
Enabling Security Health Analytics

This guide describes the Security Health Analytics scanners, Google Cloud Platform native scanners that write security findings to Cloud Security Command Center (Cloud SCC). Findings from these scanners are searchable in the Cloud SCC dashboard and through the Cloud SCC API.

Before you begin

  • Security Health Analytics is not yet generally available, so you must be whitelisted to gain access. To sign up for the alpha, complete the Security Health Analytics Alpha Program form.
  • To enable Security Health Analytics, you must have the Organization Administrator Cloud Identity and Access Management (Cloud IAM) role. To learn more, see Access control for organizations.
  • To access the Cloud SCC dashboard, you must have the Security Center Admin Viewer Cloud IAM role.
  • To make changes to Cloud SCC, like adding marks, you must have an appropriate editor role, like Security Center Admin Editor.

Learn more about Cloud SCC roles.

Enabling Security Health Analytics

To enable Security Health Analytics, you grant additional Cloud IAM roles to your organization's Cloud SCC scanner service account. Follow the steps below for the method you want to use:

Console

To enable Security Health Analytics using the GCP Console:

  1. Go to the IAM & admin IAM page in the GCP Console.
    Go to the IAM page
  2. On the Project Selector drop-down list at the top of the page, select the organization for which you want to enable Security Health Analytics.
  3. At the top of the page, click Add.
  4. On the Add members panel that appears, under New members, enter organizations-[ORGANIZATION_ID]@cscc-scanner-mvp.iam.gserviceaccount.com.
  5. Use the Select a role drop-down list to add the following roles, clicking Add Another Role after each one:
    • Cloud Asset Viewer
    • Kubernetes Engine Cluster Viewer
    • Monitoring AlertPolicy Viewer
    • Logs Viewer
    • Cloud SQL Client
  6. When you're finished adding roles, click Save.

gcloud command-line tool

To enable Security Health Analytics using the gcloud command-line tool:

  1. Get your organization ID by running:
    gcloud organizations list
    This lists all of the organizations that you belong to. Note the organization ID for the organization for which you want to enable Security Health Analytics.
  2. Set the ORGANIZATION_ID value by running:
    ORGANIZATION_ID=[ORGANIZATION_ID]
  3. Grant the service account the appropriate roles for the following scanners:

    # For the storage scanner
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/cloudasset.viewer
    # For the container scanner
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/container.clusterViewer
    # For monitoring scanners using the monitoring API
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/monitoring.alertPolicyViewer
    # For monitoring scanners using the logging API
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/logging.viewer
    # For the MySQL password scanner
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/cloudsql.client

For more information, see the Cloud SDK gcloud beta organizations add-iam-policy-binding documentation.
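After granting the bindings, it is worth confirming that the scanner service account holds exactly the five roles above and nothing broader. The following script is an added example, not part of this guide or of the Cloud SCC tooling: it takes the JSON that `gcloud organizations get-iam-policy $ORGANIZATION_ID --format=json` prints (here a constructed sample embedded inline so it runs offline), reports roles that are still missing, flags surplus roles such as roles/editor that the scanner does not need, and prints the remediation commands in the same form as the steps above. The organization ID and member e-mail in the sample are made up.

```python
"""Audit the Cloud SCC scanner service account against the roles the guide grants.

Assumed input: the JSON output of
    gcloud organizations get-iam-policy $ORGANIZATION_ID --format=json
Here it is a constructed sample so the check runs without gcloud.
"""
import json

# Roles the guide grants to the scanner service account, one per scanner family.
REQUIRED_ROLES = {
    "roles/cloudasset.viewer",             # storage scanner
    "roles/container.clusterViewer",       # container scanner
    "roles/monitoring.alertPolicyViewer",  # monitoring scanners (monitoring API)
    "roles/logging.viewer",                # monitoring scanners (logging API)
    "roles/cloudsql.client",               # MySQL password scanner
}


def scanner_member(org_id: str) -> str:
    """IAM member string for the organization's Cloud SCC scanner service account."""
    return f"serviceAccount:organizations-{org_id}@cscc-scanner-mvp.iam.gserviceaccount.com"


def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role bound to `member` in a get-iam-policy response."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_scanner_roles(policy: dict, org_id: str) -> dict:
    """Return the roles still missing and any surplus roles on the scanner account.

    Surplus roles matter: the scanner only needs read-only visibility, so a
    binding such as roles/editor on this account widens the blast radius if
    the account is ever misused.
    """
    granted = roles_for_member(policy, scanner_member(org_id))
    return {
        "missing": sorted(REQUIRED_ROLES - granted),
        "surplus": sorted(granted - REQUIRED_ROLES),
    }


def remediation_commands(policy: dict, org_id: str) -> list:
    """gcloud commands that add each missing role, in the guide's own form."""
    member = scanner_member(org_id)
    return [
        f"gcloud organizations add-iam-policy-binding {org_id} "
        f"--member={member} --role={role}"
        for role in audit_scanner_roles(policy, org_id)["missing"]
    ]


# Constructed sample policy (not real data): only cloudasset.viewer was granted,
# someone also added the overly broad roles/editor, and the other roles are missing.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudasset.viewer",
     "members": ["serviceAccount:organizations-123456789012@cscc-scanner-mvp.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:organizations-123456789012@cscc-scanner-mvp.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:alice@example.com"]}
  ],
  "etag": "BwWXyz=",
  "version": 1
}""")

if __name__ == "__main__":
    result = audit_scanner_roles(SAMPLE_POLICY, "123456789012")
    print("missing:", result["missing"])
    print("surplus:", result["surplus"])
    for cmd in remediation_commands(SAMPLE_POLICY, "123456789012"):
        print(cmd)
```

To run it against a real organization, replace SAMPLE_POLICY with `json.load()` of the saved get-iam-policy output; a non-empty "surplus" list is the finding to act on first, since removing a broad role is a one-line `gcloud organizations remove-iam-policy-binding`.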

Viewing scanner findings

You can view scanner findings by findings category or by asset as described in the sections below.

Viewing by findings category

To view scanner findings, go to the Cloud SCC Findings page and enter category: [SCANNER_NAME] in the Filter box for the scanner category you want to view.

Compute Scanner

Category Finding description
FULL_API_ACCESS Indicates that an instance is configured to use the default service account with full access to all GCP APIs.
IP_FORWARDING_ENABLED Indicates that IP forwarding is enabled on Instances.

Container Scanner

Category Finding description
IP_ALIAS_DISABLED Indicates that a GKE Cluster was created with Alias IP ranges disabled.
LEGACY_AUTHORIZATION_ENABLED Indicates that Legacy Authorization is enabled on GKE Clusters.
MASTER_AUTHORIZED_NETWORKS_DISABLED Indicates that Master authorized networks is not enabled on GKE Clusters.
MONITORING_DISABLED Indicates that Stackdriver Monitoring is disabled on GKE Clusters.
NETWORK_POLICY_DISABLED Indicates that Network policy is disabled on GKE Clusters.
POD_SECURITY_POLICY_DISABLED Indicates that PodSecurityPolicy is disabled on a GKE Cluster.
PRIVATE_CLUSTER_DISABLED Indicates that a GKE Cluster has a Private cluster disabled.
WEB_UI_ENABLED Indicates that the GKE web UI (dashboard) is enabled.

DNS Scanner

Category Finding description
DNSSEC_DISABLED Indicates that DNSSEC is disabled for Cloud DNS zones.
RSASHA1_FOR_SIGNING Indicates that RSASHA1 is used for key signing in Cloud DNS zones.

IAM Scanner

Category Finding description
KMS_IAM_ROLE_SEPARATION Indicates that some users have Cloud IAM roles for Cloud Key Management Service (Cloud KMS) that don't follow good separation of duties.
NON_ORG_IAM_MEMBER Indicates that there are Gmail accounts with project or organization-level Cloud IAM permissions.

KMS Scanner

Category Finding description
KMS_KEY_NOT_ROTATED Indicates that rotation isn't configured on a Cloud KMS encryption key.

Monitoring Scanner

All Monitoring Scanner finding properties will include:

  • The RecommendedLogFilter to use in creating the log metrics.
  • The QualifiedLogMetricNames that cover the conditions listed in the recommended log filter.
  • The AlertPolicyFailureReasons that indicate if the project does not have alert policies created for any of the qualified log metrics or the existing alert policies do not have the recommended settings.

Category Finding description
AUDIT_CONFIG_NOT_MONITORED Indicates that log metrics and alerts aren't configured to monitor Audit Configuration Changes.
BUCKET_IAM_NOT_MONITORED Indicates that log metrics and alerts aren't configured to monitor Cloud Storage Cloud IAM permission changes.
CUSTOM_ROLE_NOT_MONITORED Indicates that log metrics and alerts aren't configured to monitor Custom Role changes.
FIREWALL_NOT_MONITORED Indicates that log metrics and alerts aren't configured to monitor VPC Network Firewall rule changes.
NETWORK_NOT_MONITORED Indicates that log metrics and alerts aren't configured to monitor VPC network changes.
OWNER_ASSIGNMENT_NOT_MONITORED Indicates that log metrics and alerts aren't configured to monitor Project Ownership assignments or changes.
ROUTE_NOT_MONITORED Indicates that log metrics and alerts aren't configured to monitor VPC network route changes.
SQL_INSTANCE_NOT_MONITORED Indicates that log metrics and alerts aren't configured to monitor SQL instance configuration changes.

Network Scanner

Category Finding description
DEFAULT_NETWORK Indicates that the default network exists in a project.
LEGACY_NETWORK Indicates that a legacy network exists in a project.

SQL Scanner

Category Finding description
NO_ROOT_PASSWORD Indicates that a Cloud SQL database doesn't have a password configured for the root account.
PUBLIC_SQL_INSTANCE Indicates that a Cloud SQL database instance accepts connections from all IP addresses.
SSL_NOT_ENFORCED Indicates that a Cloud SQL database instance doesn't require all incoming connections to use SSL.
WEAK_ROOT_PASSWORD Indicates that a Cloud SQL database has a weak password configured for the root account.

The NO_ROOT_PASSWORD and WEAK_ROOT_PASSWORD finding types aren't enabled by default for the SQL scanner. To enable them, you must send an extra, explicit, written request by email.

These two detectors use a service account with the Cloud SQL Client role, which allows it to connect to the database. The scanner does blackbox scanning for weak or empty passwords by attempting to log in to the database.

If the SQL Scanner finds any weak or missing password, it logs a finding. The password isn't logged, and it isn't added to the finding. The scanner doesn't use the password or gain further access to the database.

Storage Scanner

Category Finding description
BUCKET_POLICY_ONLY_DISABLED Indicates Bucket Policy Only isn't configured.
LOGGING_DISABLED Indicates that logging is disabled for a Cloud Storage bucket.
PUBLIC_BUCKET_ACL Indicates that a Cloud Storage bucket is publicly accessible.

Viewing by asset

Findings for an asset are created in Cloud SCC after they're scanned. Note that it can take up to 24 hours after an asset has changed before updated security findings are displayed in the dashboard.

You can also view findings for a specific asset by viewing the Findings tab in asset details:

  1. Go to the Cloud SCC Assets page in the GCP Console.
    Go to the Assets page
  2. Under resource_properties.name, click the asset you want to view.
  3. On the asset page that appears, click the Findings tab.

Information about the specific findings categories for that asset is displayed.

Whitelisting assets

You can whitelist assets so that a scanner doesn't create a security finding for the asset. If you whitelist an asset, the finding will be marked as resolved when the next scan runs. To whitelist an asset, add a security mark to the asset as described below:

Category Security mark to enable whitelisting
OPEN_FIREWALL allow_open_firewall_rule: true
PUBLIC_BUCKET_ACL allow_public_bucket_access: true

For every other finding type, use the security mark allow_[FINDING_TYPE], with the finding type in lowercase. For example, for SSL_NOT_ENFORCED, use the security mark allow_ssl_not_enforced: true.
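Because a mark key that doesn't match the rule (for example a misspelled category) is silently ignored by the next scan, it helps to derive the key from the category programmatically and validate the category first. The following is an added example, not code from this guide: it maps a finding category to its whitelisting mark using the rule and the two special cases above, and builds the update that would be sent to the Cloud SCC API. The request shape (a PATCH on the asset's securityMarks resource with an updateMask of the form marks.<key>) is the Cloud SCC v1 updateSecurityMarks form and is an assumption for the alpha API this page covers; the organization and asset IDs are constructed. The script builds the request but does not send it.

```python
"""Derive the whitelisting security mark for a finding category and build the
securityMarks update for an asset. Added example; request shape is assumed.
"""

# Categories whose mark key does not follow the allow_<category> rule.
SPECIAL_MARKS = {
    "OPEN_FIREWALL": "allow_open_firewall_rule",
    "PUBLIC_BUCKET_ACL": "allow_public_bucket_access",
}

# Finding categories listed in this guide. Validating against this set catches
# typos such as SSH_NOT_ENFORCED before a mark is written that never matches.
KNOWN_CATEGORIES = {
    "FULL_API_ACCESS", "IP_FORWARDING_ENABLED",
    "IP_ALIAS_DISABLED", "LEGACY_AUTHORIZATION_ENABLED",
    "MASTER_AUTHORIZED_NETWORKS_DISABLED", "MONITORING_DISABLED",
    "NETWORK_POLICY_DISABLED", "POD_SECURITY_POLICY_DISABLED",
    "PRIVATE_CLUSTER_DISABLED", "WEB_UI_ENABLED",
    "DNSSEC_DISABLED", "RSASHA1_FOR_SIGNING",
    "KMS_IAM_ROLE_SEPARATION", "NON_ORG_IAM_MEMBER", "KMS_KEY_NOT_ROTATED",
    "AUDIT_CONFIG_NOT_MONITORED", "BUCKET_IAM_NOT_MONITORED",
    "CUSTOM_ROLE_NOT_MONITORED", "FIREWALL_NOT_MONITORED",
    "NETWORK_NOT_MONITORED", "OWNER_ASSIGNMENT_NOT_MONITORED",
    "ROUTE_NOT_MONITORED", "SQL_INSTANCE_NOT_MONITORED",
    "DEFAULT_NETWORK", "LEGACY_NETWORK",
    "NO_ROOT_PASSWORD", "PUBLIC_SQL_INSTANCE", "SSL_NOT_ENFORCED",
    "WEAK_ROOT_PASSWORD",
    "BUCKET_POLICY_ONLY_DISABLED", "LOGGING_DISABLED", "PUBLIC_BUCKET_ACL",
    "OPEN_FIREWALL",
}


def whitelist_mark_key(category: str) -> str:
    """Return the security mark key that whitelists `category`.

    Raises ValueError for a category this guide does not list, so a typo
    fails loudly instead of producing a mark the scanner never reads.
    """
    cat = category.strip().upper()
    if cat not in KNOWN_CATEGORIES:
        raise ValueError(f"unknown finding category: {category!r}")
    return SPECIAL_MARKS.get(cat, "allow_" + cat.lower())


def build_mark_update(org_id: str, asset_id: str, category: str) -> dict:
    """Build the securityMarks PATCH for one asset and one finding category.

    Returns the resource name, the update mask restricted to this single mark
    (so other marks on the asset are left untouched), and the request body.
    Assumed v1-style shape; constructed IDs in the caller.
    """
    key = whitelist_mark_key(category)
    return {
        "name": f"organizations/{org_id}/assets/{asset_id}/securityMarks",
        "updateMask": f"marks.{key}",
        "body": {"marks": {key: "true"}},
    }


if __name__ == "__main__":
    # Constructed organization and asset IDs.
    for cat in ("SSL_NOT_ENFORCED", "PUBLIC_BUCKET_ACL", "OPEN_FIREWALL"):
        print(build_mark_update("123456789012", "98765", cat))
```

Using a single-field update mask is the safe choice: a mask of just `marks` would replace every mark on the asset, removing whitelist marks other teams have already set.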

Getting support

If you're whitelisted for the Security Health Analytics alpha and you need support, please email security-health-analytics-support@google.com.
