Rapid Vulnerability Detection, Security Health Analytics, and Web Security Scanner detectors generate vulnerability findings that are available in Security Command Center. When they are enabled in Security Command Center, integrated services, like VM Manager, also generate vulnerability findings.
Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.
Detectors and compliance
Security Command Center monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.
For each supported security standard, Security Command Center checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.
CIS reviews and certifies the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.
Security Command Center adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.
With the security posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.
For more information about managing compliance, see Assess and report compliance with security standards.
Security standards supported on Google Cloud
Security Command Center maps detectors for Google Cloud to one or more of the following compliance standards:
- Center for Information Security (CIS) Controls 8.0
- CIS Google Cloud Computing Foundations Benchmark v2.0.0, v1.3.0, v1.2.0, v1.1.0, and v1.0.0
- CIS Kubernetes Benchmark v1.5.1
- Cloud Controls Matrix (CCM) 4
- Health Insurance Portability and Accountability Act (HIPAA)
- International Organization for Standardization (ISO) 27001, 2022 and 2013
- National Institute of Standards and Technology (NIST) 800-53 R5 and R4
- NIST CSF 1.0
- Open Web Application Security Project (OWASP) Top Ten, 2021 and 2017
- Payment Card Industry Data Security Standard (PCI DSS) 4.0 and 3.2.1
- System and Organization Controls (SOC) 2 2017 Trusted Services Criteria (TSC)
Security standards supported on AWS
Security Command Center maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards:
- CIS Amazon Web Services Foundations 2.0.0
- CIS Controls 8.0
- CCM 4
- HIPAA
- ISO 27001 2022
- NIST 800-53 R5
- NIST CSF 1.0
- PCI DSS 4.0 and 3.2.1
- SOC 2 2017 TSC
For instructions on viewing and exporting compliance reports, see the Compliance section in Using Security Command Center in the Google Cloud console.
Finding deactivation after remediation
After you remediate a vulnerability or misconfiguration finding, the
Security Command Center service that detected the finding automatically sets
the state of the finding to INACTIVE the next time the detection service
scans for the finding. How long Security Command Center takes to set a
remediated finding to INACTIVE depends on the schedule of the scan that
detects the finding.
The Security Command Center services also set the state of a vulnerability
or misconfiguration finding to INACTIVE when a scan detects that the
resource that is affected by the finding is deleted.
For more information about scan intervals, see the following topics:
- Security Health Analytics scan types
- Rapid Vulnerability Detection scan latency and interval
- Web Security Scanner scan types
Security Health Analytics findings
Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.
For more information about Security Health Analytics, scan schedules, and the Security Health Analytics support for both built-in and custom module detectors, see Overview of Security Health Analytics.
The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by various attributes by using the Security Command Center Vulnerabilities page in the Google Cloud console.
For instructions on fixing issues and protecting your resources, see Remediating Security Health Analytics findings.
API key vulnerability findings
The API_KEY_SCANNER detector identifies vulnerabilities related to
API keys used in your cloud deployment.
| Detector | Summary | Asset scan settings |
|---|---|---|
API key APIs unrestricted
Category name in the API: |
Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application. Pricing tier: Premium
Supported assets Compliance standards:
|
Retrieves the
|
API key apps unrestricted
Category name in the API: |
Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app. Pricing tier: Premium
Supported assets Compliance standards:
|
Retrieves the
|
API key exists
Category name in the API: |
Finding description: A project is using API keys instead of standard authentication. Pricing tier: Premium
Supported assets Compliance standards:
|
Retrieves all API keys owned by a project.
|
API key not rotated
Category name in the API: |
Finding description: The API key hasn't been rotated for more than 90 days. Pricing tier: Premium
Supported assets Compliance standards:
|
Retrieves the timestamp contained in the
|
Cloud Asset Inventory vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Asset Inventory
configurations and belong to the CLOUD_ASSET_SCANNER type.
| Detector | Summary | Asset scan settings |
|---|---|---|
Cloud Asset API disabled
Category name in the API: |
Finding description: The capturing of Google Cloud resources and IAM policies by Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing. We recommend that Cloud Asset Inventory service be enabled for all projects. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the Cloud Asset Inventory service is enabled.
|
Compute image vulnerability findings
The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to
Google Cloud image configurations.
| Detector | Summary | Asset scan settings |
|---|---|---|
Public Compute image
Category name in the API: |
Finding description: A Compute Engine image is publicly accessible. Pricing tier: Premium or Standard
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the IAM allow policy in resource
metadata for the principals
|
Compute instance vulnerability findings
The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to
Compute Engine instance configurations.
COMPUTE_INSTANCE_SCANNER detectors don't report findings on
Compute Engine instances created by GKE. Such instances have names that
start with "gke-", which users cannot edit. To secure these instances, refer to the
Container vulnerability findings section.
| Detector | Summary | Asset scan settings |
|---|---|---|
Confidential Computing disabled
Category name in the API: |
Finding description: Confidential Computing is disabled on a Compute Engine instance. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Compute project wide SSH keys allowed
Category name in the API: |
Finding description: Project-wide SSH keys are used, allowing login to all instances in the project. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Compute Secure Boot disabled
Category name in the API: |
Finding description: This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits. Pricing tier: Premium Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
Compute serial ports enabled
Category name in the API: |
Finding description: Serial ports are enabled for an instance, allowing connections to the instance's serial console. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Default service account used
Category name in the API: |
Finding description: An instance is configured to use the default service account. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Disk CMEK disabled
Category name in the API: |
Finding description: Disks on this VM are not encrypted with customer- managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
Disk CSEK disabled
Category name in the API: |
Finding description: Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Full API access
Category name in the API: |
Finding description: An instance is configured to use the default service account with full access to all Google Cloud APIs. Pricing tier: Premium
Supported assets Compliance standards:
|
Retrieves the
|
HTTP load balancer
Category name in the API: |
Finding description: An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Determines if the
|
IP forwarding enabled
Category name in the API: |
Finding description: IP forwarding is enabled on instances. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
OS login disabled
Category name in the API: |
Finding description: OS Login is disabled on this instance. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Public IP address
Category name in the API: |
Finding description: An instance has a public IP address. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks whether the
|
Shielded VM disabled
Category name in the API: |
Finding description: Shielded VM is disabled on this instance. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Weak SSL policy
Category name in the API: |
Finding description: An instance has a weak SSL policy. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether
|
Container vulnerability findings
These finding types all relate to GKE container configurations,
and belong to the CONTAINER_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
Alpha cluster enabled
Category name in the API: |
Finding description: Alpha cluster features are enabled for a GKE cluster. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Auto repair disabled
Category name in the API: |
Finding description: A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Auto upgrade disabled
Category name in the API: |
Finding description: A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Binary authorization disabled
Category name in the API: |
Finding description: Binary Authorization is either disabled on the GKE cluster or the Binary Authorization policy is configured to allow all images to be deployed. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the following:
|
Cluster logging disabled
Category name in the API: |
Finding description: Logging isn't enabled for a GKE cluster. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Cluster monitoring disabled
Category name in the API: |
Finding description: Monitoring is disabled on GKE clusters. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Cluster private Google access disabled
Category name in the API: |
Finding description: Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Cluster secrets encryption disabled
Category name in the API: |
Finding description: Application-layer secrets encryption is disabled on a GKE cluster. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Cluster shielded nodes disabled
Category name in the API: |
Finding description: Shielded GKE nodes are not enabled for a cluster. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
COS not used
Category name in the API: |
Finding description: Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Integrity monitoring disabled
Category name in the API: |
Finding description: Integrity monitoring is disabled for a GKE cluster. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Intranode visibility disabled
Category name in the API: |
Finding description: Intranode visibility is disabled for a GKE cluster. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
IP alias disabled
Category name in the API: |
Finding description: A GKE cluster was created with alias IP ranges disabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Legacy authorization enabled
Category name in the API: |
Finding description: Legacy Authorization is enabled on GKE clusters. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks the
|
Legacy metadata enabled
Category name in the API: |
Finding description: Legacy metadata is enabled on GKE clusters. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Master authorized networks disabled
Category name in the API: |
Finding description: Control Plane Authorized Networks is not enabled on GKE clusters. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Network policy disabled
Category name in the API: |
Finding description: Network policy is disabled on GKE clusters. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Nodepool boot CMEK disabled
Category name in the API: |
Finding description: Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
Nodepool secure boot disabled
Category name in the API: |
Finding description: Secure Boot is disabled for a GKE cluster. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Over privileged account
Category name in the API: |
Finding description: A service account has overly broad project access in a cluster. Pricing tier: Premium
Supported assets Compliance standards:
|
Evaluates the
|
Over privileged scopes
Category name in the API: |
Finding description: A node service account has broad access scopes. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the access scope listed in the
config.oauthScopes property of a node pool is
a limited service account access scope:
https://www.googleapis.com/auth/devstorage.read_only,
https://www.googleapis.com/auth/logging.write,
or
https://www.googleapis.com/auth/monitoring.
|
Pod security policy disabled
Category name in the API: |
Finding description: PodSecurityPolicy is disabled on a GKE cluster. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Private cluster disabled
Category name in the API: |
Finding description: A GKE cluster has a Private cluster disabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Release channel disabled
Category name in the API: |
Finding description: A GKE cluster is not subscribed to a release channel. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Web UI enabled
Category name in the API: |
Finding description: The GKE web UI (dashboard) is enabled. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks the
|
Workload Identity disabled
Category name in the API: |
Finding description: Workload Identity is disabled on a GKE cluster. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Dataproc vulnerability findings
Vulnerabilities of this detector type all relate to Dataproc and belong to the
DATAPROC_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
Dataproc CMEK disabled
Category name in the API: |
Finding description: A Dataproc cluster was created without an encryption configuration CMEK. With CMEK, keys that you create and manage in Cloud Key Management Service wrap the keys that Google Cloud uses to encrypt your data, giving you more control over access to your data. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Dataproc image outdated
Category name in the API: |
Finding description: A Dataproc cluster was created with a Dataproc image version that is impacted by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046). Pricing tier: Premium or Standard
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks whether the
|
Dataset vulnerability findings
Vulnerabilities of this detector type all relate to BigQuery Dataset
configurations, and belong to the DATASET_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
BigQuery table CMEK disabled
Category name in the API: |
Finding description: A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Dataset CMEK disabled
Category name in the API: |
Finding description: A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Public dataset
Category name in the API: |
Finding description: A dataset is configured to be open to public access. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks the IAM allow policy in resource
metadata for the principals
|
DNS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud DNS configurations,
and belong to the DNS_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
DNSSEC disabled
Category name in the API: |
Finding description: DNSSEC is disabled for Cloud DNS zones. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
RSASHA1 for signing
Category name in the API: |
Finding description: RSASHA1 is used for key signing in Cloud DNS zones. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Firewall vulnerability findings
Vulnerabilities of this detector type all relate to firewall configurations, and
belong to the FIREWALL_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
Egress deny rule not set
Category name in the API: |
Finding description: An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Firewall rule logging disabled
Category name in the API: |
Finding description: Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open Cassandra port
Category name in the API: |
Finding description: A firewall is configured to have an open Cassandra port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open ciscosecure websm port
Category name in the API: |
Finding description: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks the
|
Open directory services port
Category name in the API: |
Finding description: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks the
|
Open DNS port
Category name in the API: |
Finding description: A firewall is configured to have an open DNS port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open elasticsearch port
Category name in the API: |
Finding description: A firewall is configured to have an open ELASTICSEARCH port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open firewall
Category name in the API: |
Finding description: A firewall is configured to be open to public access. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks the
|
Open FTP port
Category name in the API: |
Finding description: A firewall is configured to have an open FTP port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open HTTP port
Category name in the API: |
Finding description: A firewall is configured to have an open HTTP port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open LDAP port
Category name in the API: |
Finding description: A firewall is configured to have an open LDAP port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open Memcached port
Category name in the API: |
Finding description: A firewall is configured to have an open MEMCACHED port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open MongoDB port
Category name in the API: |
Finding description: A firewall is configured to have an open MONGODB port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open MySQL port
Category name in the API: |
Finding description: A firewall is configured to have an open MYSQL port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open NetBIOS port
Category name in the API: |
Finding description: A firewall is configured to have an open NETBIOS port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open OracleDB port
Category name in the API: |
Finding description: A firewall is configured to have an open ORACLEDB port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open pop3 port
Category name in the API: |
Finding description: A firewall is configured to have an open POP3 port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open PostgreSQL port
Category name in the API: |
Finding description: A firewall is configured to have an open PostgreSQL port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
Open RDP port
Category name in the API: |
Finding description: A firewall is configured to have an open RDP port that allows generic access. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks the
|
Open Redis port
Category name in the API: |
Finding description: A firewall is configured to have an open REDIS port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Open SMTP port
Category name in the API: |
Finding description: A firewall is configured to have an open SMTP port that allows generic access. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Open SSH port
Category name in the API: |
Finding description: A firewall is configured to have an open SSH port that allows generic access. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks whether the
|
Open Telnet port
Category name in the API: |
Finding description: A firewall is configured to have an open TELNET port that allows generic access. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks whether the
|
IAM vulnerability findings
Vulnerabilities of this detector type all relate to Identity and Access Management (IAM)
configuration, and belong to the IAM_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
Access Transparency disabled
Category name in the API: |
Finding description: Google Cloud Access Transparency is disabled for your organization. Access Transparency logs when Google Cloud employees access the projects in your organization to provide support. Enable Access Transparency to log who from Google Cloud is accessing your information, when, and why. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if your organization has Access Transparency enabled.
|
Admin service account
Category name in the API: |
Finding description: A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the IAM allow policy in resource
metadata for any user-created service accounts (indicated
by the prefix iam.gserviceaccount.com),
that are assigned
|
Essential Contacts Not Configured
Category name in the API: |
Finding description: Your organization has not designated a person or group to receive notifications from Google Cloud about important events such as attacks, vulnerabilities, and data incidents within your Google Cloud organization. We recommend that you designate as an Essential Contact one or more persons or groups in your business organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks that a contact is specified for the following essential contact categories:
|
KMS role separation
Category name in the API: |
Finding description: Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks IAM allow policies in resource metadata
and retrieves principals assigned any of the following
roles at the same time:
roles/cloudkms.cryptoKeyEncrypterDecrypter,
roles/cloudkms.cryptoKeyEncrypter, and
roles/cloudkms.cryptoKeyDecrypter,
roles/cloudkms.signer,
roles/cloudkms.signerVerifier,
roles/cloudkms.publicKeyViewer.
|
Non org IAM member
Category name in the API: |
Finding description: There is a user who isn't using organizational credentials. Per CIS GCP Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Compares @gmail.com email addresses in the
|
Open group IAM member
Category name in the API: |
Finding description: A Google Groups account that can be joined without approval is used as an IAM allow policy principal. Pricing tier: Premium or Standard
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the IAM
policy in resource
metadata for any bindings
containing a member (principal) that's prefixed with group. If the
group is an open group, Security Health Analytics generates this finding.
|
Over privileged service account user
Category name in the API: |
Finding description: A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the IAM allow policy in resource
metadata for any principals assigned
roles/iam.serviceAccountUser or
roles/iam.serviceAccountTokenCreator at the
project level.
|
Primitive roles used
Category name in the API: |
Finding description: A user has one of the following basic roles:
These roles are too permissive and shouldn't be used. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the IAM allow policy in resource
metadata for any principals that are assigned a
|
Redis role used on org
Category name in the API: |
Finding description: A Redis IAM role is assigned at the organization or folder level. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets
Compliance standards:
|
Checks the IAM allow policy in resource
metadata for principals assigned
|
Service account role separation
Category name in the API: |
Finding description: A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the IAM allow policy in resource
metadata for any principals assigned both
roles/iam.serviceAccountUser and
roles/iam.serviceAccountAdmin.
|
Service account key not rotated
Category name in the API: |
Finding description: A service account key hasn't been rotated for more than 90 days. Pricing tier: Premium
Supported assets Compliance standards:
|
Evaluates the key creation timestamp captured in the
|
User managed service account key
Category name in the API: |
Finding description: A user manages a service account key. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
KMS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud KMS
configurations, and belong to the KMS_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
KMS key not rotated
Category name in the API: |
Finding description: Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks resource metadata for the existence of
|
KMS project has owner
Category name in the API: |
Finding description: A user has Owner permissions on a project that has cryptographic keys. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the IAM allow policy in project
metadata for principals assigned
|
KMS public key
Category name in the API: |
Finding description: A Cloud KMS cryptographic key is publicly accessible. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the IAM allow policy in resource
metadata for the principals
|
Too many KMS users
Category name in the API: |
Finding description: There are more than three users of cryptographic keys. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks IAM allow policies for key rings,
projects, and organizations, and retrieves principals with
roles that allow them to encrypt, decrypt or sign data using
Cloud KMS keys: roles/owner,
roles/cloudkms.cryptoKeyEncrypterDecrypter,
roles/cloudkms.cryptoKeyEncrypter,
roles/cloudkms.cryptoKeyDecrypter,
roles/cloudkms.signer, and
roles/cloudkms.signerVerifier.
|
Logging vulnerability findings
Vulnerabilities of this detector type all relate to logging configurations, and
belong to the LOGGING_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
Audit logging disabled
Category name in the API: |
Finding description: Audit logging has been disabled for this resource. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the IAM allow policy in resource
metadata for the existence of an
|
Bucket logging disabled
Category name in the API: |
Finding description: There is a storage bucket without logging enabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Locked retention policy not set
Category name in the API: |
Finding description: A locked retention policy is not set for logs. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Log not exported
Category name in the API: |
Finding description: There is a resource that doesn't have an appropriate log sink configured. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets
Compliance standards:
|
Retrieves a
|
Object versioning disabled
Category name in the API: |
Finding description: Object versioning isn't enabled on a storage bucket where sinks are configured. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Monitoring vulnerability findings
Vulnerabilities of this detector type all relate to monitoring configurations,
and belong to the MONITORING_SCANNER type. All Monitoring detector finding
properties include:
-
The
RecommendedLogFilterto use in creating the log metrics. -
The
QualifiedLogMetricNamesthat cover the conditions listed in the recommended log filter. -
The
AlertPolicyFailureReasonsthat indicate if the project does not have alert policies created for any of the qualified log metrics or the existing alert policies don't have the recommended settings.
| Detector | Summary | Asset scan settings |
|---|---|---|
Audit config not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Audit Configuration changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*,
and if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
Bucket IAM not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type=gcs_bucket AND
protoPayload.methodName="storage.setIamPermissions".
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
Custom role not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Custom Role changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="iam_role" AND
(protoPayload.methodName="google.iam.admin.v1.CreateRole"
OR
protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR
protoPayload.methodName="google.iam.admin.v1.UpdateRole").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
Firewall not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Virtual Private Cloud (VPC) Network Firewall rule changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_firewall_rule"
AND (protoPayload.methodName:"compute.firewalls.insert"
OR protoPayload.methodName:"compute.firewalls.patch"
OR protoPayload.methodName:"compute.firewalls.delete").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
Network not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor VPC network changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_network"
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
Owner not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee) OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner"),
and if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
Route not monitored
Category name in the API: |
Finding description: Log metrics and alerts aren't configured to monitor VPC network route changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_route"
AND (protoPayload.methodName:"compute.routes.delete"
OR protoPayload.methodName:"compute.routes.insert").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
SQL instance not monitored
|
Finding description: Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName="cloudsql.instances.update"
OR protoPayload.methodName="cloudsql.instances.create"
OR protoPayload.methodName="cloudsql.instances.delete",
and if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
Multi-factor authentication findings
The MFA_SCANNER detector identifies vulnerabilities related to multi-factor
authentication for users.
| Detector | Summary | Asset scan settings |
|---|---|---|
MFA not enforced
Category name in the API: |
There are users who aren't using 2-Step Verification. Google Workspace lets you specify an enrollment grace period for new users during which they must enroll in 2-Step Verification. This detector does create findings for users during the enrollment grace period. This finding isn't available for project-level activations. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Evaluates identity management policies in organizations and user settings for managed accounts in Cloud Identity.
|
Network vulnerability findings
Vulnerabilities of this detector type all relate to an organization's network
configurations, and belong to theNETWORK_SCANNERtype.
| Detector | Summary | Asset scan settings |
|---|---|---|
Default network
Category name in the API: |
Finding description: The default network exists in a project. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
DNS logging disabled
Category name in the API: |
Finding description: DNS logging on a VPC network is not enabled. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks all
|
Legacy network
Category name in the API: |
Finding description: A legacy network exists in a project. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks network metadata for existence of the
|
Load balancer logging disabled
Category name in the API: |
Finding description: Logging is disabled for the load balancer. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Organization Policy vulnerability findings
Vulnerabilities of this detector type all relate to configurations of
Organization Policy
constraints, and belong to the ORG_POLICY type.
| Detector | Summary | Asset scan settings |
|---|---|---|
Org policy Confidential VM policy
Category name in the API: |
Finding description:
A Compute Engine resource is out of compliance with
the
constraints/compute.restrictNonConfidentialComputing
organization policy. For more information about this org
policy constraint, see
Enforcing organization policy
constraints in Confidential VM.
For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks whether the
|
Org policy location restriction
Category name in the API: |
Finding description:
A Compute Engine resource is out of compliance with
the constraints/gcp.resourceLocations
constraint. For more information about this org policy
constraint, see Enforcing
organization policy constraints.
For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
|
Supported assets for ORG_POLICY_LOCATION_RESTRICTION
Compute Engine
GKE
Cloud Storage
Cloud KMS
Dataproc
BigQuery
Dataflow
Cloud SQL
Cloud Composer
Logging
Pub/Sub
Vertex AI
Artifact Registry 1 Because Cloud KMS assets cannot be deleted, the asset is not considered out-of-region if the asset's data has been destroyed. 2 Because Cloud KMS import jobs have a controlled lifecycle and cannot be terminated early, an ImportJob is not considered out-of-region if the job is expired and can no longer be used to import keys. 3 Because the lifecycle of Dataflow jobs cannot be managed, a Job is not considered out-of-region once it has reached a terminal state (stopped or drained), where it can no longer be used to process data. |
||
Pub/Sub vulnerability findings
Vulnerabilities of this detector type all relate to Pub/Sub
configurations, and belong to the PUBSUB_SCANNER type.
| Detector | Summary | Asset scan settings |
|---|---|---|
Pubsub CMEK disabled
Category name in the API: |
Finding description: A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
SQL vulnerability findings
Vulnerabilities of this detector type all relate to Cloud SQL
configurations, and belong to the SQL_SCANNER type.
| Detector | Summary | Asset scan settings |
|---|---|---|
AlloyDB auto backup disabled
Category name in the API: |
Finding description: An AlloyDB for PostgreSQL cluster doesn't have automatic backups enabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
AlloyDB log min error statement severity
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
To ensure adequate coverage of message types in the logs, issues a finding if the
|
AlloyDB log min messages
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
To ensure adequate coverage of message types in the logs, issues a finding if the
|
AlloyDB log error verbosity
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
To ensure adequate coverage of message types in the logs, issues a finding if the
|
Auto backup disabled
Category name in the API: |
Finding description: A Cloud SQL database doesn't have automatic backups enabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Public SQL instance
Category name in the API: |
Finding description: A Cloud SQL database instance accepts connections from all IP addresses. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks whether the
|
SSL not enforced
Category name in the API: |
Finding description: A Cloud SQL database instance doesn't require all incoming connections to use SSL. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks whether the
|
SQL CMEK disabled
Category name in the API: |
Finding description: A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
SQL contained database authentication
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL cross DB ownership chaining
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL external scripts enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL local infile
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL log checkpoints disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL log connections disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL log disconnections disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL log duration disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL log error verbosity
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
SQL log lock waits disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL log min duration statement enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL log min error statement
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
SQL log min error statement severity
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
SQL log min messages
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
To ensure adequate coverage of message types in the logs, issues a finding if the
|
SQL log executor stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
SQL log hostname enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
SQL log parser stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
SQL log planner stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
SQL log statement
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
SQL log statement stats enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
SQL log temp files
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL no root password
Category name in the API: |
Finding description: A Cloud SQL database that has a public IP address doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
SQL public IP
Category name in the API: |
Finding description: A Cloud SQL database has a public IP address. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the IP address type of an
Cloud SQL database is set to
|
SQL remote access enabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL skip show database disabled
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL trace flag 3625
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL user connections configured
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL user options configured
Category name in the API: |
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
SQL weak root password
Category name in the API: |
Finding description: A Cloud SQL database that has a public IP address also has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Compares the password for the root account of your Cloud SQL database to a list of common passwords.
|
Storage vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Storage Buckets
configurations, and belong to theSTORAGE_SCANNERtype.
| Detector | Summary | Asset scan settings |
|---|---|---|
Bucket CMEK disabled
Category name in the API: |
Finding description: A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
Bucket policy only disabled
Category name in the API: |
Finding description: Uniform bucket-level access, previously called Bucket Policy Only, isn't configured. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Public bucket ACL
Category name in the API: |
Finding description: A Cloud Storage bucket is publicly accessible. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks the IAM allow policy of a bucket for
public roles,
|
Public log bucket
Category name in the API: |
Finding description: A storage bucket used as a log sink is publicly accessible. This finding isn't available for project-level activations. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks the IAM allow policy of a bucket for
the principals
|
Subnetwork vulnerability findings
Vulnerabilities of this detector type all relate to an organization's subnetwork
configurations, and belong to theSUBNETWORK_SCANNERtype.
| Detector | Summary | Asset scan settings |
|---|---|---|
Flow logs disabled
Category name in the API: |
Finding description: There is a VPC subnetwork that has flow logs disabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Flow logs settings not recommended
Category name in the API: |
Finding description: For a VPC subnetwork, VPC Flow Logs is either off or is not configured according to CIS Benchmark 1.3 recommendations. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Private Google access disabled
Category name in the API: |
Finding description: There are private subnetworks without access to Google public APIs. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
AWS findings
| Detector | Summary | Asset scan settings |
|---|---|---|
AWS Cloud Shell Full Access Restricted
Category name in the API:
|
Finding description: AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers. Pricing tier: Enterprise Compliance standards:
|
Ensure access to AWSCloudShellFullAccess is restricted
|
Access Keys Rotated Every 90 Days or Less
Category name in the API:
|
Finding description: Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. Pricing tier: Enterprise Compliance standards:
|
Ensure access keys are rotated every 90 days or less
|
All Expired Ssl Tls Certificates Stored Aws Iam Removed
Category name in the API:
|
Finding description: To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console. Pricing tier: Enterprise Compliance standards:
|
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
|
Autoscaling Group Elb Healthcheck Required
Category name in the API:
|
Finding description: This checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups. Pricing tier: Enterprise Compliance standards:
|
Checks that all autoscaling groups assoc with a load balancer use healthchecks
|
Auto Minor Version Upgrade Feature Enabled Rds Instances
Category name in the API:
|
Finding description: Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines. Pricing tier: Enterprise Compliance standards:
|
Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
|
Aws Config Enabled All Regions
Category name in the API:
|
Finding description: AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions. Pricing tier: Enterprise Compliance standards:
|
Ensure AWS Config is enabled in all regions
|
Aws Security Hub Enabled
Category name in the API:
|
Finding description: Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products. Pricing tier: Enterprise Compliance standards:
|
Ensure AWS Security Hub is enabled
|
Cloudtrail Logs Encrypted Rest Using Kms Cmks
Category name in the API:
|
Finding description: AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. Pricing tier: Enterprise Compliance standards:
|
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
|
Cloudtrail Log File Validation Enabled
Category name in the API:
|
Finding description: CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails. Pricing tier: Enterprise Compliance standards:
|
Ensure CloudTrail log file validation is enabled
|
Cloudtrail Trails Integrated Cloudwatch Logs
Category name in the API:
|
Finding description: AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution. Pricing tier: Enterprise Compliance standards:
|
Ensure CloudTrail trails are integrated with CloudWatch Logs
|
Cloudwatch Alarm Action Check
Category name in the API:
|
Finding description: This checks whether Amazon Cloudwatch has actions defined when an alarm transitions between the states 'OK', 'ALARM' and 'INSUFFICIENT_DATA'. Configuring actions for the ALARM state in Amazon CloudWatch alarms is very important to trigger an immediate response when monitored metrics breach thresholds. It ensures quick problem resolution, reduces downtime and enables automated remediation, maintaining system health and preventing outages. Alarms have at least one action. Alarms have at least one action when the alarm transitions to the 'INSUFFICIENT_DATA' state from any other state. (Optional) Alarms have at least one action when the alarm transitions to an 'OK' state from any other state. Pricing tier: Enterprise Compliance standards:
|
Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled.
|
Cloudwatch Log Group Encrypted
Category name in the API:
|
Finding description: This check ensures CloudWatch logs are configured with KMS. Log group data is always encrypted in CloudWatch Logs. By default, CloudWatch Logs uses server-side encryption for the log data at rest. As an alternative, you can use AWS Key Management Service for this encryption. If you do, the encryption is done using an AWS KMS key. Encryption using AWS KMS is enabled at the log group level, by associating a KMS key with a log group, either when you create the log group or after it exists. Pricing tier: Enterprise Compliance standards:
|
Checks that all log groups in Amazon CloudWatch Logs are encrypted with KMS
|
CloudTrail CloudWatch Logs Enabled
Category name in the API:
|
Finding description: This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. The control fails if the CloudWatchLogsLogGroupArn property of the trail is empty. CloudTrail records AWS API calls that are made in a given account. The recorded information includes the following: - The identity of the API caller - The time of the API call - The source IP address of the API caller - The request parameters - The response elements returned by the AWS service CloudTrail uses Amazon S3 for log file storage and delivery. You can capture CloudTrail logs in a specified S3 bucket for long-term analysis. To perform real-time analysis, you can configure CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all of those Regions to a CloudWatch Logs log group. Security Hub recommends that you send CloudTrail logs to CloudWatch Logs. Note that this recommendation is intended to ensure that account activity is captured, monitored, and appropriately alarmed on. You can use CloudWatch Logs to set this up with your AWS services. This recommendation does not preclude the use of a different solution. Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address. You can use this approach to establish alarms and notifications for anomalous or sensitivity account activity. Pricing tier: Enterprise Compliance standards:
|
Checks that all CloudTrail trails are configured to send logs to AWS CloudWatch
|
No AWS Credentials in CodeBuild Project Environment Variables
Category name in the API:
|
Finding description: This checks whether the project contains the environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. Authentication credentials `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access. Pricing tier: Enterprise Compliance standards:
|
Checks that all projects containing env variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are not in plaintext
|
Codebuild Project Source Repo Url Check
Category name in the API:
|
Finding description: This checks whether an AWS CodeBuild project Bitbucket source repository URL contains personal access tokens or a user name and password. The control fails if the Bitbucket source repository URL contains personal access tokens or a user name and password. Sign-in credentials shouldn't be stored or transmitted in clear text or appear in the source repository URL. Instead of personal access tokens or sign-in credentials, you should access your source provider in CodeBuild, and change your source repository URL to contain only the path to the Bitbucket repository location. Using personal access tokens or sign-in credentials could result in unintended data exposure or unauthorized access. Pricing tier: Enterprise Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks that all projects using github or bitbucket as the source use oauth
|
Credentials Unused 45 Days Greater Disabled
Category name in the API:
|
Finding description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed. Pricing tier: Enterprise Compliance standards:
|
Ensure credentials unused for 45 days or greater are disabled
|
Default Security Group Vpc Restricts All Traffic
Category name in the API:
|
Finding description: A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. **NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups. Pricing tier: Enterprise Compliance standards:
|
Ensure the default security group of every VPC restricts all traffic
|
Dms Replication Not Public
Category name in the API:
|
Finding description: Checks whether AWS DMS replication instances are public. To do this, it examines the value of the `PubliclyAccessible` field. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network. The network must also be connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. To learn more about public and private replication instances, see [Public and private replication instances](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html#CHAP_ReplicationInstance.PublicPrivate) in the AWS Database Migration Service User Guide. You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources. Pricing tier: Enterprise Compliance standards:
|
Checks whether AWS Database Migration Service replication instances are public
|
Do Setup Access Keys During Initial User Setup All Iam Users Console
Category name in the API:
|
Finding description: AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user. Pricing tier: Enterprise Compliance standards:
|
Do not setup access keys during initial user setup for all IAM users that have a console password
|
Dynamodb Autoscaling Enabled
Category name in the API:
|
Finding description: This checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications. DynamoDB tables in on-demand capacity mode are only limited by the DynamoDB throughput default table quotas. To raise these quotas, you can file a support ticket through AWS Support. DynamoDB tables in provisioned mode with auto scaling adjust the provisioned throughput capacity dynamically in response to traffic patterns. For additional information on DynamoDB request throttling, see Request throttling and burst capacity in the Amazon DynamoDB Developer Guide. Pricing tier: Enterprise Compliance standards:
|
DynamoDB tables should automatically scale capacity with demand
|
Dynamodb In Backup Plan
Category name in the API:
|
Finding description: This control evaluates whether a DynamoDB table is covered by a backup plan. The control fails if a DynamoDB table isn't covered by a backup plan. This control only evaluates DynamoDB tables that are in the ACTIVE state. Backups help you recover more quickly from a security incident. They also strengthen the resilience of your systems. Including DynamoDB tables in a backup plan helps you protect your data from unintended loss or deletion. Pricing tier: Enterprise Compliance standards:
|
DynamoDB tables should be covered by a backup plan
|
Dynamodb Pitr Enabled
Category name in the API:
|
Finding description: Point In Time Recovery (PITR) is one of the mechanisms available to backup DynamoDB tables. A point in time backup is kept for 35 days. In case your requirement is for longer retention, please see [Set up scheduled backups for Amazon DynamoDB using AWS Backup](https://aws.amazon.com/blogs/database/set-up-scheduled-backups-for-amazon-dynamodb-using-aws-backup/) in the AWS Documentation. Pricing tier: Enterprise Compliance standards:
|
Checks that point in time recovery (PITR) is enabled for all AWS DynamoDB tables
|
Dynamodb Table Encrypted Kms
Category name in the API:
|
Finding description: Checks whether all DynamoDB tables are encrypted with a customer managed KMS key (non-default). Pricing tier: Enterprise Compliance standards:
|
Checks that all DynamoDB tables are encrypted with AWS Key Management Service (KMS)
|
Ebs Optimized Instance
Category name in the API:
|
Finding description: Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized Pricing tier: Enterprise Compliance standards:
|
Checks that EBS optimization is enabled for all instances that support EBS optimization
|
Ebs Snapshot Public Restorable Check
Category name in the API:
|
Finding description: Checks whether Amazon Elastic Block Store snapshots are not public. The control fails if Amazon EBS snapshots are restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. This check helps ensure that all such sharing was fully planned and intentional. Pricing tier: Enterprise Compliance standards:
|
Amazon EBS snapshots should not be publicly restorable
|
Ebs Volume Encryption Enabled All Regions
Category name in the API:
|
Finding description: Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported. Pricing tier: Enterprise Compliance standards:
|
Ensure EBS Volume Encryption is Enabled in all Regions
|
Ec2 Instances In Vpc
Category name in the API:
|
Finding description: Amazon VPC provides more security functionality than EC2 Classic. It is recommended that all nodes belong to an Amazon VPC. Pricing tier: Enterprise Compliance standards:
|
Ensures that all instances belong to a VPC
|
Ec2 Instance No Public Ip
Category name in the API:
|
Finding description: EC2 instances that have a public IP address are at an increased risk of compromise. It is recommended that EC2 instances not be configured with a public IP address. Pricing tier: Enterprise Compliance standards:
|
Ensures no instances have a public IP
|
Ec2 Managedinstance Association Compliance Status Check
Category name in the API:
|
Finding description: A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. EC2 instances that have an association with AWS Systems Manager are under management of Systems Manager which makes it easier to apply patches, fix misconfigurations, and respond to security events. Pricing tier: Enterprise Compliance standards:
|
Checks the compliance status AWS systems manager association
|
Ec2 Managedinstance Patch Compliance Status Check
Category name in the API:
|
Finding description: This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control fails if the association compliance status is NON_COMPLIANT. A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances or that certain ports must be closed. After you create one or more State Manager associations, compliance status information is immediately available to you. You can view the compliance status in the console or in response to AWS CLI commands or corresponding Systems Manager API actions. For associations, Configuration Compliance shows the compliance status (Compliant or Non-compliant). It also shows the severity level assigned to the association, such as Critical or Medium. To learn more about State Manager association compliance, see [About State Manager association compliance](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-compliance-about.html#sysman-compliance-about-association) in the AWS Systems Manager User Guide. Pricing tier: Enterprise Compliance standards:
|
Checks the status of AWS Systems Manager patch compliance
|
Ec2 Metadata Service Allows Imdsv2
Category name in the API:
|
Finding description: When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method). Pricing tier: Enterprise Compliance standards:
|
Ensure that EC2 Metadata Service only allows IMDSv2
|
Ec2 Volume Inuse Check
Category name in the API:
|
Finding description: Identifying and removing unattached (unused) Elastic Block Store (EBS) volumes in your AWS account in order to lower the cost of your monthly AWS bill. Deleting unused EBS volumes also reduces the risk of confidential/sensitive data leaving your premise. Additionally, this control also checks whether EC2 instances archived configured to delete volumes on termination. By default, EC2 instances are configured to delete the data in any EBS volumes associated with the instance, and to delete the root EBS volume of the instance. However, any non-root EBS volumes attached to the instance, at launch or during execution, get persisted after termination by default. Pricing tier: Enterprise Compliance standards:
|
Checks whether EBS volumes are attached to EC2 instances and configured for deletion on instance termination
|
Efs Encrypted Check
Category name in the API:
|
Finding description: Amazon EFS supports two forms of encryption for file systems, encryption of data in transit and encryption at rest. This checks that all EFS file systems are configured with encryption-at-rest across all enabled regions in the account. Pricing tier: Enterprise Compliance standards:
|
Checks whether EFS is configured to encrypt file data using KMS
|
Efs In Backup Plan
Category name in the API:
|
Finding description: Amazon best practices recommend configuring backups for your Elastic File Systems (EFS). This checks all EFS across every enabled region in your AWS account for enabled backups. Pricing tier: Enterprise Compliance standards:
|
Checks whether EFS filesystems are included in AWS Backup plans
|
Elb Acm Certificate Required
Category name in the API:
|
Finding description: Checks whether the Classic Load Balancer uses HTTPS/SSL certificates provided by AWS Certificate Manager (ACM). The control fails if the Classic Load Balancer configured with HTTPS/SSL listener does not use a certificate provided by ACM. To create a certificate, you can use either ACM or a tool that supports the SSL and TLS protocols, such as OpenSSL. Security Hub recommends that you use ACM to create or import certificates for your load balancer. ACM integrates with Classic Load Balancers so that you can deploy the certificate on your load balancer. You also should automatically renew these certificates. Pricing tier: Enterprise Compliance standards:
|
Checks that all Classic Load Balancers use SSL certificates provided by AWS Certificate Manager
|
Elb Deletion Protection Enabled
Category name in the API:
|
Finding description: Checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. Enable deletion protection to protect your Application Load Balancer from deletion. Pricing tier: Enterprise Compliance standards:
|
Application Load Balancer deletion protection should be enabled
|
Elb Logging Enabled
Category name in the API:
|
Finding description: This checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues. To learn more, see [Access logs for your Classic Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html) in User Guide for Classic Load Balancers. Pricing tier: Enterprise Compliance standards:
|
Checks whether classic and application load balancers have logging enabled
|
Elb Tls Https Listeners Only
Category name in the API:
|
Finding description: This check ensures all Classic Load Balancers are configured to use secure communication. A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections and a protocol and a port for back-end (load balancer to instance) connections. For information about the ports, protocols, and listener configurations supported by Elastic Load Balancing, see [Listeners for your Classic Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-listener-config.html). Pricing tier: Enterprise Compliance standards:
|
Checks that all Classic Load Balancer are configured with SSL or HTTPS listeners
|
Encrypted Volumes
Category name in the API:
|
Finding description: Checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check. For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses KMS keys when creating encrypted volumes and snapshots. To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances. Pricing tier: Enterprise Compliance standards:
|
Attached Amazon EBS volumes should be encrypted at-rest
|
Encryption At Rest Enabled Rds Instances
Category name in the API:
|
Finding description: Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. Pricing tier: Enterprise Compliance standards:
|
Ensure that encryption-at-rest is enabled for RDS Instances
|
Encryption Enabled Efs File Systems
Category name in the API:
|
Finding description: EFS data should be encrypted at rest using AWS KMS (Key Management Service). Pricing tier: Enterprise Compliance standards:
|
Ensure that encryption is enabled for EFS file systems
|
Iam Password Policy
Category name in the API:
|
Finding description: AWS allows for custom password policies on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. If you don't set a custom password policy, IAM user passwords must meet the default AWS password policy. AWS security best practices recommends the following password complexity requirements: - Require at least one uppercase character in password. - Require at least one lowercase character in passwords. - Require at least one symbol in passwords. - Require at least one number in passwords. - Require a minimum password length of at least 14 characters. - Require at least 24 passwords before allowing reuse. - Require at least 90 before password expiration This controls checks all of the specified password policy requirements. Pricing tier: Enterprise Compliance standards:
|
Checks whether the account password policy for IAM users meets the specified requirements
|
Iam Password Policy Prevents Password Reuse
Category name in the API:
|
Finding description: IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. Pricing tier: Enterprise Compliance standards:
|
Ensure IAM password policy prevents password reuse
|
Iam Password Policy Requires Minimum Length 14 Greater
Category name in the API:
|
Finding description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. Pricing tier: Enterprise Compliance standards:
|
Ensure IAM password policy requires minimum length of 14 or greater
|
Iam Policies Allow Full Administrative Privileges Attached
Category name in the API:
|
Finding description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges. Pricing tier: Enterprise Compliance standards:
|
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
|
Iam Users Receive Permissions Groups
Category name in the API:
|
Finding description: IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy; 4) add the user to an IAM group that has an inline policy. Only the third implementation is recommended. Pricing tier: Enterprise Compliance standards:
|
Ensure IAM Users Receive Permissions Only Through Groups
|
Iam User Group Membership Check
Category name in the API:
|
Finding description: IAM users should always be part of an IAM group in order to adhere to IAM security best practices. By adding users to a group, it is possible to share policies among types of users. Pricing tier: Enterprise Compliance standards:
|
Checks whether IAM users are members of at least one IAM group
|
Iam User Mfa Enabled
Category name in the API:
|
Finding description: Multi-factor authentication (MFA) is a best practice that adds an extra layer of protection on top of user names and passwords. With MFA, when a user signs in to the AWS Management Console, they are required to provide a time-sensitive authentication code, provided by a registered virtual or physical device. Pricing tier: Enterprise Compliance standards:
|
Checks whether the AWS IAM users have multi-factor authentication (MFA) enabled
|
Iam User Unused Credentials Check
Category name in the API:
|
Finding description: This checks for any IAM passwords or active access keys that have not been used in the last 90 days. Best practices recommends that you remove, deactivate or rotate all credentials unused for 90 days or more. This reduces the window of opportunity for credentials associated to a compromised or abandoned account to be used. Pricing tier: Enterprise Compliance standards:
|
Checks that all AWS IAM users have passwords or active access keys that have not been used in maxCredentialUsageAge days (default 90)
|
Kms Cmk Not Scheduled For Deletion
Category name in the API:
|
Finding description: This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion. KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure. When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted. For additional information regarding deleting KMS keys, see [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the AWS Key Management Service Developer Guide. Pricing tier: Enterprise Compliance standards:
|
Checks that all CMKs are not scheduled for deletion
|
Lambda Concurrency Check
Category name in the API:
|
Finding description: Checks if the Lambda function is configured with a function-level concurrent execution limit. The rule is NON_COMPLIANT if the Lambda function is not configured with a function-level concurrent execution limit. Pricing tier: Enterprise Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks whether Lambda functions are configured with function-level concurrent execution limit
|
Lambda Dlq Check
Category name in the API:
|
Finding description: Checks if a Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the Lambda function is not configured with a dead-letter queue. Pricing tier: Enterprise Compliance standards:
|
Checks whether Lambda functions are configured with a dead letter queue
|
Lambda Function Public Access Prohibited
Category name in the API:
|
Finding description: AWS best practices recommend that Lambda function should not be publicly exposed. This policy checks all Lambda functions deployed across all enabled regions within your account and will fail if they are configured ot allow public access. Pricing tier: Enterprise Compliance standards:
|
Checks whether the policy attached to the Lambda function prohibits public access
|
Lambda Inside Vpc
Category name in the API:
|
Finding description: Checks whether a Lambda function is in a VPC. You might see failed findings for Lambda@Edge resources. It does not evaluate the VPC subnet routing configuration to determine public reachability. Pricing tier: Enterprise Compliance standards:
|
Checks whether the Lambda functions exists within a VPC
|
Mfa Delete Enabled S3 Buckets
Category name in the API:
|
Finding description: Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication. Pricing tier: Enterprise Compliance standards:
|
Ensure MFA Delete is enabled on S3 buckets
|
Mfa Enabled Root User Account
Category name in the API:
|
Finding description: The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device. **Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company. Pricing tier: Enterprise Compliance standards:
|
Ensure MFA is enabled for the 'root' user account
|
Multi Factor Authentication Mfa Enabled All Iam Users Console
Category name in the API:
|
Finding description: Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password. Pricing tier: Enterprise Compliance standards:
|
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
|
No Network Acls Allow Ingress 0 0 0 0 Remote Server Administration
Category name in the API:
|
Finding description: The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`, using either the TDP (6), UDP (17) or ALL (-1) protocols Pricing tier: Enterprise Compliance standards:
|
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
|
No Root User Account Access Key Exists
Category name in the API:
|
Finding description: The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be deleted. Pricing tier: Enterprise Compliance standards:
|
Ensure no 'root' user account access key exists
|
No Security Groups Allow Ingress 0 0 0 0 Remote Server Administration
Category name in the API:
|
Finding description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`, using either the TDP (6), UDP (17) or ALL (-1) protocols Pricing tier: Enterprise Compliance standards:
|
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
|
No Security Groups Allow Ingress 0 Remote Server Administration
Category name in the API:
|
Finding description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`. Pricing tier: Enterprise Compliance standards:
|
Ensure no security groups allow ingress from ::/0 to remote server administration ports
|
One Active Access Key Available Any Single Iam User
Category name in the API:
|
Finding description: Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK) Pricing tier: Enterprise Compliance standards:
|
Ensure there is only one active access key available for any single IAM user
|
Public Access Given Rds Instance
Category name in the API:
|
Finding description: Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance. Pricing tier: Enterprise Compliance standards:
|
Ensure that public access is not given to RDS Instance
|
Rds Enhanced Monitoring Enabled
Category name in the API:
|
Finding description: Enhanced monitoring provides real-time metrics on the operating system that the RDS instance runs on, via an agent installed in the instance. For more details, see [Monitoring OS metrics with Enhanced Monitoring](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html). Pricing tier: Enterprise Compliance standards:
|
Checks whether enhanced monitoring is enabled for all RDS DB instances
|
Rds Instance Deletion Protection Enabled
Category name in the API:
|
Finding description: Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled. Pricing tier: Enterprise Compliance standards:
|
Checks if all RDS instances have deletion protection enabled
|
Rds In Backup Plan
Category name in the API:
|
Finding description: This check evaluates if Amazon RDS DB instances are covered by a backup plan. This control fails if an RDS DB instance isn't covered by a backup plan. AWS Backup is a fully managed backup service that centralizes and automates the backing up of data across AWS services. With AWS Backup, you can create backup policies called backup plans. You can use these plans to define your backup requirements, such as how frequently to back up your data and how long to retain those backups. Including RDS DB instances in a backup plan helps you protect your data from unintended loss or deletion. Pricing tier: Enterprise Compliance standards:
|
RDS DB instances should be covered by a backup plan
|
Rds Logging Enabled
Category name in the API:
|
Finding description: This checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch. RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues. Pricing tier: Enterprise Compliance standards:
|
Checks if exported logs are enabled for all RDS DB instances
|
Rds Multi Az Support
Category name in the API:
|
Finding description: RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance. Pricing tier: Enterprise Compliance standards:
|
Checks whether high availability is enabled for all RDS DB instances
|
Redshift Cluster Configuration Check
Category name in the API:
|
Finding description: This checks for essential elements of a Redshift cluster: encryption at rest, logging and node type. These configuration items are important in the maintenance of a secure and observable Redshift cluster. Pricing tier: Enterprise Compliance standards:
|
Checks that all Redshift clusters have encryption at rest, logging and node type.
|
Redshift Cluster Maintenancesettings Check
Category name in the API:
|
Finding description: Automatic major version upgrades happen according to the maintenance window Pricing tier: Enterprise Compliance standards:
|
Checks that all Redshift clusters have allowVersionUpgrade enabled and preferredMaintenanceWindow and automatedSnapshotRetentionPeriod set
|
Redshift Cluster Public Access Check
Category name in the API:
|
Finding description: The PubliclyAccessible attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with PubliclyAccessible set to true, it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address. When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with PubliclyAccessible set to true. Pricing tier: Enterprise Compliance standards:
|
Checks whether Redshift clusters are publicly accessible
|
Restricted Common Ports
Category name in the API:
|
Finding description: This checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control fails if any of the rules in a security group allow ingress traffic from '0.0.0.0/0' or '::/0' for those ports. Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports: - 20, 21 (FTP) - 22 (SSH) - 23 (Telnet) - 25 (SMTP) - 110 (POP3) - 135 (RPC) - 143 (IMAP) - 445 (CIFS) - 1433, 1434 (MSSQL) - 3000 (Go, Node.js, and Ruby web development frameworks) - 3306 (mySQL) - 3389 (RDP) - 4333 (ahsp) - 5000 (Python web development frameworks) - 5432 (postgresql) - 5500 (fcp-addr-srvr1) - 5601 (OpenSearch Dashboards) - 8080 (proxy) - 8088 (legacy HTTP port) - 8888 (alternative HTTP port) - 9200 or 9300 (OpenSearch) Pricing tier: Enterprise Compliance standards:
|
Security groups should not allow unrestricted access to ports with high risk
|
Restricted Ssh
Category name in the API:
|
Finding description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. CIS recommends that no security group allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk. Pricing tier: Enterprise Compliance standards:
|
Security groups should not allow ingress from 0.0.0.0/0 to port 22
|
Rotation Customer Created Cmks Enabled
Category name in the API:
|
Finding description: Checks if automatic key rotation is enabled for each key and matches to the key ID of the customer created AWS KMS key. The rule is NON_COMPLIANT if the AWS Config recorder role for a resource does not have the kms:DescribeKey permission. Pricing tier: Enterprise Compliance standards: This finding category is not mapped to any compliance standard controls. |
Ensure rotation for customer created CMKs is enabled
|
Rotation Customer Created Symmetric Cmks Enabled
Category name in the API:
|
Finding description: AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK. Pricing tier: Enterprise Compliance standards:
|
Ensure rotation for customer created symmetric CMKs is enabled
|
Routing Tables Vpc Peering Are Least Access
Category name in the API:
|
Finding description: Checks if route tables for VPC peering are configure with the principal of least privileged. Pricing tier: Enterprise Compliance standards: This finding category is not mapped to any compliance standard controls. |
Ensure routing tables for VPC peering are "least access"
|
S3 Account Level Public Access Blocks
Category name in the API:
|
Finding description: Amazon S3 Block Public Access provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects do not allow public access. Pricing tier: Enterprise Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks if the required S3 public access block settings are configured from account level
|
S3 Bucket Logging Enabled
Category name in the API:
|
Finding description: AWS S3 Server Access Logging feature records access requests to storage buckets which is useful for security audits. By default, server access logging is not enabled for S3 buckets. Pricing tier: Enterprise Compliance standards:
|
Checks if logging is enabled on all S3 buckets
|
S3 Bucket Policy Set Deny Http Requests
Category name in the API:
|
Finding description: At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS. Pricing tier: Enterprise Compliance standards:
|
Ensure S3 Bucket Policy is set to deny HTTP requests
|
S3 Bucket Replication Enabled
Category name in the API:
|
Finding description: This control checks whether an Amazon S3 bucket has Cross-Region Replication enabled. The control fails if the bucket doesn't have Cross-Region Replication enabled or if Same-Region Replication is also enabled. Replication is the automatic, asynchronous copying of objects across buckets in the same or different AWS Regions. Replication copies newly created objects and object updates from a source bucket to a destination bucket or buckets. AWS best practices recommend replication for source and destination buckets that are owned by the same AWS account. In addition to availability, you should consider other systems hardening settings. Pricing tier: Enterprise Compliance standards:
|
Checks whether S3 buckets have cross-region replication enabled
|
S3 Bucket Server Side Encryption Enabled
Category name in the API:
|
Finding description: This checks that your S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption. Pricing tier: Enterprise Compliance standards:
|
Ensure all S3 buckets employ encryption-at-rest
|
S3 Bucket Versioning Enabled
Category name in the API:
|
Finding description: Amazon S3 is a means of keeping multiple variants of an object in the same bucket and can help you to recover more easily from both unintended user actions and application failures. Pricing tier: Enterprise Compliance standards:
|
Checks that versioning is enabled for all S3 buckets
|
S3 Default Encryption Kms
Category name in the API:
|
Finding description: Checks whether the Amazon S3 buckets are encrypted with AWS Key Management Service (AWS KMS) Pricing tier: Enterprise Compliance standards:
|
Checks that all buckets are encrypted with KMS
|
Sagemaker Notebook Instance Kms Key Configured
Category name in the API:
|
Finding description: Checks if an AWS Key Management Service (AWS KMS) key is configured for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if 'KmsKeyId' is not specified for the SageMaker notebook instance. Pricing tier: Enterprise Compliance standards:
|
Checks that all SageMaker notebook instances are configured to use KMS
|
Sagemaker Notebook No Direct Internet Access
Category name in the API:
|
Finding description: Checks whether direct internet access is disabled for an SageMaker notebook instance. To do this, it checks whether the DirectInternetAccess field is disabled for the notebook instance. If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable—Access the internet through a VPC. To train or host models from a notebook, you need internet access. To enable internet access, make sure that your VPC has a NAT gateway and your security group allows outbound connections. To learn more about how to connect a notebook instance to resources in a VPC, see Connect a notebook instance to resources in a VPC in the Amazon SageMaker Developer Guide. You should also ensure that access to your SageMaker configuration is limited to only authorized users. Restrict users' IAM permissions to modify SageMaker settings and resources. Pricing tier: Enterprise Compliance standards:
|
Checks whether direct internet access is disabled for all Amazon SageMaker notebook instance
|
Secretsmanager Rotation Enabled Check
Category name in the API:
|
Finding description: Checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. The control fails if the secret isn't configured with automatic rotation. If you provide a custom value for the `maximumAllowedRotationFrequency` parameter, the control passes only if the secret is automatically rotated within the specified window of time. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide. Pricing tier: Enterprise Compliance standards:
|
Checks that all AWS Secrets Manager secrets have rotation enabled
|
Sns Encrypted Kms
Category name in the API:
|
Finding description: Checks whether an SNS topic is encrypted at rest using AWS KMS. The controls fails if an SNS topic doesn't use a KMS key for server-side encryption (SSE). Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at-rest for an added layer of security. Pricing tier: Enterprise Compliance standards:
|
Checks that all SNS topics are encrypted with KMS
|
Vpc Default Security Group Closed
Category name in the API:
|
Finding description: This control checks whether the default security group of a VPC allows inbound or outbound traffic. The control fails if the security group allows inbound or outbound traffic. The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. We recommend that you don't use the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances. Pricing tier: Enterprise Compliance standards:
|
Ensure the default security group of every VPC restricts all traffic
|
Vpc Flow Logging Enabled All Vpcs
Category name in the API:
|
Finding description: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs. Pricing tier: Enterprise Compliance standards:
|
Ensure VPC flow logging is enabled in all VPCs
|
Vpc Sg Open Only To Authorized Ports
Category name in the API:
|
Finding description: This control checks whether an Amazon EC2 security group permits unrestricted incoming traffic from unauthorized ports. The control status is determined as follows: If you use the default value for authorizedTcpPorts, the control fails if the security group permits unrestricted incoming traffic from any port other than ports 80 and 443. If you provide custom values for authorizedTcpPorts or authorizedUdpPorts, the control fails if the security group permits unrestricted incoming traffic from any unlisted port. If no parameter is used, the control fails for any security group that has an unrestricted inbound traffic rule. Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principal of least privileged access. Unrestricted access (IP address with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data. Unless a port is specifically allowed, the port should deny unrestricted access. Pricing tier: Enterprise Compliance standards:
|
Checks that any security group with 0.0.0.0/0 of any VPC allows only specific inbound TCP/UDP traffic
|
Both VPC VPN Tunnels Up
Category name in the API:
|
Finding description: A VPN tunnel is an encrypted link where data can pass from the customer network to or from AWS within an AWS Site-to-Site VPN connection. Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability. Ensuring that both VPN tunnels are up for a VPN connection is important for confirming a secure and highly available connection between an AWS VPC and your remote network. This control checks that both VPN tunnels provided by AWS Site-to-Site VPN are in UP status. The control fails if one or both tunnels are in DOWN status. Pricing tier: Enterprise Compliance standards:
|
Checks that both AWS VPN tunnels provided by AWS site-to-site are in UP status
|
Web Security Scanner findings
Web Security Scanner custom and managed scans identify the following finding types. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.
| Category | Finding description | OWASP 2017 Top 10 | OWASP 2021 Top 10 |
|---|---|---|---|
Accessible Git repository
Category name in the API: |
A Git repository is exposed publicly. To resolve this finding, remove
unintentional public access to the GIT repository.
Pricing tier: Standard |
A5 | A01 |
Accessible SVN repository
Category name in the API: |
An SVN repository is exposed publicly. To resolve this finding, remove
public unintentional access to the SVN repository.
Pricing tier: Standard |
A5 | A01 |
Cacheable password input
Category name in the API: |
Passwords entered on the web application can be cached in a regular browser cache instead of
a secure password storage.
Pricing tier: Premium |
A3 | A04 |
Clear text password
Category name in the API: |
Passwords are being transmitted in clear text and can be intercepted. To
resolve this finding, encrypt the password transmitted over the
network.
Pricing tier: Standard |
A3 | A02 |
Insecure allow origin ends with validation
Category name in the API: |
A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header
before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this
finding, validate that the expected root domain is part of the Origin header value before
reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards,
prepend the dot to the root domain—for example, .endsWith(".google.com").
Pricing tier: Premium |
A5 | A01 |
Insecure allow origin starts with validation
Category name in the API: |
A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header
before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this
finding, validate that the expected domain fully matches the Origin header value before
reflecting it in the Access-Control-Allow-Origin response header—for example,
.equals(".google.com").
Pricing tier: Premium |
A5 | A01 |
Invalid content type
Category name in the API: |
A resource was loaded that doesn't match the response's Content-Type HTTP
header. To resolve this finding, set X-Content-Type-Options HTTP header
with the correct value.
Pricing tier: Standard |
A6 | A05 |
Invalid header
Category name in the API: |
A security header has a syntax error and is ignored by browsers. To resolve
this finding, set HTTP security headers correctly.
Pricing tier: Standard |
A6 | A05 |
Mismatching security header values
Category name in the API: |
A security header has duplicated, mismatching values, which result in
undefined behavior. To resolve this finding, set HTTP security headers
correctly.
Pricing tier: Standard |
A6 | A05 |
Misspelled security header name
Category name in the API: |
A security header is misspelled and is ignored. To resolve this finding,
set HTTP security headers correctly.
Pricing tier: Standard |
A6 | A05 |
Mixed content
Category name in the API: |
Resources are being served over HTTP on an HTTPS page. To resolve this
finding, make sure that all resources are served over HTTPS.
Pricing tier: Standard |
A6 | A05 |
Outdated library
Category name in the API: |
A library was detected that has known vulnerabilities. To resolve this
finding, upgrade libraries to a newer version.
Pricing tier: Standard |
A9 | A06 |
Server side request forgery
Category name in the API: |
A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an
allowlist to limit the domains and IP addresses that the web application can make requests to.
Pricing tier: Standard |
Not applicable | A10 |
Session ID leak
Category name in the API: |
When making a cross-domain request, the web application includes the user's session identifier
in its Referer request header. This vulnerability gives the receiving domain access
to the session identifier, which can be used to impersonate or uniquely identify the user.
Pricing tier: Premium |
A2 | A07 |
SQL injection
Category name in the API: |
A potential SQL injection vulnerability was detected. To resolve this finding, use
parameterized queries to prevent user inputs from influencing the structure of the SQL query.
Pricing tier: Premium |
A1 | A03 |
Struts insecure deserialization
Category name in the API: |
The use of a vulnerable version of Apache
Struts was detected. To resolve this finding, upgrade Apache Struts to the latest version.
Pricing tier: Premium |
A8 | A08 |
XSS
Category name in the API: |
A field in this web application is vulnerable to a cross-site scripting
(XSS) attack. To resolve this finding, validate and escape untrusted
user-supplied data.
Pricing tier: Standard |
A7 | A03 |
XSS angular callback
Category name in the API: |
A user-provided string isn't escaped and AngularJS can interpolate it. To
resolve this finding, validate and escape untrusted user-supplied data
handled by Angular framework.
Pricing tier: Standard |
A7 | A03 |
XSS error
Category name in the API: |
A field in this web application is vulnerable to a cross-site scripting
attack. To resolve this finding, validate and escape untrusted
user-supplied data.
Pricing tier: Standard |
A7 | A03 |
XXE reflected file leakage
Category name in the API: |
An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to
leak a file on the host. To resolve this finding, configure your XML parsers to disallow
external entities.
Pricing tier: Premium |
A4 | A05 |
Prototype pollution
Category name in the API: |
The application is vulnerable to prototype pollution. This vulnerability arises when properties
of the Object.prototype object can be assigned attacker-controllable values. Values planted on these prototypes
are universally assumed to translate into cross-site scripting, or similar client-side vulnerabilities, as well as logic bugs.
Pricing tier: Standard |
A1 | A03 |
Rapid Vulnerability Detection findings and remediations
Rapid Vulnerability Detection detects weak credentials, incomplete software installations, and other critical vulnerabilities that have a high likelihood of being exploited. The service automatically discovers network endpoints, protocols, open ports, network services, and installed software packages.
Rapid Vulnerability Detection findings are early warnings of vulnerabilities that we recommend you fix immediately.
For information about how to view the findings, see Reviewing findings in Security Command Center.
Rapid Vulnerability Detection scans identify the following finding types.
| Finding type | Finding description | OWASP top 10 codes |
|---|---|---|
| Weak credential findings | ||
WEAK_CREDENTIALS
|
This detector checks for weak credentials using ncrack brute force
methods. Supported services: SSH, RDP, FTP, WordPress, TELNET, POP3, IMAP, VCS, SMB, SMB2, VNC, SIP, REDIS, PSQL, MYSQL, MSSQL, MQTT, MONGODB, WINRM, DICOM Remediation: Enforce a strong password policy. Create unique credentials for your services and avoid using dictionary words in passwords. |
2021 A07 2017 A2 |
| Exposed interface findings | ||
ELASTICSEARCH_API_EXPOSED
|
The
Elasticsearch API lets callers perform arbitrary queries, write and
execute scripts, and add additional documents to the service.
Remediation: Remove direct access to the Elasticsearch API by routing requests through an application, or limit access to authenticated users only. For more information, see Security settings in Elasticsearch. |
2021 A01, A05 2017 A5, A6 |
EXPOSED_GRAFANA_ENDPOINT
|
In Grafana 8.0.0 to 8.3.0, users can access without authentication an endpoint that has a directory traversal vulnerability that allows any user to read any file on the server without authentication. For more information, see CVE-2021-43798. Remediation: Patch Grafana or upgrade Grafana to a later version. For more information, see Grafana path traversal. |
2021 A06, A07 2017 A2, A9 |
EXPOSED_METABASE
|
Versions x.40.0 to x.40.4 of Metabase, an open source data analytics platform, contain a vulnerability in the custom GeoJSON map support and potential local file inclusion, including environment variables. URLs were not validated prior to being loaded. For more information, see CVE-2021-41277. Remediation: Upgrade to maintenance releases 0.40.5 or later or 1.40.5 or later. For more information, see GeoJSON URL validation can expose server files and environment variables to unauthorized users. |
2021 A06 2017 A3, A9 |
EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT
|
This detector checks whether sensitive Actuator endpoints of
Spring Boot applications are exposed. Some of the default endpoints,
like /heapdump, might expose sensitive information. Other
endpoints, like /env, might lead to remote code execution.
Currently, only /heapdump is checked.
Remediation: Disable access to sensitive Actuator endpoints. For more information, see Securing HTTP Endpoints. |
2021 A01, A05 2017 A5, A6 |
HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API
|
This detector checks whether the
Hadoop Yarn ResourceManager API, which controls the computation and
storage resources of a Hadoop cluster, is exposed and allows
unauthenticated code execution.
Remediation: Use access control lists with the API. |
2021 A01, A05 2017 A5, A6 |
JAVA_JMX_RMI_EXPOSED
|
The
Java Management Extension (JMX) allows remote monitoring and
diagnostics for Java applications. Running JMX with unprotected Remote
Method Invocation endpoint allows any remote users to create a
javax.management.loading.MLet MBean and use it to create new MBeans from
arbitrary URLs.
Remediation: To properly configure remote monitoring, see Monitoring and Management Using JMX Technology. |
2021 A01, A05 2017 A5, A6 |
JUPYTER_NOTEBOOK_EXPOSED_UI
|
This detector checks whether an unauthenticated
Jupyter Notebook is
exposed. Jupyter allows remote code execution by design on the host machine.
An unauthenticated Jupyter Notebook puts the hosting VM at risk of remote
code execution.
Remediation: Add token authentication to your Jupyter Notebook server, or use more recent versions of Jupyter Notebook that use token authentication by default. |
2021 A01, A05 2017 A5, A6 |
KUBERNETES_API_EXPOSED
|
The
Kubernetes API is exposed, and can be accessed by unauthenticated
callers. This allows arbitrary code execution on the Kubernetes cluster.
Remediation: Require authentication for all API requests. For more information, see the Kubernetes API Authenticating guide. |
2021 A01, A05 2017 A5, A6 |
UNFINISHED_WORDPRESS_INSTALLATION
|
This detector checks whether a WordPress installation is unfinished. An
unfinished WordPress installation exposes the
/wp-admin/install.php page, which allows attacker to set the
admin password and, possibly, compromise the system.
Remediation: Complete the WordPress installation. |
2021 A05 2017 A6 |
UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE
|
This detector checks for an unauthenticated
Jenkins instance by
sending a probe ping to the /view/all/newJob endpoint as an
anonymous visitor. An authenticated Jenkins instance shows the
createItem form, which allows the creation of
arbitrary jobs that could lead to remote code execution.
Remediation: Follow Jenkins' guide on managing security to block unauthenticated access. |
2021 A01, A05 2017 A5, A6 |
| Vulnerable software findings | ||
APACHE_HTTPD_RCE
|
A flaw was found in Apache HTTP Server 2.4.49 that allows an attacker to use a path traversal attack to map URLs to files outside the expected document root and see the source of interpreted files, like CGI scripts. This issue is known to be exploited in the wild. This issue affects Apache 2.4.49 and 2.4.50 but not earlier versions. For more information about this vulnerability, see: Remediation: Protect files outside of the document root by configuring the "require all denied" directive in the Apache HTTP Server. |
2021 A01, A06 2017 A5, A9 |
APACHE_HTTPD_SSRF
|
Attackers can craft a URI to the Apache web server that causes
Remediation: Upgrade the Apache HTTP server to a later version. |
2021 A06, A10 2017 A9 |
CONSUL_RCE
|
Attackers can execute arbitrary code on a Consul server because the Consul instance is
configured with
After the check, Rapid Vulnerability Detection cleans up and deregisters the service by using
the Remediation: Set enable-script-checks to |
2021 A05, A06 2017 A6, A9 |
DRUID_RCE
|
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. For more information, see CVE-2021-25646 Detail. Remediation: Upgrade Apache Druid to later version. |
2021 A05, A06 2017 A6, A9 |
DRUPAL_RCE
This category includes two vulnerabilities in Drupal. Multiple findings of this type can indicate more than one vulnerability. |
Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6,
and 8.5.x before 8.5.1 are vulnerable to remote code execution on Form API
AJAX requests.
Remediation: Upgrade to alternate Drupal versions. |
2021 A06 2017 A9 |
|
Drupal versions 8.5.x before 8.5.11 and 8.6.x before 8.6.10 are
vulnerable to remote code execution when either the RESTful Web Service
module or the JSON:API is enabled. This vulnerability can be exploited
by an unauthenticated attacker using a custom POST request.
Remediation: Upgrade to alternate Drupal versions. |
2021 A06 2017 A9 |
|
FLINK_FILE_DISCLOSURE
|
A vulnerability in
Apache Flink versions 1.11.0, 1.11.1, and 1.11.2 lets attackers read
any file on the local filesystem of the JobManager through the REST
interface of the JobManager process. Access is restricted to files
accessible by the JobManager process.
Remediation: If your Flink instances are exposed, upgrade to Flink 1.11.3 or 1.12.0. |
2021 A01, A05, A06 2017 A5, A6, A9 |
GITLAB_RCE
|
In GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 and later, GitLab does not properly validate image files that are passed to a file parser. An attacker can exploit this vulnerability for remote command execution. Remediation: Upgrade to GitLab CE or EE release 13.10.3, 13.9.6, and 13.8.8 or later. For more information, see Action needed by self-managed customers in response to CVE-2021-22205. |
2021 A06 2017 A9 |
GoCD_RCE
|
In GoCD 21.2.0 and earlier, there is an endpoint that can be accessed without authentication. This endpoint has a directory traversal vulnerability that allows a user to read any file on the server without authentication. Remediation: Upgrade to version 21.3.0 or later. For more information, see Release notes of GoCD 21.3.0. |
2021 A06, A07 2017 A2, A9 |
JENKINS_RCE
|
Jenkins versions 2.56 and earlier, and 2.46.1 LTS and earlier are
vulnerable to remote code execution. This vulnerability can be triggered
by an unauthenticated attacker using a malicious serialized Java
object.
Remediation: Install an alternate Jenkins version. |
2021 A06, A08 2017 A8, A9 |
JOOMLA_RCE
This category includes two vulnerabilities in Joomla. Multiple findings of this type can indicate more than one vulnerability. |
Joomla versions 1.5.x, 2.x, and 3.x before 3.4.6 are vulnerable to
remote code execution. This vulnerability can be triggered with a crafted
header containing serialized PHP objects.
Remediation: Install an alternate Joomla version. |
2021 A06, A08 2017 A8, A9 |
|
Joomla versions 3.0.0 through 3.4.6 are vulnerable to remote code
execution. This vulnerability can be triggered by sending a POST request that contains
a crafted serialized PHP object.
Remediation: Install an alternate Joomla version. |
2021 A06 2017 A9 |
|
LOG4J_RCE
|
In Apache Log4j2 2.14.1 and earlier, JNDI features that are used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. For more information, see CVE-2021-44228. Remediation: For remediation information, see Apache Log4j Security Vulnerabilities. |
2021 A06 2017 A9 |
MANTISBT_PRIVILEGE_ESCALATION
|
MantisBT through
version 2.3.0 allows arbitrary password reset and unauthenticated admin
access by supplying an empty confirm_hash value to
verify.php.
Remediation: Update MantisBT to a newer version or follow the Mantis instructions to apply a critical security fix. |
2021 A06 2017 A9 |
OGNL_RCE
|
Confluence Server and Data Center instances contain an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code. For more information, see CVE-2021-26084. Remediation: For remediation information, see Confluence Server Webwork OGNL injection - CVE-2021-26084. |
2021 A03 2017 A1 |
OPENAM_RCE
|
OpenAM server 14.6.2 and earlier and ForgeRock AM server 6.5.3 and earlier have
a Java deserialization vulnerability in the Remediation: Upgrade to a more recent version. For information about the ForgeRock remediation, see AM Security Advisory #202104. |
2021 A06 2017 A9 |
ORACLE_WEBLOGIC_RCE
|
Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise an Oracle WebLogic Server. Successful attacks of this vulnerability can result in a takeover of Oracle WebLogic Server. For more information, see CVE-2020-14882. Remediation: For patch information, see Oracle Critical Patch Update Advisory - October 2020. |
2021 A06, A07 2017 A2, A9 |
PHPUNIT_RCE
|
PHPUnit versions prior to 5.6.3 allow remote code execution with a
single unauthenticated POST request.
Remediation: Upgrade to newer PHPUnit versions. |
2021: A05 2017: A6 |
PHP_CGI_RCE
|
PHP versions before 5.3.12, and versions 5.4.x before 5.4.2, when
configured as a CGI script, allow remote code execution. The vulnerable
code does not properly handle query strings that lack an =
(equals sign) character. This lets attackers add command line options
that are executed on the server.
Remediation: Install an alternate PHP version. |
2021 A05, A06 2017 A6, A9 |
PORTAL_RCE
|
Deserialization of untrusted data in
Liferay Portal versions prior to 7.2.1 CE GA2 allows remote attackers
to execute arbitrary code through JSON web services.
Remediation: Upgrade to newer Liferay Portal versions. |
2021 A06, A08 2017 A8, A9 |
REDIS_RCE
|
If a Redis instance does not require authentication to execute admin commands, attackers might be able to execute arbitrary code. Remediation: Configure Redis to require authentication. |
2021 A01, A05 2017 A5, A6 |
SOLR_FILE_EXPOSED
|
Authentication is not enabled in Apache Solr, an open source search server. When Apache Solr does not require authentication, an attacker can directly craft a request to enable a specific configuration, and eventually implement a server-side request forgery (SSRF) or read arbitrary files. Remediation: Upgrade to alternate Apache Solr versions. |
2021 A07, A10 2017 A2 |
SOLR_RCE
|
Apache Solr versions 5.0.0 through Apache Solr 8.3.1 are vulnerable to
remote code execution through the VelocityResponseWriter if
params.resource.loader.enabled is set to
true. This allows attackers to create a parameter
that contains a malicious Velocity template.
Remediation: Upgrade to alternate Apache Solr versions. |
2021 A06 2017 A9 |
STRUTS_RCE
This category includes three vulnerabilities in Apache Struts. Multiple findings of this type can indicate more than one vulnerability. |
Apache Struts versions before 2.3.32 and 2.5.x before 2.5.10.1 are
vulnerable to remote code execution. The vulnerability can be triggered
by an unauthenticated attacker providing a crafted Content-Type
header.
Remediation: Install an alternate Apache Struts version. |
2021 A06 2017 A9 |
| The
REST plugin in Apache Struts versions 2.1.1 through 2.3.x before
2.3.34 and 2.5.x before 2.5.13 are vulnerable to remote code execution
when deserializing crafted XML payloads.
Remediation: Install an alternate Apache Struts version. |
2021 A06, A08 2017 A8, A9 |
|
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are vulnerable
to remote code execution when alwaysSelectFullNamespace is
set to true and certain other action configurations exist.
Remediation: Install version 2.3.35 or 2.5.17. |
2021 A06 2017 A9 |
|
TOMCAT_FILE_DISCLOSURE
|
Apache Tomcat versions 9.x before 9.0.31, 8.x before 8.5.51, 7.x before
7.0.100, and all 6.x are vulnerable to source code and configuration
disclosure through an exposed Apache JServ Protocol connector. In some
cases, this is leveraged to perform remote code execution if file uploading
is allowed.
Remediation: Upgrade to alternate Apache Tomcat versions. |
2021 A06 2017 A3, A9 |
VBULLETIN_RCE
|
vBulletin servers running versions 5.0.0 up to 5.5.4 are vulnerable
to remote code execution. This vulnerability can be exploited by an
unauthenticated attacker using a query parameter in a routestring
request.
Remediation: Upgrade to alternate VMware vCenter Server versions. |
2021 A03, A06 2017 A1, A9 |
VCENTER_RCE
|
VMware vCenter Server versions 7.x before 7.0 U1c, 6.7 before 6.7 U3l
and 6.5 before 6.5 U3n are vulnerable to remote code execution. This
vulnerability can be triggered by an attacker uploading a crafted Java
Server Pages file to a web-accessible directory, then triggering execution
of that file.
Remediation: Upgrade to alternate VMware vCenter Server versions. |
2021 A06 2017 A9 |
WEBLOGIC_RCE
|
Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a remote code execution vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. This vulnerability is related to CVE-2020-14750, CVE-2020-14882, CVE-2020-14883. For more information, see CVE-2020-14883. Remediation: For patch information, see Oracle Critical Patch Update Advisory - October 2020. |
2021 A06, A07 2017 A2, A9 |
IAM recommender findings
The following table lists the Security Command Center findings that are generated by IAM recommender.
Each IAM recommender finding contains specific recommendations to remove or replace a role that includes excessive permissions from a principal in your Google Cloud environment.
The findings that are generated by IAM recommender correspond recommendations that appear in the Google Cloud console on the IAM page of the affected project, folder, or organization.
For more information about the integration of IAM recommender with Security Command Center, see Security sources.
| Detector | Summary |
|---|---|
IAM role has excessive permissions
Category name in the API: |
Finding description: IAM recommender detected a service account that has one or more IAM roles that give excessive permissions to the user account. Pricing tier: Premium Supported assets:
Fix this finding : Use IAM recommender to apply the recommended fix for this finding by following these steps:
After the issue is fixed, IAM recommender updates the status of the finding
to |
Service agent role replaced with basic role
Category name in the API: |
Finding description: IAM recommender detected that the original default IAM role granted to a service agent was replaced with one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and should not be granted to service agents. Pricing tier: Premium Supported assets:
Fix this finding : Use IAM recommender to apply the recommended fix for this finding by following these steps:
After the issue is fixed, IAM recommender updates the status of the finding
to |
Service agent granted basic role
Category name in the API: |
Finding description: IAM recommender detected IAM that a service agent was granted one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and should not be granted to service agents. Pricing tier: Premium Supported assets:
Fix this finding : Use IAM recommender to apply the recommended fix for this finding by following these steps:
After the issue is fixed, IAM recommender updates the status of the finding
to |
Unused IAM role
Category name in the API: |
Finding description: IAM recommender detected a user account that has an IAM role that has not been used in the last 90 days. Pricing tier: Premium Supported assets:
Fix this finding : Use IAM recommender to apply the recommended fix for this finding by following these steps:
After the issue is fixed, IAM recommender updates the status of the finding
to |
Security posture service findings
The following table lists the Security Command Center findings that are generated by the security posture service.
Each security posture service finding identifies an instance of drift from your defined security posture.
| Finding | Summary |
|---|---|
SHA Canned Module Drifted
Category name in the API: |
Finding description: The security posture service detected a change to a Security Health Analytics detector that occurred outside of a posture update. Pricing tier: Premium
Fix this finding : This finding requires that you accept the change or revert the change so that the detector settings in your posture and your environment match. You have two options to resolve this finding: you can update the Security Health Analytics detector or you can update the posture and posture deployment. To revert the change, update the Security Health Analytics detector in the Google Cloud console. For instructions, see Enable and disable detectors. To accept the change, complete the following:
|
SHA Custom Module Drifted
Category name in the API: |
Finding description: The security posture service detected a change to a Security Health Analytics custom module that occurred outside of a posture update. Pricing tier: Premium Fix this finding : This finding requires that you accept the change or revert the change so that the custom module settings in your posture and your environment match. You have two options to resolve this finding: you can update the Security Health Analytics custom module or you can update the posture and posture deployment. To revert the change, update the Security Health Analytics custom module in the Google Cloud console. For instructions, see Update a custom module. To accept the change, complete the following:
|
SHA Custom Module Deleted
Category name in the API: |
Finding description: The security posture service detected that a Security Health Analytics custom module was deleted. This deletion occurred outside of a posture update. Pricing tier: Premium Fix this finding : This finding requires that you accept the change or revert the change so that the custom module settings in your posture and your environment match. You have two options to resolve this finding: you can update the Security Health Analytics custom module or you can update the posture and posture deployment. To revert the change, update the Security Health Analytics custom module in the Google Cloud console. For instructions, see Update a custom module. To accept the change, complete the following:
|
Org Policy Canned Constraint Drifted
Category name in the API: |
Finding description: The security posture service detected a change to an organization policy that occurred outside of a posture update. Pricing tier: Premium Fix this finding : This finding requires that you accept the change or revert the change so that the organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the organization policy or you can update the posture and posture deployment. To revert the change, update the organization policy in the Google Cloud console. For instructions, see Creating and editing policies. To accept the change, complete the following:
|
Org Policy Canned Constraint Deleted
Category name in the API: |
Finding description: The security posture service detected that an organization policy was deleted. This deletion occurred outside of a posture update. Pricing tier: Premium Fix this finding : This finding requires that you accept the change or revert the change so that the organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the organization policy or you can update the posture and posture deployment. To revert the change, update the organization policy in the Google Cloud console. For instructions, see Creating and editing policies. To accept the change, complete the following:
|
Org Policy Custom Constraint Drifted
Category name in the API: |
Finding description: The security posture service detected a change to a custom organization policy that occurred outside of a posture update. Pricing tier: Premium Fix this finding : This finding requires that you accept the change or revert the change so that the custom organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the custom organization policy or you can update the posture and posture deployment. To revert the change, update the custom organization policy in the Google Cloud console. For instructions, see Update a custom constraint. To accept the change, complete the following:
|
Org Policy Custom Constraint Deleted
Category name in the API: |
Finding description: The security posture service detected that a custom organization policy was deleted. This deletion occurred outside of a posture update. Pricing tier: Premium Fix this finding : This finding requires that you accept the change or revert the change so that the custom organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the custom organization policy or you can update the posture and posture deployment. To revert the change, update the custom organization policy in the Google Cloud console. For instructions, see Update a custom constraint. To accept the change, complete the following:
|
VM Manager
VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine.
If you enable VM Manager with the Security Command Center Premium at the organization level, VM Manager writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in operating systems installed on VMs, including Common Vulnerabilities and Exposures (CVEs).
To use VM Manager with project-level activations of Security Command Center Premium, activate Security Command Center Standard in the parent organization.
Vulnerability reports are not available for Security Command Center Standard.
Findings simplify the process of using VM Manager's Patch Compliance feature, which is in preview. The feature lets you conduct patch management at the organization level across all of your projects.
The severity of the vulnerability findings that are received from
VM Manager is always either CRITICAL or
HIGH.
VM Manager findings
Vulnerabilities of this type all relate to installed operating system packages in supported Compute Engine VMs.
| Detector | Summary | Asset scan settings | Compliance standards |
|---|---|---|---|
OS vulnerability
Category name in the API: |
Finding description: VM Manager detected a vulnerability in the installed operating system (OS) package for a Compute Engine VM. Pricing tier: Premium
Supported assets |
VM Manager's vulnerability reports detail vulnerabilities in installed operating system packages for Compute Engine VMs, including Common Vulnerabilities and Exposures (CVEs). For a complete list of supported operating systems, see Operating system details.Findings appear in Security Command Center shortly after vulnerabilities are detected. Vulnerability reports in VM Manager are generated as follows:
|
Remediating VM Manager findings
An OS_VULNERABILITY finding indicates that VM Manager found a
vulnerability in the installed operating system packages in a Compute Engine
VM.
To remediate this finding, do the following:
Go to the Findings page in Security Command Center.
If necessary, select your Google Cloud project or organization.
In the Category subsection of Quick filters, select OS vulnerability. The Findings query results are filtered to show only OS vulnerability findings.
In the Category column of the Findings query results list, click the category name of the finding that you are fixing. The details page for the OS vulnerability opens.
Click the JSON tab. The JSON for this finding is displayed.
Copy the value of the
externalUrifield. This value is the URI for the OS info page of the Compute Engine VM instance in which the vulnerable operating system is installed.Apply all appropriate patches for the OS that is shown in the Basic info section. For instructions on deploying patches, see Create patch jobs.
Learn about this finding type's supported assets and scan settings.
Review findings in the Google Cloud console
Use the following procedure to review findings in the Google Cloud console:
Go to the Security Command Center Findings page in the Google Cloud console.
If necessary, select your Google Cloud project or organization.
In the Quick filters section, in the Source display name subsection, select VM Manager.
The table is populated with VM Manager findings.
To view details of a specific finding, click the finding name under
Category. The details panel for the finding opens and displays the Summary tab.On the Summary tab, review the information about the finding, including information about what was detected, the resource that was affected, and more.
For information about remediating VM Manager findings, see Remediating VM Manager findings.
Mute VM Manager findings
You might want to hide some or all VM Manager findings in Security Command Center if they're not relevant to your security requirements.
You can hide VM Manager findings by creating a mute rule and adding query attributes specific to the VM Manager findings that you want to hide.
To create a mute rule for VM Manager by using the Google Cloud console, do the following:
In the Google Cloud console, go to the Security Command Center Findings page.
If necessary, select your Google Cloud project or organization.
Click Mute options, and then select Create mute rule.
Enter a Mute rule ID. This value is required.
Enter a Mute rule description that provides context for why findings are muted. This value is optional but recommended.
Confirm the scope of the mute rule by checking the Parent resource value.
In the Findings query field, build your query statements by clicking Add filter. Alternatively, you can type in the query statements manually.
- In the Select filter dialog, select Finding > Source display name > VM Manager.
- Click Apply.
Repeat until the mute query contains all attributes that you want to hide.
For example, if you want to hide specific CVE IDs in the VM Manager vulnerability findings, select Vulnerability > CVE ID, and then select the CVE IDs that you want to hide.
The finding query looks similar to the following:
Click Preview matching findings.
A table displays findings that match your query.
Click Save.
Sensitive Data Protection
This section describes the vulnerability findings that Sensitive Data Protection generates, what compliance standards they support, and how to remediate the findings.
Sensitive Data Protection also sends observational findings to Security Command Center. For more information about the observation findings and Sensitive Data Protection, see Sensitive Data Protection.
For information about how to view the findings, see Review Sensitive Data Protection findings in the Google Cloud console.
The Sensitive Data Protection discovery service helps you determine whether your Cloud Functions environment variables contain secrets, such as passwords, authentication tokens, and Google Cloud credentials. For a full list of secret types that Sensitive Data Protection detects in this feature, see Credentials and secrets.
| Finding type | Finding description | Compliance standards |
|---|---|---|
Secrets in environment variablesCategory name in the API: SECRETS_IN_ENVIRONMENT_VARIABLES
|
This detector checks for secrets in Cloud Functions environment variables.
Remediation: Remove the secret from the environment variable and store it in Secret Manager instead. |
CIS GCP Foundation 1.3: 1.18 CIS GCP Foundation 2.0: 1.18 |
To enable this detector, see Report secrets in environment variables to Security Command Center in the Sensitive Data Protection documentation.
Policy Controller
Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters registered as fleet memberships. These policies act as guardrails and can help with best practices, security, and compliance management of your clusters and fleet.
This page doesn't list all individual Policy Controller findings, but
information about the Misconfiguration class findings that Policy Controller
writes to Security Command Center are the same as the cluster violations documented
for each Policy Controller bundle. Documentation for the individual Policy Controller
finding types is in the following Policy Controller bundles:
- CIS Kubernetes Benchmark v1.5.1,
a set of recommendations for configuring Kubernetes to support a strong security
posture. You can also view information about this bundle in the
GitHub repository for
cis-k8s-v1.5.1. - PCI-DSS v3.2.1,
a bundle which evaluates the compliance of your cluster resources against
some aspects of the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1.
You can also view information about this bundle in the
GitHub repository for
pci-dss-v3.
This capability is not compatible with VPC Service Controls service perimeters around the Stackdriver API.
Finding and remediating Policy Controller findings
The Policy Controller categories correspond to the constraint names listed in the
Policy Controller bundles documentation. For example, a
require-namespace-network-policies
finding indicates that a namespace violates the policy that every namespace in a cluster
has a NetworkPolicy.
To remediate a finding, do the following:
Go to the Findings page in Security Command Center.
If necessary, select your Google Cloud project or organization.
In the Category subsection of Quick filters, select the name of the Policy Controller finding you want to fix. The Findings query results are filtered to show only findings for that category.
In the Category column of the Findings query results list, click the category name of the finding that you are fixing. The details page for the finding opens.
On the Summary tab, review the information about the finding, including information about what was detected, the resource that was affected, and more.
In the Next steps heading, review information about how to remediate the finding, including links to Kubernetes documentation about the issue.
What's next
- Learn how to use Security Health Analytics.
- Learn how to use Web Security Scanner.
- Learn how to use Rapid Vulnerability Detection.
- Read suggestions for remediating Security Health Analytics findings and
remediating Web Security Scanner findings.