
belong to the LOGGING_SCANNER detector type.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
AUDIT_LOGGING_DISABLED
|
Finding description: Audit logging has been disabled for this resource. Pricing tier: Premium
Supported assets |
Checks the IAM policy in resource
metadata for the existence of an
|
CIS GCP Foundation 1.0: 2.1 CIS GCP Foundation 1.1: 2.1 PCI-DSS v3.2.1: 10.1, 10.2 NIST 800-53: AC-2, AU-2 ISO-27001: A.12.4.1, A.16.1.7 |
BUCKET_LOGGING_DISABLED
|
Finding description: There is a storage bucket without logging enabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 5.3 |
LOCKED_RETENTION_POLICY_NOT_SET
|
Finding description: A locked retention policy is not set for logs. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 2.3 PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-11 ISO-27001: A.12.4.2, A.18.1.3 |
LOG_NOT_EXPORTED
|
Finding description: There is a resource that doesn't have an appropriate log sink configured. Pricing tier: Premium
Supported assets
|
Retrieves a
|
CIS GCP Foundation 1.0: 2.2 CIS GCP Foundation 1.1: 2.2 ISO-27001: A.18.1.3 |
OBJECT_VERSIONING_DISABLED
|
Finding description: Object versioning isn't enabled on a storage bucket where sinks are configured. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 2.3 PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-11 ISO-27001: A.12.4.2, A.18.1.3 |
Monitoring vulnerability findings
Vulnerabilities of this detector type all relate to monitoring configurations,
and belong to the MONITORING_SCANNER type. All Monitoring detector finding
properties include:
-
The
RecommendedLogFilterto use in creating the log metrics. -
The
QualifiedLogMetricNamesthat cover the conditions listed in the recommended log filter. -
The
AlertPolicyFailureReasonsthat indicate if the project does not have alert policies created for any of the qualified log metrics or the existing alert policies don't have the recommended settings.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
AUDIT_CONFIG_NOT_MONITORED
|
Finding description: Log metrics and alerts aren't configured to monitor Audit Configuration changes. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName=\"SetIamPolicy\" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*,
and if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.5 CIS GCP Foundation 1.1: 2.5 |
BUCKET_IAM_NOT_MONITORED
|
Finding description: Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type=gcs_bucket AND
protoPayload.methodName=\"storage.setIamPermissions\".
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.10 CIS GCP Foundation 1.1: 2.10 |
CUSTOM_ROLE_NOT_MONITORED
|
Finding description: Log metrics and alerts aren't configured to monitor Custom Role changes. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type=\"iam_role\" AND
protoPayload.methodName=\"google.iam.admin.v1.CreateRole\"
OR
protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\"
OR
protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\".
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.6 CIS GCP Foundation 1.1: 2.6 |
FIREWALL_NOT_MONITORED
|
Finding description: Log metrics and alerts aren't configured to monitor VPC Network Firewall rule changes. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type=\"gce_firewall_rule\" AND
protoPayload.methodName=\"compute.firewalls.patch\" OR
protoPayload.methodName=\"compute.firewalls.insert\".
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.7 CIS GCP Foundation 1.1: 2.7 |
NETWORK_NOT_MONITORED
|
Finding description: Log metrics and alerts aren't configured to monitor VPC network changes. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type=gce_network AND
protoPayload.methodName=\"compute.networks.insert\" OR
protoPayload.methodName=\"compute.networks.patch\" OR
protoPayload.methodName=\"compute.networks.delete\" OR
protoPayload.methodName=\"compute.networks.removePeering\"
OR
protoPayload.methodName=\"compute.networks.addPeering\".
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.9 CIS GCP Foundation 1.1: 2.9 |
OWNER_NOT_MONITORED
|
Finding description: Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\")
AND (ProjectOwnership OR projectOwnerInvitee) OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action=\"REMOVE\"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\")
OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\"),
and if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.4 CIS GCP Foundation 1.1: 2.4 |
ROUTE_NOT_MONITORED
|
Finding description: Log metrics and alerts aren't configured to monitor VPC network route changes. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type=\"gce_route\" AND
protoPayload.methodName=\"compute.routes.delete\" OR
protoPayload.methodName=\"compute.routes.insert\".
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.8 CIS GCP Foundation 1.1: 2.8 |
SQL_INSTANCE_NOT_MONITORED
|
Finding description: Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes. Pricing tier: Premium
Supported assets |
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName=\"cloudsql.instances.update\",
and if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
CIS GCP Foundation 1.0: 2.11 CIS GCP Foundation 1.1: 2.11 |
Multi-factor authentication findings
The MFA_SCANNER detector identifies vulnerabilities related to multi-factor
authentication for users.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
MFA_NOT_ENFORCED
|
There are users who aren't using 2-step verification. Pricing tier: Premium or Standard
Supported assets |
Evaluates identity management policies in organizations and user settings for managed accounts in Cloud Identity.
|
CIS GCP Foundation 1.0: 1.2 CIS GCP Foundation 1.1: 1.2 PCI-DSS v3.2.1: 8.3 NIST 800-53: IA-2 ISO-27001: A.9.4.2 |
Network vulnerability findings
Vulnerabilities of this detector type all relate to an organization's network
configurations, and belong to theNETWORK_SCANNERtype.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
DEFAULT_NETWORK
|
Finding description: The default network exists in a project. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.1 CIS GCP Foundation 1.1: 3.1 |
LEGACY_NETWORK
|
Finding description: A legacy network exists in a project. Pricing tier: Premium
Supported assets |
Checks network metadata for existence of the
|
CIS GCP Foundation 1.0: 3.2 CIS GCP Foundation 1.1: 3.2 |
Organization Policy vulnerability findings
Vulnerabilities of this detector type all relate to configurations of
Organization Policy
constraints, and belong to the ORG_POLICY type.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
ORG_POLICY_CONFIDENTIAL_VM_POLICY
|
Finding description:
A Compute Engine resource is out of compliance with
the
constraints/compute.restrictNonConfidentialComputing
organization policy. For more information about this org
policy constraint, see
Enforcing organization policy
constraints in Confidential VM.
Pricing tier: Premium
Supported assets |
Checks whether the
|
|
ORG_POLICY_LOCATION_RESTRICTION
|
Finding description:
A Compute Engine resource is out of compliance with
the constraints/gcp.resourceLocations
constraint. For more information about this org policy
constraint, see Enforcing
organization policy constraints.
Pricing tier: Premium
Supported assets |
Checks the
|
|
Supported assets for ORG_POLICY_LOCATION_RESTRICTION
Compute Engine
Cloud Storage
Cloud KMS
Dataproc
BigQuery
Dataflow
Cloud SQL
Cloud Composer
Logging
Pub/Sub
Vertex AI
Artifact Registry 1 Because Cloud KMS assets cannot be deleted, the asset is not considered out-of-region if the asset's data has been destroyed. 2 Because Cloud KMS import jobs have a controlled lifecycle and cannot be terminated early, an ImportJob is not considered out-of-region if the job is expired and can no longer be used to import keys. 3 Because the lifecycle of Dataflow jobs cannot be managed, a Job is not considered out-of-region once it has reached a terminal state (stopped or drained), where it can no longer be used to process data. |
|||
Pub/Sub vulnerability findings
Vulnerabilities of this detector type all relate to Pub/Sub
configurations, and belong to the PUBSUB_SCANNER type.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
PUBSUB_CMEK_DISABLED
|
Finding description: A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
SQL vulnerability findings
Vulnerabilities of this detector type all relate to Cloud SQL
configurations, and belong to the SQL_SCANNER type.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
AUTO_BACKUP_DISABLED
|
Finding description: A Cloud SQL database doesn't have automatic backups enabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 6.7 NIST 800-53: CP-9 ISO-27001: A.12.3.1 |
PUBLIC_SQL_INSTANCE
|
Finding description: A Cloud SQL database instance accepts connections from all IP addresses. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 6.2 CIS GCP Foundation 1.1: 6.5 PCI-DSS v3.2.1: 1.2.1 NIST 800-53: CA-3, SC-7 ISO-27001: A.8.2.3, A.13.1.3, A.14.1.3 |
SSL_NOT_ENFORCED
|
Finding description: A Cloud SQL database instance doesn't require all incoming connections to use SSL. Pricing tier: Premium or Standard
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 6.1 CIS GCP Foundation 1.1: 6.4 PCI-DSS v3.2.1: 4.1 NIST 800-53: SC-7 ISO-27001: A.8.2.3, A.13.2.1, A.14.1.3 |
SQL_CMEK_DISABLED
|
Finding description: A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
|
SQL_CONTAINED_DATABASE_AUTHENTICATION
|
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.3.2 |
SQL_CROSS_DB_OWNERSHIP_CHAINING
|
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.3.1 |
SQL_LOCAL_INFILE
|
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.1.2 |
SQL_LOG_CHECKPOINTS_DISABLED
|
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.1 |
SQL_LOG_CONNECTIONS_DISABLED
|
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.2 |
SQL_LOG_DISCONNECTIONS_DISABLED
|
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.3 |
SQL_LOG_LOCK_WAITS_DISABLED
|
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.4 |
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
|
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.7 |
SQL_LOG_MIN_ERROR_STATEMENT
|
Finding description:
The Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.1: 6.2.5 |
SQL_LOG_TEMP_FILES
|
Finding description:
The Pricing tier: Premium
Supported assets |
Checks the
|
CIS GCP Foundation 1.1: 6.2.6 |
SQL_NO_ROOT_PASSWORD
|
Finding description: A Cloud SQL database doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 6.3 CIS GCP Foundation 1.1: 6.1.1 PCI-DSS v3.2.1: 2.1 NIST 800-53: AC-3 ISO-27001: A.8.2.3, A.9.4.2 |
SQL_PUBLIC_IP
|
Finding description: A Cloud SQL database has a public IP address. Pricing tier: Premium
Supported assets |
Checks whether the IP address type of an
Cloud SQL database is set to
|
CIS GCP Foundation 1.1: 6.6 |
SQL_WEAK_ROOT_PASSWORD
|
Finding description: A Cloud SQL database has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Compares the password for the root account of your Cloud SQL database to a list of common passwords.
|
Storage vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Storage Buckets
configurations, and belong to theSTORAGE_SCANNERtype.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
BUCKET_CMEK_DISABLED
|
Finding description: A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets |
Checks the
|
|
BUCKET_POLICY_ONLY_DISABLED
|
Finding description: Uniform bucket-level access, previously called Bucket Policy Only, isn't configured. Pricing tier: Premium
Supported assets |
Checks whether the
|
|
PUBLIC_BUCKET_ACL
|
Finding description: A Cloud Storage bucket is publicly accessible. Pricing tier: Premium or Standard
Supported assets |
Checks the IAM policy of a bucket for
public roles,
|
CIS GCP Foundation 1.0: 5.1 CIS GCP Foundation 1.1: 5.1 PCI-DSS v3.2.1: 7.1 NIST 800-53: AC-2 ISO-27001: A.8.2.3, A.14.1.3 |
PUBLIC_LOG_BUCKET
|
Finding description: A storage bucket used as a log sink is publicly accessible. Pricing tier: Premium or Standard
Supported assets |
Checks the IAM policy of a bucket for
public members,
|
PCI-DSS v3.2.1: 10.5 NIST 800-53: AU-9 ISO-27001: A.8.2.3, A.12.4.2, A.18.1.3 |
Subnetwork vulnerability findings
Vulnerabilities of this detector type all relate to an organization's subnetwork
configurations, and belong to theSUBNETWORK_SCANNERtype.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
FLOW_LOGS_DISABLED
|
Finding description: There is a VPC subnetwork that has flow logs disabled. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.9 CIS GCP Foundation 1.1: 3.8 PCI-DSS v3.2.1: 10.1, 10.2 NIST 800-53: SI-4 ISO-27001: A.13.1.1 |
PRIVATE_GOOGLE_ACCESS_DISABLED
|
Finding description: There are private subnetworks without access to Google public APIs. Pricing tier: Premium
Supported assets |
Checks whether the
|
CIS GCP Foundation 1.0: 3.8 |
VM Manager
VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine.
If you enable VM Manager and are subscribed to Security Command Center Premium, VM Manager writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in operating systems installed on VMs, including Common Vulnerabilities and Exposures (CVEs).
Vulnerability reports are not available for Security Command Center Standard.
Findings simplify the process of using VM Manager's Patch Compliance feature, which is in preview. The feature lets you conduct patch management at the organization level across all of your projects. Currently, VM Manager supports patch management at the single project level.
VM Manager findings
Vulnerabilities of this type all relate to installed operating system packages in supported Compute Engine VMs.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
OS_VULNERABILITY
|
Finding description: VM Manager detected a vulnerability in the installed operating system (OS) package for a Compute Engine VM. Pricing tier: Premium
Supported assets |
VM Manager's vulnerability reports detail vulnerabilities in installed operating system packages for Compute Engine VMs, including Common Vulnerabilities and Exposures (CVEs).
Findings appear in Security Command Center shortly after vulnerabilities are detected. Vulnerability reports in VM Manager are generated as follows: |
Remediating VM Manager findings
An OS_VULNERABILITY finding indicates that VM Manager found a
vulnerability in the installed operating system packages in a Compute Engine
VM.
To remediate this finding, do the following:
Go to the Findings page in Security Command Center.
Next to View by, select Source type.
In the Source type list, select VM Manager.
The table populates with findings for the source type you selected.
Under category, click the name of a finding.
In the Finding details panel, select Source properties.
To learn more about the vulnerability, note the following fields:
properties: contains a description of the vulnerability and mitigation optionsseverity: the risk level assigned to the findingvulnerability: contains a link to a public CVE repository with more details on the vulnerabilityreferences: contains additional information links, including to industry sourcesid: the CVE ID, for example,CVE-2021-33200; you can use the ID to filter findings and find other VMs impacted by this CVE
To create a patch job for the OS in the Cloud Console, click the link in
external_uri.For instructions on deploying patches, see OS patch management.
Learn about this finding type's supported assets and scan settings.
Disabling VM Manager vulnerability reports
To stop vulnerability reports from being written to Security Command Center, you can disable the OS Config service API for your projects.
Go to OS Config API page in the Cloud Console.
If necessary, select your project.
Click Disable API, and then in the dialog, click Disable.
Web Security Scanner findings
Web Security Scanner custom and managed scans identify the following finding types. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.
| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2.1 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
ACCESSIBLE_GIT_REPOSITORY |
A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the GIT repository. | A3 | ||||
ACCESSIBLE_SVN_REPOSITORY |
An SVN repository is exposed publicly. To resolve this finding, remove public unintentional access to the SVN repository. | A3 | ||||
CLEAR_TEXT_PASSWORD |
Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password transmitted over the network. | A3 | ||||
INVALID_CONTENT_TYPE |
A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this finding, set `X-Content-Type-Options` HTTP header with the correct value. | A6 | ||||
INVALID_HEADER |
A security header has a syntax error and is ignored by browsers. To resolve this finding, set HTTP security headers correctly. | A6 | ||||
MISMATCHING_SECURITY_HEADER_VALUES |
A security header has duplicated, mismatching values, which result in undefined behavior. To resolve this finding, set HTTP security headers correctly. | A6 | ||||
MISSPELLED_SECURITY_HEADER_NAME |
A security header is misspelled and is ignored. To resolve this finding, set HTTP security headers correctly. | A6 | ||||
MIXED_CONTENT |
Resources are being served over HTTP on an HTTPS page. To resolve this finding, make sure that all resources are served over HTTPS. | A6 | ||||
OUTDATED_LIBRARY |
A library was detected that has known vulnerabilities. To resolve this finding, upgrade libraries to a newer version. | A9 | ||||
XSS |
A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data. | A7 | ||||
XSS_ANGULAR_CALLBACK |
A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by Angular framework. | A7 | ||||
XSS_ERROR |
A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data. | A7 |
CIS benchmarks
The Center for Internet Security (CIS) includes the following benchmarks that Web Security Scanner or Security Health Analytics detectors, currently, don't support:
| Category | Finding description | CIS GCP Foundation 1.0 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|
BASIC_AUTHENTICATION_ENABLED |
IAM or client certificate authentication should be enabled on Kubernetes Clusters. | 7.10 | ||
CLIENT_CERT_AUTHENTICATION_DISABLED |
Kubernetes Clusters should be created with Client Certificate enabled. | 7.12 | ||
LABELS_NOT_USED |
Labels can be used to break down billing information. | 7.5 | ||
PUBLIC_STORAGE_OBJECT |
Storage object ACL should not grant access to **allUsers**. | 5.2 | ||
SQL_BROAD_ROOT_LOGIN |
Root access to a SQL database should be limited to allow-listed trusted IPs. | 6.4 |
What's next
- Learn how to use Security Health Analytics and how to use Web Security Scanner.
- Read suggestions for remediating Security Health Analytics findings and remediating Web Security Scanner findings.