Vulnerabilities findings

Security Health Analytics and Web Security Scanner detectors generate vulnerabilities findings that are available in Security Command Center. Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.

Detectors and compliance

This section describes the mapping between supported detectors and the best effort mapping to relevant compliance standards.

CIS Benchmarks

Security Command Center supports two versions of the CIS Benchmarks for Google Cloud Platform Foundation:

  • CIS Google Cloud Computing Foundations Benchmark v1.1.0 (CIS Google Cloud Foundation 1.1)
  • CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0)

The CIS Google Cloud Foundation 1.1 and 1.0 mappings have been reviewed and certified by the Center for Internet Security for alignment with CIS Google Cloud Computing Foundations Benchmark v1.1.0 and v1.0.0, respectively.

While both CIS 1.1 and CIS 1.0 are supported, we recommend that you use or transition to CIS 1.1, if possible. CIS 1.1 expands coverage to additional Google Cloud services and refines instructions and guidance for complex benchmarks.

Some detectors are mapped to the CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0 (CIS GKE 1.0). Support for this benchmark is limited and it should not be used as the basis for audits or reporting compliance.

Additional standards

Additional compliance mappings are included for reference and are not provided or reviewed by the Payment Card Industry Data Security Standard or the OWASP Foundation. You should refer to Payment Card Industry Data Security Standard 3.2.1 (PCI-DSS v3.2.1), OWASP Top Ten, National Institute of Standards and Technology 800-53 (NIST 800-53), and International Organization for Standardization 27001 (ISO 27001) for how to check for these violations manually.

This functionality is only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification, or report of compliance of your products or services with any regulatory or industry benchmarks or standards.

For instructions on viewing and exporting compliance reports, see the Compliance section in Using the Security Command Center dashboard.

Security Health Analytics

Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.

Security Health Analytics scans run in three modes:

  • Batch scan: All detectors are scheduled to run for all enrolled organizations two or more times a day. Detectors run on different schedules to meet specific service level objectives (SLO). To meet 12- and 24-hour SLOs, detectors run batch scans every six hours or 12 hours, respectively. Resource and policy changes that occur in between batch scans are not immediately captured and are applied in the next batch scan. Note: Batch scan schedules are performance objectives, not service guarantees.

  • Real-time scan: Supported detectors start scans whenever CAI reports a change in an asset's configuration. Findings are immediately written to Security Command Center.

  • Mixed-mode: Some detectors that support real-time scans might not detect changes in real time in all supported assets. In those cases, configuration changes for some assets are captured immediately and others are captured in batch scans. Exceptions are noted in the tables on this page.

The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by detector name and finding type using the Security Command Center Vulnerabilities tab in the Google Cloud Console.

For instructions on fixing issues and protecting your resources, see Remediating Security Health Analytics findings.

API key vulnerability findings

The API_KEY_SCANNER detector identifies vulnerabilities related to API keys used in your cloud deployment.

Table 1. API key scanner
Detector Summary Asset scan settings Compliance standards
API_KEY_APIS_UNRESTRICTED

Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Retrieves the restrictions property of all API keys in a project, checking if any is set to cloudapis.googleapis.com.

  • Batch scans: Every 6 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 1.12

CIS GCP Foundation 1.1: 1.14

API_KEY_APPS_UNRESTRICTED

Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Retrieves the restrictions property of all API keys in a project, checking whether browserKeyRestrictions, serverKeyRestrictions, androidKeyRestrictions, or iosKeyRestrictions is set.

  • Batch scans: Every 6 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 1.11

CIS GCP Foundation 1.1: 1.13

API_KEY_EXISTS

Finding description: A project is using API keys instead of standard authentication.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Retrieves all API keys owned by a project.

  • Batch scans: Every 6 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 1.10

CIS GCP Foundation 1.1: 1.12

API_KEY_NOT_ROTATED

Finding description: The API key hasn't been rotated for more than 90 days.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Retrieves the timestamp contained in the createTime property of all API keys, checking whether 90 days have passed.

  • Batch scans: Every 6 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 1.13

CIS GCP Foundation 1.1: 1.15

Compute image vulnerability findings

The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to Google Cloud image configurations.

Table 2. Compute image scanner
Detector Summary Asset scan settings Compliance standards
PUBLIC_COMPUTE_IMAGE

Finding description: A Compute Engine image is publicly accessible.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Image

Fix this finding

Checks the IAM policy in resource metadata for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

Compute instance vulnerability findings

The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to Compute Engine instance configurations.

COMPUTE_INSTANCE_SCANNER detectors don't report findings on Compute Engine instances created by GKE. Such instances have names that start with "gke-", which users cannot edit. To secure these instances, refer to the Container vulnerability findings section.

Table 3. Compute instance scanner
Detector Summary Asset scan settings Compliance standards
COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED

Finding description: Project-wide SSH keys are used, allowing login to all instances in the project.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Checks the metadata.items[] object in instance metadata for the key-value pair "key": "block-project-ssh-keys", "value": TRUE.

  • Assets excluded from scans: GKE instances, Dataflow job, Windows instance
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Batch scans: Every 12 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 4.2

CIS GCP Foundation 1.1: 4.3

COMPUTE_SECURE_BOOT_DISABLED

Finding description: This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Checks the shieldedInstanceConfig property on Compute Engine instances to determine if enableIntegrityMonitoring, enableSecureBoot, enableVtpm are all set to true. The fields indicate whether attached disks are compatible with Secure Boot and if Shielded VM is turned on.

  • Assets excluded from scans: GKE instances, Compute Engine disks that have GPU accelerators and don't use Container-Optimized OS), Serverless VPC Access
  • Batch scans: Every 6 hours
  • Real-time scans: No
COMPUTE_SERIAL_PORTS_ENABLED

Finding description: Serial ports are enabled for an instance, allowing connections to the instance's serial console.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Checks the metadata.items[] object in instance metadata for the key-value pair "key": "serial-port-enable", "value": TRUE.

  • Assets excluded from scans: GKE instances
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Batch scans: Every 12 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 4.4

CIS GCP Foundation 1.1: 4.5

DEFAULT_SERVICE_ACCOUNT_USED

Finding description: An instance is configured to use the default service account.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Checks the serviceAccounts property in instance metadata for any service account email addresses with the prefix PROJECT_NUMBER-compute@developer.gserviceaccount.com, indicating the Google-created default service account.

  • Assets excluded from scans: GKE instances, Dataflow jobs
  • Batch scans: Every 6 hours
  • Real-time scans: No

CIS GCP Foundation 1.1: 4.1

DISK_CMEK_DISABLED

Finding description: Disks on this VM are not encrypted with customer- managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Disk

Fix this finding

Checks the kmsKeyName field in the diskEncryptionKey object, in disk metadata, for the resource name of your CMEK.

  • Batch scans: Every 6 hours
  • Real-time scans: No
DISK_CSEK_DISABLED

Finding description: Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Disk

Fix this finding

Checks the kmsKeyName field in the diskEncryptionKey object for the resource name of your CSEK.

  • Assets excluded from scans:
    Compute Engine disks without the enforce_customer_supplied_disk_encryption_keys security mark set to true
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Batch scans: Every 6 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 4.6

CIS GCP Foundation 1.1: 4.7

FULL_API_ACCESS

Finding description: An instance is configured to use the default service account with full access to all Google Cloud APIs.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Retrieves the scopes field in the serviceAccounts property to check whether a default service account is used and if it is assigned the cloud-platform scope.

  • Assets excluded from scans: GKE instances, Dataflow jobs
  • Batch scans: Every 6 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 4.1

CIS GCP Foundation 1.1: 4.2

PCI-DSS v3.2.1: 7.1.2

NIST 800-53: AC-6

ISO-27001: A.9.2.3

HTTP_LOAD_BALANCER

Finding description: An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.

Pricing tier: Premium

Supported assets
compute.googleapis.com/TargetHttpProxy

Fix this finding

Determines if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.

  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads forwarding rules for a target HTTP proxy from Compute Engine, checking for external rules
  • Batch scans: Every 6 hours
  • Real-time scans: Yes
PCI-DSS v3.2.1: 2.3
IP_FORWARDING_ENABLED

Finding description: IP forwarding is enabled on instances.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Checks whether the canIpForward property of the instance is set to true.

  • Assets excluded from scans: GKE instances, Serverless VPC Access
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 4.5

CIS GCP Foundation 1.1: 4.6

OS_LOGIN_DISABLED

Finding description: OS Login is disabled on this instance.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Project

Fix this finding

Checks the commonInstanceMetadata.items[] object in project metadata for the key-value pair, "key": "enable-oslogin", "value": TRUE. The detector also checks all instances in a Compute Engine project to determine whether OS Login is disabled for individual instances.

  • Assets excluded from scans: GKE instances
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine. The detector also examines Compute Engine instances in the project
  • Batch scans: Every 12 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 4.3

CIS GCP Foundation 1.1: 4.4

PUBLIC_IP_ADDRESS

Finding description: An instance has a public IP address.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Instance

Fix this finding

Checks whether the networkInterfaces property contains an accessConfigs field, indicating it is configured to use a public IP address.

  • Assets excluded from scans: GKE instances
  • Batch scans: Every 6 hours
  • Real-time scans: No

CIS GCP Foundation 1.1: 4.9

PCI-DSS v3.2.1: 1.2.1, 1.3.5

NIST 800-53: CA-3, SC-7

SHIELDED_VM_DISABLED

Finding description: Shielded VM is disabled on this instance.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Checks the shieldedInstanceConfig property in Compute Engine instances to determine if enableIntegrityMonitoring, enableSecureBoot, enableVtpm fields are all set to true. The fields indicate whether attached disks are compatible with Secure Boot and if Shielded VM is turned on.

  • Assets excluded from scans: GKE instances, Compute Engine disks that have GPU accelerators and don't use Container-Optimized OS), Serverless VPC Access
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 4.8

WEAK_SSL_POLICY

Finding description: An instance has a weak SSL policy.

Pricing tier: Premium

Supported assets
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetSslProxy

Fix this finding

Checks whether sslPolicy in asset metadata is empty and, for the attached sslPolicies resource, whether profile is set to Restricted or Modern, minTlsVersion is set to TLS 1.2, and customFeatures is empty or does not contain the following ciphers: TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA.

  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads SSL policies for target proxies storage, checking for weak policies
  • Batch scans: Every 6 hours
  • Real-time scans: Yes, but only when the TargetHttpsProxy of the TargetSslProxy is updated, not when the SSL policy gets updated

PCI-DSS v3.2.1: 4.1

NIST 800-53: SC-7

ISO-27001: A.14.1.3

Container vulnerability findings

These finding types all relate to GKE container configurations, and belong to the CONTAINER_SCANNER detector type.

Table 4. Container scanner
Detector Summary Asset scan settings Compliance standards
ALPHA_CLUSTER_ENABLED

Finding description: Alpha cluster features are enabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks whether the enableKubernetesAlpha property of a cluster is set to true.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GKE 1.0: 6.10.2
AUTO_REPAIR_DISABLED

Finding description: A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the management property of a node pool for the key-value pair, "key": "autoRepair", "value": true.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.7

CIS GKE 1.0: 6.5.2

PCI-DSS v3.2.1: 2.2

AUTO_UPGRADE_DISABLED

Finding description: A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the management property of a node pool for the key-value pair, "key": "autoUpgrade", "value": true.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.8

CIS GKE 1.0: 6.5.3

PCI-DSS v3.2.1: 2.2

BINARY_AUTHORIZATION_DISABLED

Finding description: Binary Authorization is disabled on a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks whether the binaryAuthorization property contains the key-value pair, "enabled": true, and defaultAdmissionRule contains the key-value pair evaluationMode: ALWAYS_ALLOW.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GKE 1.0: 6.10.5
CLUSTER_LOGGING_DISABLED

Finding description: Logging isn't enabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.1

CIS GKE 1.0: 6.7.1

PCI-DSS v3.2.1: 10.2.2, 10.2.7

CLUSTER_MONITORING_DISABLED

Finding description: Monitoring is disabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.2

CIS GKE 1.0: 6.7.1

PCI-DSS v3.2.1: 10.1, 10.2

CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED

Finding description: Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks whether the privateIpGoogleAccess property of a subnetwork is set to false.

  • Additional inputs: Reads subnetworks from storage, filing findings only for clusters with subnetworks
  • Batch scans: Every 6 hours
  • Real-time scans: Yes, but only if cluster is updated, not for subnetwork updates

CIS GCP Foundation 1.0: 7.1

PCI-DSS v3.2.1: 1.3

CLUSTER_SECRETS_ENCRYPTION_DISABLED

Finding description: Application-layer secrets encryption is disabled on a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the keyName property of the databaseEncryption object for the key-value pair "state": ENCRYPTED.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GKE 1.0: 6.3.1
CLUSTER_SHIELDED_NODES_DISABLED

Finding description: Shielded GKE nodes are not enabled for a cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the shieldedNodes property for the key-value pair "enabled": true.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GKE 1.0: 6.5.5
COS_NOT_USED

Finding description: Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the config property of a node pool for the key-value pair, "imageType": "COS".

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.9

CIS GKE 1.0: 6.5.1

PCI-DSS v3.2.1: 2.2

INTEGRITY_MONITORING_DISABLED

Finding description: Integrity monitoring is disabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the shieldedInstanceConfig property of the nodeConfig object for the key-value pair "enableIntegrityMonitoring": true.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GKE 1.0: 6.5.6
INTRANODE_VISIBILITY_DISABLED

Finding description: Intranode visibility is disabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the networkConfig property for the key-value pair "enableIntraNodeVisibility": true.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GKE 1.0: 6.6.1
IP_ALIAS_DISABLED

Finding description: A GKE cluster was created with alias IP ranges disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.1

CIS GKE 1.0: 6.6.2

PCI-DSS v3.2.1: 1.3.4, 1.3.7

LEGACY_AUTHORIZATION_ENABLED

Finding description: Legacy Authorization is enabled on GKE clusters.

Pricing tier: Premium or Standard

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the legacyAbac property of a cluster for the key-value pair, "enabled": true.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.3

CIS GKE 1.0: 6.8.3

PCI-DSS v3.2.1: 4.1

LEGACY_METADATA_ENABLED

Finding description: Legacy metadata is enabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the config property of a node pool for the key-value pair, "disable-legacy-endpoints": "false".

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GKE 1.0: 6.4.1
MASTER_AUTHORIZED_NETWORKS_DISABLED

Finding description: Control Plane Authorized Networks is not enabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, "enabled": false.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.4

CIS GKE 1.0: 6.6.3

PCI-DSS v3.2.1: 1.2.1, 1.3.2

NETWORK_POLICY_DISABLED

Finding description: Network policy is disabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the networkPolicy field of the addonsConfig property for the key-value pair, "disabled": true.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.1

CIS GKE 1.0: 6.6.7

PCI-DSS v3.2.1: 1.3

NIST 800-53: SC-7

ISO-27001: A.13.1.1

NODEPOOL_BOOT_CMEK_DISABLED

Finding description: Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the bootDiskKmsKey property of node pools for the resource name of your CMEK.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
NODEPOOL_SECURE_BOOT_DISABLED

Finding description: Secure Boot is disabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the shieldedInstanceConfig property of the nodeConfig object for the key-value pair "enableSecureBoot": true.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GKE 1.0: 6.5.7

OVER_PRIVILEGED_ACCOUNT

Finding description: A service account has overly broad project access in a cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.1

CIS GKE 1.0: 6.2.1

PCI-DSS v3.2.1: 2.1, 7.1.2

NIST 800-53: AC-6, SC-7

ISO-27001: A.9.2.3

OVER_PRIVILEGED_SCOPES

Finding description: A node service account has broad access scopes.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks whether the access scope listed in the config.oauthScopes property of a node pool is a limited service account access scope: https://www.googleapis.com/auth/devstorage.read_only, https://www.googleapis.com/auth/logging.write, or https://www.googleapis.com/auth/monitoring.
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.1

CIS GKE 1.0: 6.2.1

POD_SECURITY_POLICY_DISABLED

Finding description: PodSecurityPolicy is disabled on a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the podSecurityPolicyConfig property of a cluster for the key-value pair, "enabled": false.

  • Additional IAM permissions: roles/container.clusterViewer
  • Additional inputs: Reads cluster information from GKE, because pod security policies are a Beta feature. This feature might be removed in the future
  • Batch scans: Every 12 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 7.1

CIS GKE 1.0: 6.10.3

PRIVATE_CLUSTER_DISABLED

Finding description: A GKE cluster has a Private cluster disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks whether the enablePrivateNodes field of the privateClusterConfig property is set to false.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.1

CIS GKE 1.0: 6.6.5

PCI-DSS v3.2.1: 1.3.2

RELEASE_CHANNEL_DISABLED

Finding description: A GKE cluster is not subscribed to a release channel.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the releaseChannel property for the key-value pair "channel": UNSPECIFIED.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GKE 1.0: 6.5.4
WEB_UI_ENABLED

Finding description: The GKE web UI (dashboard) is enabled.

Pricing tier: Premium or Standard

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks the kubernetesDashboard field of the addonsConfig property for the key-value pair, "disabled": false.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 7.6

CIS GKE 1.0: 6.10.1

PCI-DSS v3.2.1: 6.6

WORKLOAD_IDENTITY_DISABLED

Finding description: Workload Identity is disabled on a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Checks whether the workloadIdentityConfig property of a cluster is set. The detector also checks whether the workloadMetadataConfig property of a node pool is set to GKE_METADATA.

  • Additional IAM permissions: roles/container.clusterViewer
  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GKE 1.0: 6.2.2

Dataset vulnerability findings

Vulnerabilities of this detector type all relate to BigQuery Dataset configurations, and belong to the DATASET_SCANNER detector type.

Table 5. Dataset scanner
Detector Summary Asset scan settings Compliance standards
DATASET_CMEK_DISABLED

Finding description: A BigQuery dataset is not configured to use a default customer-managed encryption key (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
bigquery.googleapis.com/Dataset

Fix this finding

Checks whether the kmsKeyName field in the defaultEncryptionConfiguration property is empty.

  • Batch scans: Every 6 hours
  • Real-time scans: No
PUBLIC_DATASET

Finding description: A dataset is configured to be open to public access.

Pricing tier: Premium

Supported assets
bigquery.googleapis.com/Dataset

Fix this finding

Checks the IAM policy in resource metadata for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 7.1

NIST 800-53: AC-2

ISO-27001: A.8.2.3, A.14.1.3

DNS vulnerability findings

Vulnerabilities of this detector type all relate to Cloud DNS configurations, and belong to the DNS_SCANNER detector type.

Table 6. DNS scanner
Detector Summary Asset scan settings Compliance standards
DNSSEC_DISABLED

Finding description: DNSSEC is disabled for Cloud DNS zones.

Pricing tier: Premium

Supported assets
dns.googleapis.com/ManagedZone

Fix this finding

Checks whether the state field of the dnssecConfig property is set to off.

  • Assets excluded from scans: Cloud DNS zones that are not public
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 3.3

CIS GCP Foundation 1.1: 3.3

ISO-27001: A.8.2.3

RSASHA1_FOR_SIGNING

Finding description: RSASHA1 is used for key signing in Cloud DNS zones.

Pricing tier: Premium

Supported assets
dns.googleapis.com/ManagedZone

Fix this finding

Checks whether the defaultKeySpecs.algorithm object of the dnssecConfig property is set to rsasha1.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 3.4, 3.5

CIS GCP Foundation 1.1: 3.4, 3.5

Firewall vulnerability findings

Vulnerabilities of this detector type all relate to firewall configurations, and belong to the FIREWALL_SCANNER detector type.

Table 7. Firewall scanner
Detector Summary Asset scan settings Compliance standards
EGRESS_DENY_RULE_NOT_SET

Finding description: An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, "IPProtocol": "all".

  • Additional inputs: Reads egress firewalls for a project from storage
  • Batch scans: Every 6 hours
  • Real-time scans: Yes, but only on project changes, not firewall rule changes
PCI-DSS v3.2.1: 7.2
FIREWALL_RULE_LOGGING_DISABLED

Finding description: Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the logConfig property in firewall metadata to see if it's empty or contains the key-value pair "enable": false.

  • Assets excluded from scans: GKE instances, firewall rules created by GKE, Serverless VPC Access
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 10.1, 10.2

NIST 800-53: SI-4

ISO-27001: A.13.1.1

OPEN_CASSANDRA_PORT

Finding description: A firewall is configured to have an open CASSANDRA port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_CISCOSECURE_WEBSM_PORT

Finding description: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocol and port: TCP:9090.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_DIRECTORY_SERVICES_PORT

Finding description: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_DNS_PORT

Finding description: A firewall is configured to have an open DNS port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_ELASTICSEARCH_PORT

Finding description: A firewall is configured to have an open ELASTICSEARCH port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_FIREWALL

Finding description: A firewall is configured to be open to public access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the sourceRanges and allowed properties for one of two configurations:

  • The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following:
    • icmp
    • tcp:22
    • tcp:443
    • tcp:3389
    • udp:3389
    • sctp:22
  • The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
PCI-DSS v3.2.1: 1.2.1
OPEN_FTP_PORT

Finding description: A firewall is configured to have an open FTP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocol and port: TCP:21.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_HTTP_PORT

Finding description: A firewall is configured to have an open HTTP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:80.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_LDAP_PORT

Finding description: A firewall is configured to have an open LDAP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_MEMCACHED_PORT

Finding description: A firewall is configured to have an open MEMCACHED port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_MONGODB_PORT

Finding description: A firewall is configured to have an open MONGODB port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_MYSQL_PORT

Finding description: A firewall is configured to have an open MYSQL port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocol and port: TCP:3306.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_NETBIOS_PORT

Finding description: A firewall is configured to have an open NETBIOS port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_ORACLEDB_PORT

Finding description: A firewall is configured to have an open ORACLEDB port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_POP3_PORT

Finding description: A firewall is configured to have an open POP3 port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocol and port: TCP:110.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_POSTGRESQL_PORT

Finding description: A firewall is configured to have an open PostgreSQL port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_RDP_PORT

Finding description: A firewall is configured to have an open RDP port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:3389 and UDP:3389.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 3.7

CIS GCP Foundation 1.1: 3.7

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_REDIS_PORT

Finding description: A firewall is configured to have an open REDIS port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_SMTP_PORT

Finding description: A firewall is configured to have an open SMTP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_SSH_PORT

Finding description: A firewall is configured to have an open SSH port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 3.6

CIS GCP Foundation 1.1: 3.6

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

OPEN_TELNET_PORT

Finding description: A firewall is configured to have an open TELNET port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Checks whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: SC-7

ISO-27001: A.13.1.1

IAM vulnerability findings

Vulnerabilities of this detector type all relate to Identity and Access Management (IAM) configuration, and belong to the IAM_SCANNER detector type.

Table 8. IAM Scanner
Detector Summary Asset scan settings Compliance standards
ADMIN_SERVICE_ACCOUNT

Finding description: A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks the IAM policy in resource metadata for any user-created service accounts (indicated by the prefix iam.gserviceaccount.com), that are assigned roles/Owner or roles/Editor, or a role ID that contains admin.

  • Assets excluded from scans: Container Registry service account (containerregistry.iam.gserviceaccount.com) and Security Command Center service account (security-center-api.iam.gserviceaccount.com)
  • Batch scans: Every 6 hours
  • Real-time scans: Yes, unless the IAM update is done on a folder

CIS GCP Foundation 1.0: 1.4

CIS GCP Foundation 1.1: 1.5

KMS_ROLE_SEPARATION

Finding description: Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks IAM policies in resource metadata and retrieves principals assigned any of the following roles at the same time: roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, and roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, roles/cloudkms.signerVerifier, roles/cloudkms.publicKeyViewer.
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 1.9

CIS GCP Foundation 1.1: 1.11

NIST 800-53: AC-5

ISO-27001: A.9.2.3, A.10.1.2

NON_ORG_IAM_MEMBER

Finding description: There is a user who isn't using organizational credentials. Per CIS GCP Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compares @gmail.com email addresses in the user field in IAM policy metadata to a list of approved identities for your organization.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 1.1

PCI-DSS v3.2.1: 7.1.2

NIST 800-53: AC-3

ISO-27001: A.9.2.3

OVER_PRIVILEGED_SERVICE_ACCOUNT_USER

Finding description: A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks the IAM policy in resource metadata for any principals assigned roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator at the project level.
  • Assets excluded from scans: Cloud Build service accounts
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 1.5

PCI-DSS v3.2.1: 7.1.2

NIST 800-53: AC-6

ISO-27001: A.9.2.3

PRIMITIVE_ROLES_USED

Finding description: A user has the basic role, Owner, Writer, or Reader. These roles are too permissive and shouldn't be used.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks the IAM policy in resource metadata for any principals assigned roles/Owner, roles/Writer, or roles/Reader.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 7.1.2

NIST 800-53: AC-6

ISO-27001: A.9.2.3

REDIS_ROLE_USED_ON_ORG

Finding description: A Redis IAM role is assigned at the organization or folder level.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization

Fix this finding

Checks the IAM policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 7.1.2

ISO-27001: A.9.2.3

SERVICE_ACCOUNT_ROLE_SEPARATION

Finding description: A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks the IAM policy in resource metadata for any principals assigned both roles/iam.serviceAccountUser and roles/iam.serviceAccountAdmin.
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 1.7

NIST 800-53: AC-5

ISO-27001: A.9.2.3

SERVICE_ACCOUNT_KEY_NOT_ROTATED

Finding description: A service account key hasn't been rotated for more than 90 days.

Pricing tier: Premium

Supported assets
iam.googleapis.com/ServiceAccountKey

Fix this finding

Evaluates the key creation timestamp captured in the validAfterTime property in service accounts key metadata.

  • Assets excluded from scans: Expired service account keys and keys not managed by users
  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GCP Foundation 1.0: 1.6
USER_MANAGED_SERVICE_ACCOUNT_KEY

Finding description: A user manages a service account key.

Pricing tier: Premium

Supported assets
iam.googleapis.com/ServiceAccountKey

Fix this finding

Checks whether the keyType property in service account key metadata is set to User_Managed.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GCP Foundation 1.0: 1.3

KMS vulnerability findings

Vulnerabilities of this detector type all relate to Cloud KMS configurations, and belong to the KMS_SCANNER detector type.

Table 9. KMS scanner
Detector Summary Asset scan settings Compliance standards
KMS_KEY_NOT_ROTATED

Finding description: Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days.

Pricing tier: Premium

Supported assets
cloudkms.googleapis.com/CryptoKey

Fix this finding

Checks resource metadata for the existence of rotationPeriod or nextRotationTime properties.

  • Assets excluded from scans: Asymmetric keys and keys with disabled or destroyed primary versions
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 1.8

PCI-DSS v3.2.1: 3.5

NIST 800-53: SC-12

ISO-27001: A.10.1.2

KMS_PROJECT_HAS_OWNER

Finding description: A user has Owner permissions on a project that has cryptographic keys.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks the IAM policy in project metadata for principals assigned roles/Owner.

  • Additional inputs: Reads cryptokeys for a project from storage, filing findings only for projects with cryptokeys
  • Batch scans: Every 6 hours
  • Real-time scans: Yes, but only on changes to IAM policy, not on changes to KMS keys

PCI-DSS v3.2.1: 3.5

NIST 800-53: AC-6, SC-12

ISO-27001: A.9.2.3, A.10.1.2

KMS_PUBLIC_KEY

Finding description: A Cloud KMS cryptographic key is publicly accessible.

Pricing tier: Premium

Supported assets
cloudkms.googleapis.com/CryptoKey
cloudkms.googleapis.com/KeyRing

Fix this finding

Checks the IAM policy in resource metadata for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 1.9

TOO_MANY_KMS_USERS

Finding description: There are more than three users of cryptographic keys.

Pricing tier: Premium

Supported assets
cloudkms.googleapis.com/CryptoKey

Fix this finding

Checks IAM policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.
  • Additional inputs: Reads cryptokey versions for a cryptokey from storage, filing findings only for keys with active versions. The detector also reads key ring, project, and organization IAM policies from storage
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

PCI-DSS v3.2.1: 3.5.2

ISO-27001: A.9.2.3

Logging vulnerability findings

Vulnerabilities of this detector type all relate to logging configurations, and belong to the LOGGING_SCANNER detector type.

Table 10. Logging scanner
Detector Summary Asset scan settings Compliance standards
AUDIT_LOGGING_DISABLED

Finding description: Audit logging has been disabled for this resource.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks the IAM policy in resource metadata for the existence of an auditLogConfigs object.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes, but only on project IAM policy change, not on folder or organization changes

CIS GCP Foundation 1.0: 2.1

CIS GCP Foundation 1.1: 2.1

PCI-DSS v3.2.1: 10.1, 10.2

NIST 800-53: AC-2, AU-2

ISO-27001: A.12.4.1, A.16.1.7

BUCKET_LOGGING_DISABLED

Finding description: There is a storage bucket without logging enabled.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Checks whether the logBucket field in the bucket's logging property is empty.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GCP Foundation 1.0: 5.3
LOCKED_RETENTION_POLICY_NOT_SET

Finding description: A locked retention policy is not set for logs.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Checks whether the isLocked field in the bucket's retentionPolicy property is set to true.

  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 2.3

PCI-DSS v3.2.1: 10.5

NIST 800-53: AU-11

ISO-27001: A.12.4.2, A.18.1.3

LOG_NOT_EXPORTED

Finding description: There is a resource that doesn't have an appropriate log sink configured.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Retrieves a logSink object in a project, checking that the includeChildren field is set to true, the destination field includes the location to write logs to, and the filter field is populated.

  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Batch scans: Every 6 hours
  • Real-time scans: Yes, but only on project changes, not if log export is set up on folder or organization

CIS GCP Foundation 1.0: 2.2

CIS GCP Foundation 1.1: 2.2

ISO-27001: A.18.1.3

OBJECT_VERSIONING_DISABLED

Finding description: Object versioning isn't enabled on a storage bucket where sinks are configured.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Checks whether the enabled field in the bucket's versioning property is set to true.

  • Assets excluded from scans: Cloud Storage buckets with a locked retention policy
  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Batch scans: Every 6 hours
  • Real-time scans: Yes, but only if object versioning changes, not if log buckets are created

CIS GCP Foundation 1.0: 2.3

PCI-DSS v3.2.1: 10.5

NIST 800-53: AU-11

ISO-27001: A.12.4.2, A.18.1.3

Monitoring vulnerability findings

Vulnerabilities of this detector type all relate to monitoring configurations, and belong to the MONITORING_SCANNER type. All Monitoring detector finding properties include:

  • The RecommendedLogFilter to use in creating the log metrics.
  • The QualifiedLogMetricNames that cover the conditions listed in the recommended log filter.
  • TheAlertPolicyFailureReasonsthat indicate if the project does not have alert policies created for any of the qualified log metrics or the existing alert policies don't have the recommended settings.
Table 11. Monitoring scanner
Detector Summary Asset scan settings Compliance standards
AUDIT_CONFIG_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Audit Configuration changes.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks whether the filter property of the project's LogsMetric resource is set to protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*, and if resource.type is specified, that the value is global. The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts
  • Batch scans: Every 12 hours
  • Real-time scans: Yes, but only on project changes, not on log metrics and alert changes

CIS GCP Foundation 1.0: 2.5

CIS GCP Foundation 1.1: 2.5

BUCKET_IAM_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks whether the filter property of the project's LogsMetric resource is set to resource.type=gcs_bucket AND protoPayload.methodName="storage.setIamPermissions". The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts
  • Batch scans: Every 12 hours
  • Real-time scans: Yes, but only on project changes, not on log metrics and alert changes

CIS GCP Foundation 1.0: 2.10

CIS GCP Foundation 1.1: 2.10

CUSTOM_ROLE_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Custom Role changes.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks whether the filter property of the project's LogsMetric resource is set to resource.type="iam_role" AND protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole". The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts
  • Batch scans: Every 12 hours
  • Real-time scans: Yes, but only on project changes, not on log metrics and alert changes

CIS GCP Foundation 1.0: 2.6

CIS GCP Foundation 1.1: 2.6

FIREWALL_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor VPC Network Firewall rule changes.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks whether the filter property of the project's LogsMetric resource is set to resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.delete"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts
  • Batch scans: Every 12 hours
  • Real-time scans: Yes, but only on project changes, not on log metrics and alert changes

CIS GCP Foundation 1.0: 2.7

CIS GCP Foundation 1.1: 2.7

NETWORK_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor VPC network changes.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks whether the filter property of the project's LogsMetric resource is set to resource.type="gce_network" AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts
  • Batch scans: Every 12 hours
  • Real-time scans: Yes, but only on project changes, not on log metrics and alert changes

CIS GCP Foundation 1.0: 2.9

CIS GCP Foundation 1.1: 2.9

OWNER_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks whether the filter property of the project's LogsMetric resource is set to (protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner"), and if resource.type is specified, that the value is global. The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts
  • Batch scans: Every 12 hours
  • Real-time scans: Yes, but only on project changes, not on log metrics and alert changes

CIS GCP Foundation 1.0: 2.4

CIS GCP Foundation 1.1: 2.4

ROUTE_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor VPC network route changes.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks whether the filter property of the project's LogsMetric resource is set to resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts
  • Batch scans: Every 12 hours
  • Real-time scans: Yes, but only on project changes, not on log metrics and alert changes

CIS GCP Foundation 1.0: 2.8

CIS GCP Foundation 1.1: 2.8

SQL_INSTANCE_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Checks whether the filter property of the project's LogsMetric resource is set to protoPayload.methodName="cloudsql.instances.update" OR protoPayload.methodName="cloudsql.instances.create" OR protoPayload.methodName="cloudsql.instances.delete", and if resource.type is specified, that the value is global. The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud's operations suite account information from Google Cloud's operations suite, filing findings only for projects with active accounts
  • Batch scans: Every 12 hours
  • Real-time scans: Yes, but only on project changes, not on log metrics and alert changes

CIS GCP Foundation 1.0: 2.11

CIS GCP Foundation 1.1: 2.11

Multi-factor authentication findings

The MFA_SCANNER detector identifies vulnerabilities related to multi-factor authentication for users.

Table 12. Multi-factor authentication scanner
Detector Summary Asset scan settings Compliance standards
MFA_NOT_ENFORCED

There are users who aren't using 2-step verification.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Organization

Fix this finding

Evaluates identity management policies in organizations and user settings for managed accounts in Cloud Identity.

  • Assets excluded from scans: Organization units granted exceptions to the policy
  • Additional inputs: Reads data from Google Workspace
  • Batch scans: Every 12 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 1.2

CIS GCP Foundation 1.1: 1.2

PCI-DSS v3.2.1: 8.3

NIST 800-53: IA-2

ISO-27001: A.9.4.2

Network vulnerability findings

Vulnerabilities of this detector type all relate to an organization's network configurations, and belong to theNETWORK_SCANNERtype.

Table 13. Network scanner
Detector Summary Asset scan settings Compliance standards
DEFAULT_NETWORK

Finding description: The default network exists in a project.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Network

Fix this finding

Checks whether the name property in network metadata is set to default

  • Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 3.1

CIS GCP Foundation 1.1: 3.1

LEGACY_NETWORK

Finding description: A legacy network exists in a project.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Network

Fix this finding

Checks network metadata for existence of the IPv4Range property.

  • Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 3.2

CIS GCP Foundation 1.1: 3.2

Organization Policy vulnerability findings

Vulnerabilities of this detector type all relate to configurations of Organization Policy constraints, and belong to the ORG_POLICY type.

Table 14. Org policy scanner
Detector Summary Asset scan settings Compliance standards
ORG_POLICY_CONFIDENTIAL_VM_POLICY Finding description: A Compute Engine resource is out of compliance with the constraints/compute.restrictNonConfidentialComputing organization policy. For more information about this org policy constraint, see Enforcing organization policy constraints in Confidential VM.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Checks whether the enableConfidentialCompute property of a Compute Engine instance is set to true.

  • Assets excluded from scans: GKE instances
  • Additional IAM permissions: permissions/orgpolicy.policy.get
  • Additional inputs: Reads the effective org policy from the org policy service
  • Batch scans: Every 12 hours
  • Real-time scans: No
ORG_POLICY_LOCATION_RESTRICTION Finding description: A Compute Engine resource is out of compliance with the constraints/gcp.resourceLocations constraint. For more information about this org policy constraint, see Enforcing organization policy constraints.

Pricing tier: Premium

Supported assets
See below

Fix this finding

Checks the listPolicy property in the metadata of supported resources for a list of allowed or denied locations.

  • Additional IAM permissions: permissions/orgpolicy.policy.get
  • Additional inputs: Reads the effective org policy from the org policy service
  • Batch scans: Every 12 hours
  • Real-time scans: No

Supported assets for ORG_POLICY_LOCATION_RESTRICTION

Compute Engine
compute.googleapis.com/Autoscaler
compute.googleapis.com/Address
compute.googleapis.com/Commitment
compute.googleapis.com/Disk
compute.googleapis.com/ForwardingRule
compute.googleapis.com/HealthCheck
compute.googleapis.com/Image
compute.googleapis.com/Instance
compute.googleapis.com/InstanceGroup
compute.googleapis.com/InstanceGroupManager
compute.googleapis.com/InterconnectAttachment
compute.googleapis.com/NetworkEndpointGroup
compute.googleapis.com/NodeGroup
compute.googleapis.com/NodeTemplate
compute.googleapis.com/PacketMirroring
compute.googleapis.com/RegionBackendService
compute.googleapis.com/RegionDisk
compute.googleapis.com/ResourcePolicy
compute.googleapis.com/Reservation
compute.googleapis.com/Router
compute.googleapis.com/Snapshot
compute.googleapis.com/SslCertificate
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpProxy
compute.google.apis.com/TargetHttpsProxy
compute.googleapis.com/TargetInstance
compute.googleapis.com/TargetPool
compute.googleapis.com/TargetVpnGateway
compute.googleapis.com/UrlMap
compute.googleapis.com/VpnGateway
compute.googleapis.com/VpnTunnel

Cloud Storage
storage.googleapis.com/Bucket

Cloud KMS
cloudkms.googleapis.com/CryptoKey1
cloudkms.googleapis.com/CryptoKeyVersion1
cloudkms.googleapis.com/ImportJob2
cloudkms.googleapis.com/KeyRing1

Dataproc
dataproc.googleapis.com/Cluster

BigQuery
bigquery.googleapis.com/Dataset

Dataflow
dataflow.googleapis.com/Job3

Cloud SQL
sqladmin.googleapis.com/Instance

Cloud Composer
composer.googleapis.com/Environment

Logging
logging.googleapis.com/LogBucket

Pub/Sub
pubsub.googleapis.com/Topic

Vertex AI
aiplatform.googleapis.com/BatchPredictionJob
aiplatform.googleapis.com/CustomJob
aiplatform.googleapis.com/DataLabelingJob
aiplatform.googleapis.com/Dataset
aiplatform.googleapis.com/Endpoint
aiplatform.googleapis.com/HyperparameterTuningJob
aiplatform.googleapis.com/Model
aiplatform.googleapis.com/SpecialistPool
aiplatform.googleapis.com/TrainingPipeline

Artifact Registry
artifactregistry.googleapis.com/Repository

1 Because Cloud KMS assets cannot be deleted, the asset is not considered out-of-region if the asset's data has been destroyed.

2 Because Cloud KMS import jobs have a controlled lifecycle and cannot be terminated early, an ImportJob is not considered out-of-region if the job is expired and can no longer be used to import keys.

3 Because the lifecycle of Dataflow jobs cannot be managed, a Job is not considered out-of-region once it has reached a terminal state (stopped or drained), where it can no longer be used to process data.

Pub/Sub vulnerability findings

Vulnerabilities of this detector type all relate to Pub/Sub configurations, and belong to the PUBSUB_SCANNER type.

Table 15. Pub/Sub scanner
Detector Summary Asset scan settings Compliance standards
PUBSUB_CMEK_DISABLED

Finding description: A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
pubsub.googleapis.com/Topic

Fix this finding

Checks the kmsKeyName field for the resource name of your CMEK.

  • Batch scans: Every 6 hours
  • Real-time scans: No

SQL vulnerability findings

Vulnerabilities of this detector type all relate to Cloud SQL configurations, and belong to the SQL_SCANNER type.

Table 16. SQL scanner
Detector Summary Asset scan settings Compliance standards
AUTO_BACKUP_DISABLED

Finding description: A Cloud SQL database doesn't have automatic backups enabled.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks whether the backupConfiguration.enabled property of an Cloud SQL data is set to true.

  • Assets excluded from scans: Cloud SQL replicas
  • Additional inputs: Reads IAM policies for ancestors from Security Health Analytics asset storage
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.7

NIST 800-53: CP-9

ISO-27001: A.12.3.1

PUBLIC_SQL_INSTANCE

Finding description: A Cloud SQL database instance accepts connections from all IP addresses.

Pricing tier: Premium or Standard

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks whether the authorizedNetworks property of Cloud SQL instances is set to a single IP address or an IP address range.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 6.2

CIS GCP Foundation 1.1: 6.5

PCI-DSS v3.2.1: 1.2.1

NIST 800-53: CA-3, SC-7

ISO-27001: A.8.2.3, A.13.1.3, A.14.1.3

SSL_NOT_ENFORCED

Finding description: A Cloud SQL database instance doesn't require all incoming connections to use SSL.

Pricing tier: Premium or Standard

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks whether the requireSsl property of the Cloud SQL instance is set to true.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 6.1

CIS GCP Foundation 1.1: 6.4

PCI-DSS v3.2.1: 4.1

NIST 800-53: SC-7

ISO-27001: A.8.2.3, A.13.2.1, A.14.1.3

SQL_CMEK_DISABLED

Finding description: A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks the kmsKeyName field in the diskEncryptionKey object, in instance metadata, for the resource name of your CMEK.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
SQL_CONTAINED_DATABASE_AUTHENTICATION

Finding description: The contained database authentication database flag for a Cloud SQL for SQL Server instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks the databaseFlags property of instance metadata for the key-value pair, "name": "contained database authentication", "value": "on" or whether it is enabled by default.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.3.2

SQL_CROSS_DB_OWNERSHIP_CHAINING

Finding description: The cross_db_ownership_chaining database flag for a Cloud SQL for SQL Server instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks the databaseFlags property of instance metadata for the key-value pair "name": "cross_db_ownership_chaining", "value": "on".

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.3.1

SQL_LOCAL_INFILE

Finding description: The local_infile database flag for a Cloud SQL for MySQL instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks the databaseFlags property of instance metadata for the key-value pair "name": "local_infile", "value": "on".

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.1.2

SQL_LOG_CHECKPOINTS_DISABLED

Finding description: The log_checkpoints database flag for a Cloud SQL for PostgreSQL instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_checkpoints", "value": "on".

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.2.1

SQL_LOG_CONNECTIONS_DISABLED

Finding description: The log_connections database flag for a Cloud SQL for PostgreSQL instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_connections", "value": "on".

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.2.2

SQL_LOG_DISCONNECTIONS_DISABLED

Finding description: The log_disconnections database flag for a Cloud SQL for PostgreSQL instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_disconnections", "value": "on".

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.2.3

SQL_LOG_LOCK_WAITS_DISABLED

Finding description: The log_lock_waits database flag for a Cloud SQL for PostgreSQL instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_lock_waits", "value": "on".

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.2.4

SQL_LOG_MIN_DURATION_STATEMENT_ENABLED

Finding description: The log_min_duration_statement database flag for a Cloud SQL for PostgreSQL instance is not set to "-1".

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_min_duration_statement", "value": "-1".

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.2.7

SQL_LOG_MIN_ERROR_STATEMENT

Finding description: The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is not set appropriately.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks whether the log_min_error_statement field of the databaseFlags property is set to one of the following values: debug5, debug4, debug3, debug2, debug1, info, notice, warning, or the default value error.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.2.5

SQL_LOG_TEMP_FILES

Finding description: The log_temp_files database flag for a Cloud SQL for PostgreSQL instance is not set to "0".

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_temp_files", "value": "0".

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.2.6

SQL_NO_ROOT_PASSWORD

Finding description: A Cloud SQL database doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks whether the rootPassword property of the root account is empty.

  • Additional IAM permissions: roles/cloudsql.client
  • Additional inputs: Queries live instances
  • Batch scans: Every 6 hours
  • Real-time scans: No

CIS GCP Foundation 1.0: 6.3

CIS GCP Foundation 1.1: 6.1.1

PCI-DSS v3.2.1: 2.1

NIST 800-53: AC-3

ISO-27001: A.8.2.3, A.9.4.2

SQL_PUBLIC_IP

Finding description: A Cloud SQL database has a public IP address.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Checks whether the IP address type of an Cloud SQL database is set to Primary, indicating it is public.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.1: 6.6

SQL_WEAK_ROOT_PASSWORD

Finding description: A Cloud SQL database has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compares the password for the root account of your Cloud SQL database to a list of common passwords.

  • Additional IAM permissions: roles/cloudsql.client
  • Additional inputs: Queries live instances
  • Batch scans: Every 6 hours
  • Real-time scans: No

Storage vulnerability findings

Vulnerabilities of this detector type all relate to Cloud Storage Buckets configurations, and belong to theSTORAGE_SCANNERtype.

Table 17. Storage scanner
Detector Summary Asset scan settings Compliance standards
BUCKET_CMEK_DISABLED

Finding description: A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Checks the encryption field in bucket metadata for the resource name of your CMEK.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
BUCKET_POLICY_ONLY_DISABLED

Finding description: Uniform bucket-level access, previously called Bucket Policy Only, isn't configured.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Checks whether the uniformBucketLevelAccess property on a bucket is set to "enabled":false

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
PUBLIC_BUCKET_ACL

Finding description: A Cloud Storage bucket is publicly accessible.

Pricing tier: Premium or Standard

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Checks the IAM policy of a bucket for public roles, allUsers or allAuthenticatedUsers, with admin or editor privileges.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 5.1

CIS GCP Foundation 1.1: 5.1

PCI-DSS v3.2.1: 7.1

NIST 800-53: AC-2

ISO-27001: A.8.2.3, A.14.1.3

PUBLIC_LOG_BUCKET

Finding description: A storage bucket used as a log sink is publicly accessible.

Pricing tier: Premium or Standard

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Checks the IAM policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Batch scans: Every 6 hours
  • Real-time scans: Yes, but only if IAM policy on bucket changes, not if log sink is changed

PCI-DSS v3.2.1: 10.5

NIST 800-53: AU-9

ISO-27001: A.8.2.3, A.12.4.2, A.18.1.3

Subnetwork vulnerability findings

Vulnerabilities of this detector type all relate to an organization's subnetwork configurations, and belong to theSUBNETWORK_SCANNERtype.

Table 18. Subnetwork scanner
Detector Summary Asset scan settings Compliance standards
FLOW_LOGS_DISABLED

Finding description: There is a VPC subnetwork that has flow logs disabled.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Subnetwork

Fix this finding

Checks whether the enableFlowLogs property of Compute Engine subnetworks is missing or set to false.

  • Assets excluded from scans: Serverless VPC Access, load balancer subnetworks
  • Batch scans: Every 6 hours
  • Real-time scans: Yes

CIS GCP Foundation 1.0: 3.9

CIS GCP Foundation 1.1: 3.8

PCI-DSS v3.2.1: 10.1, 10.2

NIST 800-53: SI-4

ISO-27001: A.13.1.1

PRIVATE_GOOGLE_ACCESS_DISABLED

Finding description: There are private subnetworks without access to Google public APIs.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket
compute.googleapis.com/Subnetwork

Fix this finding

Checks whether the privateIpGoogleAccess property of Compute Engine subnetworks is set to false.

  • Batch scans: Every 6 hours
  • Real-time scans: Yes
CIS GCP Foundation 1.0: 3.8

VM Manager

VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine.

If you enable VM Manager and are subscribed to Security Command Center Premium, VM Manager writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in operating systems installed on VMs, including Common Vulnerabilities and Exposures (CVEs).

Vulnerability reports are not available for Security Command Center Standard.

Findings simplify the process of using VM Manager's Patch Compliance feature, which is in preview. The feature lets you conduct patch management at the organization level across all of your projects. Currently, VM Manager supports patch management at the single project level.

VM Manager findings

Vulnerabilities of this type all relate to installed operating system packages in supported Compute Engine VMs.

Table 19. VM Manager vulnerability reports
Detector Summary Asset scan settings Compliance standards
OS_VULNERABILITY

Finding description: VM Manager detected a vulnerability in the installed operating system (OS) package for a Compute Engine VM.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

VM Manager's vulnerability reports detail vulnerabilities in installed operating system packages for Compute Engine VMs, including Common Vulnerabilities and Exposures (CVEs).

  • Assets excluded from scans: SUSE Linux Enterprise Server (SLES), Windows operating systems
  • Findings appear in Security Command Center shortly after vulnerabilities are detected. Vulnerability reports in VM Manager are generated as follows:

    • For most vulnerabilities in the installed OS package, the OS Config API generates a vulnerability report within a few minutes of the change.
    • For CVEs, the OS Config API generates the vulnerability report within three to four hours after the CVE is published to the OS.

Remediating VM Manager findings

An OS_VULNERABILITY finding indicates that VM Manager found a vulnerability in the installed operating system packages in a Compute Engine VM.

To remediate this finding, do the following:

  1. Go to the Findings page in Security Command Center.

    Go to Findings

  2. Next to View by, select Source type.

  3. In the Source type list, select VM Manager.

    The table populates with findings for the source type you selected.

  4. Under category, click the name of a finding.

  5. In the Finding details panel, select Source properties.

  6. To learn more about the vulnerability, note the following fields:

    1. properties: contains a description of the vulnerability and mitigation options
    2. severity: the risk level assigned to the finding
    3. vulnerability: contains a link to a public CVE repository with more details on the vulnerability
    4. references: contains additional information links, including to industry sources
    5. id: the CVE ID, for example, CVE-2021-33200; you can use the ID to filter findings and find other VMs impacted by this CVE
  7. To create a patch job for the OS in the Cloud Console, click the link in external_uri.

    For instructions on deploying patches, see OS patch management.

Learn about this finding type's supported assets and scan settings.

Disabling VM Manager vulnerability reports

To stop vulnerability reports from being written to Security Command Center, you can disable the OS Config service API for your projects.

  1. Go to OS Config API page in the Cloud Console.

    Go to OS Config API

  2. If necessary, select your project.

  3. Click Disable API, and then in the dialog, click Disable.

Web Security Scanner findings

Web Security Scanner custom and managed scans identify the following finding types. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.

Table 20. Web Security Scanner findings
Category Finding description OWASP 2017 Top 10 OWASP 2021 Top 10
ACCESSIBLE_GIT_REPOSITORY A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the GIT repository. A5 A01
ACCESSIBLE_SVN_REPOSITORY An SVN repository is exposed publicly. To resolve this finding, remove public unintentional access to the SVN repository. A5 A01
CLEAR_TEXT_PASSWORD Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password transmitted over the network. A3 A02
INVALID_CONTENT_TYPE A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this finding, set `X-Content-Type-Options` HTTP header with the correct value. A6 A05
INVALID_HEADER A security header has a syntax error and is ignored by browsers. To resolve this finding, set HTTP security headers correctly. A6 A05
MISMATCHING_SECURITY_HEADER_VALUES A security header has duplicated, mismatching values, which result in undefined behavior. To resolve this finding, set HTTP security headers correctly. A6 A05
MISSPELLED_SECURITY_HEADER_NAME A security header is misspelled and is ignored. To resolve this finding, set HTTP security headers correctly. A6 A05
MIXED_CONTENT Resources are being served over HTTP on an HTTPS page. To resolve this finding, make sure that all resources are served over HTTPS. A6 A05
OUTDATED_LIBRARY A library was detected that has known vulnerabilities. To resolve this finding, upgrade libraries to a newer version. A9 A06
SERVER_SIDE_REQUEST_FORGERY A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an allowlist to limit the domains and IP addresses that the web application can make requests to. Not applicable A10
XSS A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data. A7 A03
XSS_ANGULAR_CALLBACK A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by Angular framework. A7 A03
XSS_ERROR A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data. A7 A03

CIS benchmarks

The Center for Internet Security (CIS) includes the following benchmarks that Web Security Scanner or Security Health Analytics detectors, currently, don't support:

Table 21. CIS benchmarks
Category Finding description CIS GCP Foundation 1.0 NIST 800-53 ISO-27001
BASIC_AUTHENTICATION_ENABLED IAM or client certificate authentication should be enabled on Kubernetes Clusters. 7.10
CLIENT_CERT_AUTHENTICATION_DISABLED Kubernetes Clusters should be created with Client Certificate enabled. 7.12
LABELS_NOT_USED Labels can be used to break down billing information. 7.5
PUBLIC_STORAGE_OBJECT Storage object ACL should not grant access to **allUsers**. 5.2
SQL_BROAD_ROOT_LOGIN Root access to a SQL database should be limited to allowlisted trusted IPs. 6.4

What's next