This page contains a list of the Google Cloud security sources that are
available in Security Command Center. When you enable a security source, it provides
vulnerabilities and threat findings to Security Command Center.
You can view findings in the Google Cloud console and filter them
in many different ways, such as by finding type, resource type, or for
a specific asset. Each security source might provide more filters to
help you organize your findings.
The IAM roles for Security Command Center can be granted at the organization,
folder, or project level. Your ability to view, edit, create, or update findings, assets,
and security sources depends on the level for which you are granted access. To learn
more about Security Command Center roles, see Access control.
Vulnerabilities
Vulnerability detectors can help you find potential weaknesses in your
Google Cloud resources.
GKE security posture dashboard
The GKE security posture dashboard is a page in the
Google Cloud console that provides you with opinionated, actionable findings
about potential security issues in your GKE clusters.
If you enable any of the following GKE security posture dashboard
features, you'll see the findings in the Security Command Center Standard tier or
the Premium tier:
The findings display information about the security issue and provide
recommendations to resolve the issues in your workloads or clusters.
IAM recommender
IAM recommender issues recommendations that you can follow to improve security by removing or replacing IAM roles from principals when the roles contain IAM permissions that the principal does not need.
Enable or disable IAM recommender findings
To enable or disable IAM recommender findings in Security Command Center,
follow these steps:
Go to the Integrated services tab of the Security Command Center
Settings page in the Google Cloud console:
If necessary, scroll down to the IAM recommender entry.
To the right of the entry, select Enable or Disable.
Findings from IAM recommender are classified as vulnerabilities.
To remediate an IAM recommender finding, expand the following section to see a table of the IAM recommender findings. The remediation steps for each finding are included in the table entry.
IAM recommender detectors
IAM recommender findings
Detector
Summary
IAM role has excessive permissions
Category name in the API: IAM_ROLE_HAS_EXCESSIVE_PERMISSIONS
Finding description:
IAM recommender detected a service account that has one or more
IAM roles that give excessive permissions to the user account.
Use IAM recommender to apply the recommended fix for this finding by following
these steps:
In the Next steps section of the finding details in the Google Cloud console,
copy and paste the URL for the IAM page into a browser
address bar and press Enter. The IAM page loads.
Near the top of the IAM page on the right side, click
View recommendations in table. The recommendations are displayed in a table.
In the Security insights column, click any recommendation that relates to
excess permissions. The recommendation details panel opens.
Review the recommendation for the actions that you can take to resolve the issue.
Click Apply.
After the issue is fixed, IAM recommender updates the status of the finding
to INACTIVE within 24 hours.
Service agent role replaced with basic role
Category name in the API: SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE
Finding description:
IAM recommender detected that the original default IAM
role granted to a service agent was replaced with one of the basic IAM
roles: Owner, Editor, or Viewer. Basic roles are excessively
permissive legacy roles and should not be granted to service agents.
Use IAM recommender to apply the recommended fix for this finding by following
these steps:
In the Next steps section of the finding details in the Google Cloud console,
copy and paste the URL for the IAM page into a browser
address bar and press Enter. The IAM page loads.
Near the top of the IAM page on the right side, click
View recommendations in table. The recommendations are displayed in a table.
In the Security insights column, click any permission that relates to
excess permissions. The recommendation details panel opens.
Review the excess permissions.
Click Apply.
After the issue is fixed, IAM recommender updates the status of the finding
to INACTIVE within 24 hours.
Service agent granted basic role
Category name in the API: SERVICE_AGENT_GRANTED_BASIC_ROLE
Finding description:
IAM recommender detected that a service agent was granted
one of the basic IAM roles: Owner, Editor, or
Viewer. Basic roles are excessively permissive legacy roles and should not
be granted to service agents.
Use IAM recommender to apply the recommended fix for this finding by following
these steps:
In the Next steps section of the finding details in the Google Cloud console,
copy and paste the URL for the IAM page into a browser
address bar and press Enter. The IAM page loads.
Near the top of the IAM page on the right side, click
View recommendations in table. The recommendations are displayed in a table.
In the Security insights column, click any permission that relates to
excess permissions. The recommendation details panel opens.
Review the excess permissions.
Click Apply.
After the issue is fixed, IAM recommender updates the status of the finding
to INACTIVE within 24 hours.
Unused IAM role
Category name in the API: UNUSED_IAM_ROLE
Finding description:
IAM recommender detected a user account that has an
IAM role that has not been used in the last 90 days.
Use IAM recommender to apply the recommended fix for this finding by following
these steps:
In the Next steps section of the finding details in the Google Cloud console,
copy and paste the URL for the IAM page into a browser
address bar and press Enter. The IAM page loads.
Near the top of the IAM page on the right side, click
View recommendations in table. The recommendations are displayed in a table.
In the Security insights column, click any permission that relates to
excess permissions. The recommendation details panel opens.
Review the excess permissions.
Click Apply.
After the issue is fixed, IAM recommender updates the status of the finding
to INACTIVE within 24 hours.
View IAM recommender findings in the console
In the Google Cloud console, you can view the findings that are
issued by IAM recommender either on the
Vulnerabilities
page by selecting the IAM recommender query preset or on the
Findings
page by selecting IAM Recommender in the Source display name section
of the Quick filters panel.
Policy Controller
Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters. These policies act as guardrails and can help with best practices, security, and compliance management of your clusters and fleet.
If you install Policy Controller,
and enable either the CIS Kubernetes Benchmark v1.5.1 or the PCI-DSS v3.2.1
Policy Controller bundles, or both, Policy Controller automatically writes
cluster violations to Security Command Center as Misconfiguration class
findings. The finding description and next steps in the Security Command Center
findings are the same as the constraint description and remediation steps
of the corresponding Policy Controller bundle.
The Policy Controller findings come from the following Policy Controller bundles:
PCI-DSS v3.2.1,
a bundle which evaluates the compliance of your cluster resources against
some aspects of the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1.
You can also view information about this bundle in the
GitHub repository for pci-dss-v3.
Rapid Vulnerability Detection runs managed scans that detect so-called
"N-day" vulnerabilities, known exploits that allow arbitrary data access
and remote code execution, including weak credentials, incomplete software
installations, and exposed administrator user interfaces.
Security Health Analytics managed
vulnerability assessment scanning for Google Cloud can automatically
detect common vulnerabilities and misconfigurations across:
Cloud Monitoring and Cloud Logging
Compute Engine
Google Kubernetes Engine containers and networks
Cloud Storage
Cloud SQL
Identity and Access Management (IAM)
Cloud Key Management Service (Cloud KMS)
Cloud DNS
Security Health Analytics is automatically enabled when you select the
Security Command Center Standard or Premium tier. Security Health Analytics detectors
monitor a subset of resources from
Cloud Asset Inventory,
using batch, real-time, and mixed-mode scans.
To view a complete list of Security Health Analytics detectors and findings, see the
Security Health Analytics findings page,
or expand the following section.
Security Health Analytics detectors
This section describes the detector types, supported assets, compliance
standards, and specific vulnerability finding types that
Security Health Analytics can generate. You can filter findings by detector name and
finding type using the Security Command Center Vulnerabilities page
in the Google Cloud console. Available finding categories include:
Security Health Analytics findings by high-level category
Security Command Center
monitors your compliance with detectors that are mapped to the controls of a wide
variety of security standards.
For each supported security standard,
Security Command Center
checks a subset of the controls.
For the controls checked, Security Command Center shows you how many are passing. For the
controls that are not passing, Security Command Center shows you a list of findings that
describe the control failures.
CIS reviews and certifies the mappings of
Security Command Center
detectors to each supported
version of the CIS Google Cloud Foundations Benchmark. Additional compliance
mappings are included for reference purposes only.
Security Command Center
adds support for new benchmark versions and standards periodically. Older
versions remain supported, but are eventually deprecated.
We recommend that you use the latest supported benchmark or standard available.
With the
security posture service,
you can map organization policies and Security Health Analytics detectors to the standards and
controls that apply to your business.
After you create a security posture, you can monitor for
any changes to the environment that could affect your business's compliance.
Retrieves the restrictions property of all
API keys in a project, checking whether
browserKeyRestrictions,
serverKeyRestrictions,
androidKeyRestrictions, or
iosKeyRestrictions is set.
Real-time scans: Yes
API key exists
Category name in the API: API_KEY_EXISTS
Finding description:
A project is using API keys instead of standard
authentication.
This finding category is not mapped to any compliance standard controls.
Checks the IAM allow policy in resource
metadata for the principals allUsers or
allAuthenticatedUsers, which grant public access.
Real-time scans: Yes
Compute instance vulnerability findings
The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to
Compute Engine instance configurations.
COMPUTE_INSTANCE_SCANNER detectors don't report findings on
Compute Engine instances created by GKE. Such instances have names that
start with "gke-", which users cannot edit. To secure these instances, refer to the
Container vulnerability findings section.
Table 4. Compute instance scanner
Detector
Summary
Asset scan settings
Confidential Computing disabled
Category name in the API: CONFIDENTIAL_COMPUTING_DISABLED
Finding description:
Confidential Computing is disabled on a Compute Engine instance.
Checks the metadata.items[] object
in instance metadata for the key-value
pair "key": "block-project-ssh-keys", "value":
TRUE.
Assets excluded from scans: GKE
instances, Dataflow job, Windows instance
Additional IAM permissions:
roles/compute.Viewer
Additional inputs: Reads metadata from
Compute Engine
Real-time scans: No
Compute Secure Boot disabled
Category name in the API: COMPUTE_SECURE_BOOT_DISABLED
Finding description:
This Shielded VM does not have Secure Boot
enabled. Using Secure Boot helps protect virtual machine
instances against advanced threats such as rootkits and
bootkits.
This finding category is not mapped to any compliance standard controls.
Checks the shieldedInstanceConfig property on
Compute Engine instances to determine if
enableSecureBoot is set to true. This detector
checks
whether attached disks are compatible with Secure Boot and Secure Boot is enabled.
Assets excluded from scans: GKE
instances, Compute Engine disks that have GPU
accelerators and don't use Container-Optimized OS,
Serverless VPC Access
Real-time scans: Yes
Compute serial ports enabled
Category name in the API: COMPUTE_SERIAL_PORTS_ENABLED
Finding description:
Serial ports are enabled for an instance, allowing
connections to the instance's serial console.
Checks the serviceAccounts property in
instance metadata for any service account email addresses
with the prefix
PROJECT_NUMBER-compute@developer.gserviceaccount.com,
indicating the Google-created default service account.
Assets excluded from scans: GKE
instances, Dataflow jobs
Real-time scans: Yes
Disk CMEK disabled
Category name in the API: DISK_CMEK_DISABLED
Finding description: Disks on this VM are not encrypted with customer-managed
encryption keys (CMEK). This detector requires additional configuration to
enable. For instructions, see
Enable and disable detectors.
This finding category is not mapped to any compliance standard controls.
Checks the kmsKeyName field in the
diskEncryptionKey object, in disk metadata, for the resource name
of your CMEK.
Assets excluded from scans: Disks related to
Cloud Composer environments, Dataflow jobs, and GKE
instances
Real-time scans: Yes
Disk CSEK disabled
Category name in the API: DISK_CSEK_DISABLED
Finding description:
Disks on this VM are not encrypted with Customer Supplied
Encryption Keys (CSEK). This detector requires additional
configuration to enable. For instructions, see
Special-case detector.
Retrieves the scopes field in the
serviceAccounts property to check whether a
default service account is used and if it is assigned the
cloud-platform scope.
Assets excluded from scans: GKE
instances, Dataflow jobs
Real-time scans: Yes
HTTP load balancer
Category name in the API: HTTP_LOAD_BALANCER
Finding description:
An instance uses a load balancer that is configured to
use a target HTTP proxy instead of a target HTTPS
proxy.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Determines if the selfLink property of the
targetHttpProxy resource matches the
target attribute in the forwarding rule, and
if the forwarding rule contains a
loadBalancingScheme field set to
External.
Additional IAM permissions:
roles/compute.Viewer
Additional inputs: Reads forwarding rules for a target
HTTP proxy from Compute Engine, checking for
external rules
Real-time scans: Yes
IP forwarding enabled
Category name in the API: IP_FORWARDING_ENABLED
Finding description:
IP forwarding is enabled on instances.
Checks whether the canIpForward property
of the instance is set to true.
Assets excluded from scans: GKE
instances, Serverless VPC Access
Real-time scans: Yes
OS login disabled
Category name in the API: OS_LOGIN_DISABLED
Finding description:
OS Login is disabled on this instance.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks the commonInstanceMetadata.items[]
object in project metadata for
the key-value pair, "key": "enable-oslogin",
"value": TRUE.
The detector also checks all instances in a Compute Engine
project to determine whether OS Login is disabled for
individual instances.
Assets excluded from scans: GKE
instances, instances related to Dataflow jobs
Additional IAM permissions:
roles/compute.Viewer
Additional inputs: Reads metadata from
Compute Engine. The detector also examines Compute Engine instances in the
project
Real-time scans: No
Public IP address
Category name in the API: PUBLIC_IP_ADDRESS
Finding description:
An instance has a public IP address.
Checks the shieldedInstanceConfig property in
Compute Engine instances to determine if the
enableIntegrityMonitoring and enableVtpm
fields are set to true. The fields
indicate whether Shielded VM is turned on.
Assets excluded from scans: GKE
instances and
Serverless VPC Access
Real-time scans: Yes
Weak SSL policy
Category name in the API: WEAK_SSL_POLICY
Finding description:
An instance has a weak SSL policy.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether sslPolicy in asset metadata is empty or is using the
Google Cloud default policy and, for the attached sslPolicies
resource, whether profile is set to Restricted or
Modern, minTlsVersion is set to TLS 1.2, and
customFeatures is empty or does not contain the following ciphers:
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA.
Additional IAM permissions:
roles/compute.Viewer
Additional inputs: Reads SSL policies for target proxies
storage, checking for weak policies
Real-time scans: Yes, but only when the TargetHttpsProxy
of the TargetSslProxy is updated, not when the SSL policy
gets updated
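The WEAK_SSL_POLICY evaluation described above, re-implemented as an added example (not Security Health Analytics code) over constructed target-proxy and sslPolicies resources keyed by selfLink. The evaluation order, and reading "customFeatures is empty or does not contain" as the test for the CUSTOM profile, are assumptions made here.

```python
"""Added example, not Security Health Analytics code: a local
re-implementation of the WEAK_SSL_POLICY check over constructed
TargetHttpsProxy/TargetSslProxy and sslPolicies resources.
Assumptions: policies are looked up by selfLink; the CUSTOM profile
passes only when customFeatures contains none of the listed ciphers."""
from typing import Dict, List

# RSA-key-exchange ciphers the page lists as weak (no forward secrecy).
WEAK_CIPHERS = frozenset({
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
})
STRONG_PROFILES = frozenset({"MODERN", "RESTRICTED"})


def weak_ssl_policy_reasons(proxy: dict, policies: Dict[str, dict]) -> List[str]:
    """Reasons a target proxy would raise WEAK_SSL_POLICY; [] means it passes."""
    link = proxy.get("sslPolicy")
    if not link:
        # No sslPolicy means the Google Cloud default policy is in use.
        return ["no sslPolicy attached; Google Cloud default policy in use"]
    policy = policies.get(link)
    if policy is None:
        return [f"sslPolicy {link} not found"]
    reasons = []
    min_tls = policy.get("minTlsVersion")
    if min_tls != "TLS_1_2":
        reasons.append(f"minTlsVersion is {min_tls}, expected TLS_1_2")
    profile = policy.get("profile")
    if profile in STRONG_PROFILES:
        return reasons
    if profile == "CUSTOM":
        # Assumption: a CUSTOM profile is acceptable unless it enables a weak cipher.
        weak = sorted(WEAK_CIPHERS.intersection(policy.get("customFeatures", [])))
        if weak:
            reasons.append("customFeatures enables weak ciphers: " + ", ".join(weak))
        return reasons
    reasons.append(f"profile is {profile}, expected MODERN or RESTRICTED")
    return reasons


def scan_proxies(proxies, policies) -> Dict[str, List[str]]:
    """Proxy name -> reasons. The page notes real-time scans fire only when the
    proxy changes, so re-run this after editing a policy in place."""
    return {p["name"]: weak_ssl_policy_reasons(p, policies) for p in proxies}


# Constructed sample resources (not real project data).
_BASE = "https://www.googleapis.com/compute/v1/projects/example-project/global/sslPolicies/"
SAMPLE_POLICIES = {
    _BASE + "modern-tls12": {"profile": "MODERN", "minTlsVersion": "TLS_1_2"},
    _BASE + "custom-rsa": {"profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
                           "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                              "TLS_RSA_WITH_AES_128_CBC_SHA"]},
    _BASE + "compat-old": {"profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"},
}
SAMPLE_PROXIES = [
    {"name": "api-proxy", "sslPolicy": _BASE + "modern-tls12"},
    {"name": "legacy-proxy"},
    {"name": "custom-proxy", "sslPolicy": _BASE + "custom-rsa"},
    {"name": "compat-proxy", "sslPolicy": _BASE + "compat-old"},
]

if __name__ == "__main__":
    for name, reasons in scan_proxies(SAMPLE_PROXIES, SAMPLE_POLICIES).items():
        print(f"{name}: {'passes' if not reasons else '; '.join(reasons)}")
```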
Container vulnerability findings
These finding types all relate to GKE container configurations,
and belong to the CONTAINER_SCANNER detector type.
Table 5. Container scanner
Detector
Summary
Asset scan settings
Alpha cluster enabled
Category name in the API: ALPHA_CLUSTER_ENABLED
Finding description:
Alpha cluster features are enabled for a GKE cluster.
Checks the management property of
a node pool for the key-value pair, "key":"autoRepair", "value":true.
Real-time scans: Yes
Auto upgrade disabled
Category name in the API: AUTO_UPGRADE_DISABLED
Finding description:
A GKE cluster's auto upgrade feature, which
keeps clusters and node pools on the latest stable
version of Kubernetes, is disabled.
Checks the management property of
a node pool for the key-value pair, "key":"autoUpgrade", "value":true.
Real-time scans: Yes
Binary authorization disabled
Category name in the API: BINARY_AUTHORIZATION_DISABLED
Finding description:
Binary Authorization is either disabled on the GKE cluster or the
Binary Authorization policy is configured to allow all images to be deployed.
Checks whether the monitoringService
property of a cluster contains the location
Cloud Monitoring should use to write metrics.
Real-time scans: Yes
Cluster private Google access disabled
Category name in the API: CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED
Finding description:
Cluster hosts are not configured to use only private,
internal IP addresses to access Google APIs.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks the shieldedNodes property for the key-value pair "enabled":
true.
Real-time scans: Yes
COS not used
Category name in the API: COS_NOT_USED
Finding description:
Compute Engine VMs aren't using the
Container-Optimized OS that is designed for running
Docker containers on Google Cloud securely.
Checks the networkPolicy field of
the addonsConfig property for the
key-value pair, "disabled": true.
Real-time scans: Yes
Nodepool boot CMEK disabled
Category name in the API: NODEPOOL_BOOT_CMEK_DISABLED
Finding description: Boot disks in this node pool are not encrypted
with customer-managed encryption keys (CMEK). This detector requires additional
configuration to enable. For instructions, see
Enable and disable detectors.
Checks whether the access scope listed in the
config.oauthScopes property of a node pool is
a limited service account access scope:
https://www.googleapis.com/auth/devstorage.read_only,
https://www.googleapis.com/auth/logging.write,
or
https://www.googleapis.com/auth/monitoring.
Real-time scans: Yes
Pod security policy disabled
Category name in the API: POD_SECURITY_POLICY_DISABLED
Finding description: PodSecurityPolicy is disabled on a
GKE cluster.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks the podSecurityPolicyConfig
property of a cluster for the key-value pair,
"enabled": false.
Additional IAM permissions:
roles/container.clusterViewer
Additional inputs: Reads cluster information from
GKE, because pod security policies are a
Beta feature. Kubernetes has officially deprecated PodSecurityPolicy in version 1.21.
PodSecurityPolicy will be shut down in version 1.25. For information about
alternatives, refer to
PodSecurityPolicy deprecation.
Real-time scans: No
Private cluster disabled
Category name in the API: PRIVATE_CLUSTER_DISABLED
Finding description:
A GKE cluster has a Private cluster
disabled.
Checks whether the workloadIdentityConfig
property of a cluster is set. The detector also checks
whether the workloadMetadataConfig property of
a node pool is set to GKE_METADATA.
Additional IAM permissions:
roles/container.clusterViewer
Real-time scans: Yes
Dataproc vulnerability findings
Vulnerabilities of this detector type all relate to Dataproc and belong to the
DATAPROC_SCANNER detector type.
Table 6. Dataproc scanner
Detector
Summary
Asset scan settings
Dataproc CMEK disabled
Category name in the API: DATAPROC_CMEK_DISABLED
Finding description:
A Dataproc cluster was created without an encryption configuration
CMEK. With CMEK, keys that you create and manage in Cloud Key Management Service wrap the keys that
Google Cloud uses to encrypt your data, giving you more control over access to your
data.
This detector requires additional configuration to enable. For instructions, see
Enable and disable detectors.
Checks whether the kmsKeyName field in the
encryptionConfiguration property is empty.
Real-time scans: Yes
Dataproc image outdated
Category name in the API: DATAPROC_IMAGE_OUTDATED
Finding description:
A Dataproc cluster was created with a Dataproc image version
that is impacted by security vulnerabilities in the Apache Log4j 2 utility
(CVE-2021-44228
and CVE-2021-45046).
This finding category is not mapped to any compliance standard controls.
Checks whether the softwareConfig.imageVersion field in the
config
property of a Cluster is earlier than 1.3.95 or is a subminor image version earlier
than 1.4.77, 1.5.53, or 2.0.27.
Real-time scans: Yes
Dataset vulnerability findings
Vulnerabilities of this detector type all relate to BigQuery Dataset
configurations, and belong to the DATASET_SCANNER detector type.
Table 7. Dataset scanner
Detector
Summary
Asset scan settings
BigQuery table CMEK disabled
Category name in the API: BIGQUERY_TABLE_CMEK_DISABLED
Finding description:
A BigQuery table is not configured to use a
customer-managed encryption key (CMEK). This detector requires additional configuration
to enable. For instructions, see
Enable and disable detectors.
Checks whether the kmsKeyName field in the
encryptionConfiguration property is empty.
Real-time scans: Yes
Dataset CMEK disabled
Category name in the API: DATASET_CMEK_DISABLED
Finding description:
A BigQuery dataset is not configured to use a default
CMEK. This detector requires additional configuration
to enable. For instructions, see
Enable and disable detectors.
Checks whether the
defaultKeySpecs.algorithm object of the
dnssecConfig property is set to rsasha1.
Real-time scans: Yes
Firewall vulnerability findings
Vulnerabilities of this detector type all relate to firewall configurations, and
belong to the FIREWALL_SCANNER detector type.
Table 9. Firewall scanner
Detector
Summary
Asset scan settings
Egress deny rule not set
Category name in the API: EGRESS_DENY_RULE_NOT_SET
Finding description:
An egress deny rule is not set on a firewall. Egress deny
rules should be set to block unwanted outbound
traffic.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the destinationRanges property in the firewall is set to
0.0.0.0/0 and the denied property contains the key-value pair,
"IPProtocol": "all".
Additional inputs: Reads egress firewalls for a project
from storage
Real-time scans: Yes, but only on project changes, not
firewall rule changes
Firewall rule logging disabled
Category name in the API: FIREWALL_RULE_LOGGING_DISABLED
Finding description:
Firewall rule logging is disabled. Firewall rule logging
should be enabled so you can audit network access.
Checks the sourceRanges and allowed properties for one of two
configurations:
The sourceRanges property contains 0.0.0.0/0 and the
allowed property contains a combination of rules that includes any
protocol or protocol:port, except the following:
icmp
tcp:22
tcp:443
tcp:3389
udp:3389
sctp:22
The sourceRanges property contains a combination of IP ranges that
includes any non-private IP address and the allowed property contains a
combination of rules that permit either all tcp ports or all udp ports.
Checks whether the allowed property in
firewall metadata contains the following protocol and
port: TCP:23.
Real-time scans: Yes
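The firewall checks from the table above (the two open-ingress configurations, the TCP:23 check, and the egress-deny-rule check), re-implemented as an added example that is not Security Health Analytics code, over constructed VPC firewall rules in the Compute Engine API's JSON shape. Treating a missing "ports" list as every port, expanding "low-high" ranges, and using the RFC 1918 blocks as the definition of "private" are assumptions made here.

```python
"""Added example, not Security Health Analytics code: local re-implementation
of the open-firewall, TCP:23 and egress-deny checks over constructed rules."""
import ipaddress
from typing import List, Set, Tuple

ALL_PORTS = frozenset(range(0, 65536))
# Ingress protocol:port combinations the page exempts when sourceRanges has 0.0.0.0/0;
# None means every port of that protocol is exempt.
EXEMPT = {"icmp": None, "tcp": {22, 443, 3389}, "udp": {3389}, "sctp": {22}}
# Assumption: "private" means the RFC 1918 blocks.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def expand_ports(ports) -> Set[int]:
    """'22' or '80-90' entries to a set of ints; no ports list means every port."""
    if not ports:
        return set(ALL_PORTS)
    out = set()
    for spec in ports:
        lo, _, hi = spec.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def allowed_entries(rule) -> List[Tuple[str, Set[int]]]:
    """(protocol, ports) for each entry of the rule's 'allowed' list."""
    return [(e.get("IPProtocol", "all").lower(), expand_ports(e.get("ports")))
            for e in rule.get("allowed", [])]


def has_public_source(rule) -> bool:
    """True if any sourceRange lies outside the private blocks."""
    for cidr in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(p) for p in PRIVATE_NETS if p.version == net.version):
            return True
    return False


def ingress_findings(rule) -> List[str]:
    """Open-firewall reasons for one ingress rule; [] means it passes."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return []
    entries = allowed_entries(rule)
    reasons = []
    # Configuration 1: 0.0.0.0/0 source and anything beyond the exempt set.
    if "0.0.0.0/0" in rule.get("sourceRanges", []):
        for proto, ports in entries:
            exempt = EXEMPT.get(proto, set())  # 'all' or unknown protocol: nothing exempt
            if exempt is not None and not ports <= exempt:
                reasons.append(f"open to the internet: {proto} beyond the exempt ports")
                break
    # Configuration 2: any non-private source and every tcp or udp port.
    if not reasons and has_public_source(rule):
        if any(p in ("tcp", "udp", "all") and ports == ALL_PORTS for p, ports in entries):
            reasons.append("all tcp/udp ports open to a non-private source range")
    # The page's TCP:23 check, independent of the source range.
    if any(p in ("tcp", "all") and 23 in ports for p, ports in entries):
        reasons.append("tcp:23 allowed")
    return reasons


def is_egress_deny_all(rule) -> bool:
    """Egress rule denying all protocols to 0.0.0.0/0 (what EGRESS_DENY_RULE_NOT_SET looks for)."""
    return (rule.get("direction") == "EGRESS"
            and "0.0.0.0/0" in rule.get("destinationRanges", [])
            and any(d.get("IPProtocol", "").lower() == "all" for d in rule.get("denied", [])))


def scan_rules(rules) -> dict:
    """Per-rule ingress reasons plus the project-level egress-deny verdict."""
    report = {r["name"]: ingress_findings(r) for r in rules}
    report["EGRESS_DENY_RULE_NOT_SET"] = not any(is_egress_deny_all(r) for r in rules)
    return report


# Constructed sample rules (not real project data).
SAMPLE_RULES = [
    {"name": "allow-ssh-from-internet", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web-internal", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-all-tcp-from-office", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "allow-legacy-mgmt", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
    {"name": "deny-all-egress", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, result in scan_rules(SAMPLE_RULES).items():
        print(f"{name}: {result}")
```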
IAM vulnerability findings
Vulnerabilities of this detector type all relate to Identity and Access Management (IAM)
configuration, and belong to the IAM_SCANNER detector type.
Table 10. IAM Scanner
Detector
Summary
Asset scan settings
Access Transparency disabled
Category name in the API: ACCESS_TRANSPARENCY_DISABLED
Finding description:
Google Cloud Access Transparency is disabled for your organization. Access Transparency
logs when Google Cloud employees access the projects in your organization to
provide support. Enable Access Transparency to log who from Google Cloud is
accessing your information, when, and why.
Checks the IAM allow policy in resource
metadata for any user-created service accounts (indicated
by the prefix iam.gserviceaccount.com),
that are assigned roles/Owner or
roles/Editor, or a role ID that contains
admin.
Assets excluded from scans: Container Registry
service account
(containerregistry.iam.gserviceaccount.com)
and Security Command Center service account
(security-center-api.iam.gserviceaccount.com)
Real-time scans: Yes, unless the IAM
update is done on a folder
Essential Contacts Not Configured
Category name in the API: ESSENTIAL_CONTACTS_NOT_CONFIGURED
Finding description:
Your organization has not designated a person or group to receive notifications from
Google Cloud about important events such as attacks, vulnerabilities, and data incidents
within your Google Cloud organization. We recommend that you designate as an
Essential Contact one or more persons or groups in your business organization.
Checks that a contact is specified for the following essential contact categories:
Legal
Security
Suspension
Technical
Real-time scans: No
KMS role separation
Category name in the API: KMS_ROLE_SEPARATION
Finding description:
Separation of duties is not enforced, and a user exists
who has any of the following Cloud Key Management Service (Cloud KMS)
roles at the same time: CryptoKey Encrypter/Decrypter,
Encrypter, or Decrypter.
This finding isn't available for project-level activations.
Checks IAM allow policies in resource metadata
and retrieves principals assigned any of the following
roles at the same time:
roles/cloudkms.cryptoKeyEncrypterDecrypter,
roles/cloudkms.cryptoKeyEncrypter,
roles/cloudkms.cryptoKeyDecrypter,
roles/cloudkms.signer,
roles/cloudkms.signerVerifier, and
roles/cloudkms.publicKeyViewer.
Real-time scans: Yes
Non org IAM member
Category name in the API: NON_ORG_IAM_MEMBER
Finding description:
There is a user who isn't using organizational
credentials. Per CIS GCP Foundations 1.0, currently,
only identities with @gmail.com email addresses
trigger this detector.
This finding category is not mapped to any compliance standard controls.
Checks the IAM
policy in resource
metadata for any bindings
containing a member (principal) that's prefixed with group. If the
group is an open group, Security Health Analytics generates this finding.
Additional inputs: Reads
Google Groups
metadata to check whether the group identified is an open group.
Real-time scans: No
Over privileged service account user
Category name in the API: OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
Finding description:
A user has the Service Account User or
Service Account Token Creator role at
the project level, instead of for a specific service account.
Checks the IAM allow policy in resource
metadata for any principals assigned
roles/iam.serviceAccountUser or
roles/iam.serviceAccountTokenCreator at the
project level.
Assets excluded from scans: Cloud Build service
accounts
Real-time scans: Yes
Primitive roles used
Category name in the API: PRIMITIVE_ROLES_USED
Finding description:
A user has one of the following basic roles:
Owner (roles/owner)
Editor (roles/editor)
Viewer (roles/viewer)
These roles are too permissive and shouldn't be used.
Checks the IAM allow policy in resource
metadata for principals assigned
roles/redis.admin,
roles/redis.editor,
roles/redis.viewer at the organization or
folder level.
Real-time scans: Yes
Service account role separation
Category name in the API: SERVICE_ACCOUNT_ROLE_SEPARATION
Finding description:
A user has been assigned the Service Account Admin and
Service Account User roles. This violates the "Separation
of Duties" principle.
This finding isn't available for project-level activations.
Checks resource metadata for the existence of
rotationPeriod or
nextRotationTime properties.
Assets excluded from scans: Asymmetric keys and keys
with disabled or destroyed primary versions
Real-time scans: Yes
KMS project has owner
Category name in the API: KMS_PROJECT_HAS_OWNER
Finding description:
A user has Owner permissions on a project that has
cryptographic keys.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks the IAM allow policy in resource
metadata for the principals allUsers or
allAuthenticatedUsers, which grant public access.
Real-time scans: Yes
Too many KMS users
Category name in the API: TOO_MANY_KMS_USERS
Finding description:
There are more than three users of cryptographic keys.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks IAM allow policies for key rings,
projects, and organizations, and retrieves principals with
roles that allow them to encrypt, decrypt or sign data using
Cloud KMS keys: roles/owner,
roles/cloudkms.cryptoKeyEncrypterDecrypter,
roles/cloudkms.cryptoKeyEncrypter,
roles/cloudkms.cryptoKeyDecrypter,
roles/cloudkms.signer, and
roles/cloudkms.signerVerifier.
Additional inputs: Reads cryptokey versions for a cryptokey
from storage, filing findings only for keys with active
versions. The detector also reads key ring, project, and organization
IAM allow policies from storage
Real-time scans: Yes
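Several of the IAM_SCANNER checks from the table above (public principals, user-created service accounts holding Owner, Editor or an admin role, PRIMITIVE_ROLES_USED, OVER_PRIVILEGED_SERVICE_ACCOUNT_USER, KMS_ROLE_SEPARATION and TOO_MANY_KMS_USERS), re-implemented as an added example that is not Security Health Analytics code, over one constructed project-level IAM allow policy. Reading KMS_ROLE_SEPARATION as "two or more of the listed roles on one principal" and leaving out the Cloud Build exclusion are assumptions made here.

```python
"""Added example, not Security Health Analytics code: local re-implementation
of several IAM_SCANNER checks over a constructed project IAM allow policy."""
from collections import defaultdict
from typing import Dict, List, Set

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
SA_USER_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}
KMS_SEPARATION_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter", "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.signer",
    "roles/cloudkms.signerVerifier", "roles/cloudkms.publicKeyViewer",
}
# Roles the page counts for TOO_MANY_KMS_USERS (encrypt, decrypt or sign with Cloud KMS keys).
KMS_USER_ROLES = (KMS_SEPARATION_ROLES - {"roles/cloudkms.publicKeyViewer"}) | {"roles/owner"}
# Google-managed accounts the page excludes from the admin service-account check.
EXCLUDED_SA_DOMAINS = ("containerregistry.iam.gserviceaccount.com",
                       "security-center-api.iam.gserviceaccount.com")


def roles_by_principal(policy) -> Dict[str, Set[str]]:
    """Invert bindings: principal -> set of roles it holds in this policy."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out


def is_user_created_sa(member: str) -> bool:
    """serviceAccount:NAME@PROJECT.iam.gserviceaccount.com, minus the excluded Google-managed ones."""
    if not member.startswith("serviceAccount:"):
        return False
    email = member.split(":", 1)[1]
    return email.endswith(".iam.gserviceaccount.com") and not email.endswith(EXCLUDED_SA_DOMAINS)


def iam_findings(policy) -> Dict[str, List[str]]:
    """Finding category -> sorted principals that trigger it for this policy."""
    found = defaultdict(set)
    kms_users = set()
    for member, roles in roles_by_principal(policy).items():
        if member in PUBLIC_PRINCIPALS:
            found["public_access"].add(member)  # allUsers / allAuthenticatedUsers bound
        if member.startswith("user:") and roles & BASIC_ROLES:
            found["PRIMITIVE_ROLES_USED"].add(member)
        if is_user_created_sa(member) and any(
                r in ("roles/owner", "roles/editor") or "admin" in r.lower() for r in roles):
            found["admin_service_account"].add(member)  # page's Owner/Editor/admin-role SA check
        if roles & SA_USER_ROLES:  # assumption: policy is project-level
            found["OVER_PRIVILEGED_SERVICE_ACCOUNT_USER"].add(member)
        if len(roles & KMS_SEPARATION_ROLES) >= 2:  # assumption: two or more listed roles
            found["KMS_ROLE_SEPARATION"].add(member)
        if roles & KMS_USER_ROLES:
            kms_users.add(member)
    if len(kms_users) > 3:
        found["TOO_MANY_KMS_USERS"] = kms_users
    return {category: sorted(members) for category, members in found.items()}


# Constructed sample policy (not real project data).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com",
                     "serviceAccount:service-123456789012@containerregistry.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypter",
         "members": ["user:carol@example.com", "user:dave@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["user:carol@example.com", "user:erin@example.com"]},
        {"role": "roles/cloudkms.signer", "members": ["user:frank@example.com"]},
        {"role": "roles/compute.viewer", "members": ["group:auditors@example.com"]},
    ]
}

if __name__ == "__main__":
    for category, members in iam_findings(SAMPLE_POLICY).items():
        print(f"{category}: {', '.join(members)}")
```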
Logging vulnerability findings
Vulnerabilities of this detector type all relate to logging configurations, and
belong to the LOGGING_SCANNER detector type.
Table 12. Logging scanner
Detector
Summary
Asset scan settings
Audit logging disabled
Category name in the API: AUDIT_LOGGING_DISABLED
Finding description:
Audit logging has been disabled for this resource.
This finding isn't available for project-level activations.
Checks whether the logBucket field in the
bucket's logging property is empty.
Real-time scans: Yes
Locked retention policy not set
Category name in the API: LOCKED_RETENTION_POLICY_NOT_SET
Finding description:
A locked retention policy is not set for logs.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the isLocked field in the
bucket's retentionPolicy property is set to
true.
Additional inputs: Reads the log sink (the log filter and log
destination) for a bucket to determine whether it is a
log bucket
Real-time scans: Yes
Log not exported
Category name in the API: LOG_NOT_EXPORTED
Finding description:
There is a resource that doesn't have an appropriate log
sink configured.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Retrieves a logSink object in a project,
checking that the includeChildren field is set
to true, the destination field
includes the location to write logs to, and the
filter field is populated.
Additional inputs: Reads the log sink (the log filter and log
destination) for a bucket to determine whether it is a
log bucket
Real-time scans: Yes, but only on project changes, not
if log export is set up on folder or organization
Object versioning disabled
Category name in the API: OBJECT_VERSIONING_DISABLED
Finding description:
Object versioning isn't enabled on a storage bucket where
sinks are configured.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the enabled field in the
bucket's versioning property is set to
true.
Assets excluded from scans: Cloud Storage
buckets with a locked retention policy
Additional inputs: Reads the log sink (the log filter and log
destination) for a bucket to determine whether it is a
log bucket
Real-time scans: Yes, but only if object versioning
changes, not if log buckets are created
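The LOG_NOT_EXPORTED, LOCKED_RETENTION_POLICY_NOT_SET and OBJECT_VERSIONING_DISABLED checks in Table 12, combined into one added example (not Security Command Center's own code). It assumes log sinks in the Cloud Logging LogSink shape (destination, filter, includeChildren) and bucket metadata with retentionPolicy.isLocked and versioning.enabled, and, as the table's "Additional inputs" describe, treats a bucket as a log bucket when a sink's destination points at it.

```python
"""Emulates three Logging scanner checks from the table above (added example,
not Google's detector code). Inputs are constructed: a project's log sinks in
the LogSink shape and Cloud Storage bucket metadata. A bucket is a 'log
bucket' when some sink's destination names it."""

STORAGE_PREFIX = "storage.googleapis.com/"  # LogSink destination form for buckets


def sink_is_complete(sink):
    """LOG_NOT_EXPORTED: includeChildren is true, a destination is set and the
    filter is populated."""
    return (sink.get("includeChildren") is True
            and bool(sink.get("destination"))
            and bool(sink.get("filter", "").strip()))


def log_buckets(sinks):
    """Names of the Cloud Storage buckets that sinks write to."""
    names = set()
    for sink in sinks:
        dest = sink.get("destination", "")
        if dest.startswith(STORAGE_PREFIX):
            names.add(dest[len(STORAGE_PREFIX):])
    return names


def evaluate_logging(project_id, sinks, buckets):
    """Return (category, resource) pairs for the findings the project would get."""
    findings = []
    if not any(sink_is_complete(s) for s in sinks):
        findings.append(("LOG_NOT_EXPORTED", f"projects/{project_id}"))
    destinations = log_buckets(sinks)
    for bucket in buckets:
        if bucket["name"] not in destinations:
            continue  # both bucket checks apply to log buckets only
        resource = f"//storage.googleapis.com/{bucket['name']}"
        if bucket.get("retentionPolicy", {}).get("isLocked") is True:
            continue  # locked: compliant, and excluded from the versioning scan
        findings.append(("LOCKED_RETENTION_POLICY_NOT_SET", resource))
        if bucket.get("versioning", {}).get("enabled") is not True:
            findings.append(("OBJECT_VERSIONING_DISABLED", resource))
    return findings


# Constructed sample: an audit-log sink to a bucket that is neither locked nor versioned.
SAMPLE_SINKS = [
    {"name": "audit-logs-to-gcs",
     "destination": "storage.googleapis.com/example-audit-logs",
     "filter": 'logName:"cloudaudit.googleapis.com"',
     "includeChildren": True},
    {"name": "_Default",  # project default sink: includeChildren not set
     "destination": "logging.googleapis.com/projects/example-project/locations/global/buckets/_Default",
     "filter": 'NOT LOG_ID("cloudaudit.googleapis.com/activity")'},
]
SAMPLE_BUCKETS = [
    {"name": "example-audit-logs",
     "retentionPolicy": {"retentionPeriod": "31536000", "isLocked": False},
     "versioning": {"enabled": False}},
    {"name": "example-app-assets", "versioning": {"enabled": False}},  # not a log bucket
]

if __name__ == "__main__":
    for category, resource in evaluate_logging("example-project", SAMPLE_SINKS, SAMPLE_BUCKETS):
        print(category, resource)
```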
Monitoring vulnerability findings
Vulnerabilities of this detector type all relate to monitoring configurations,
and belong to the MONITORING_SCANNER type. All Monitoring detector finding
properties include:
The RecommendedLogFilter to use in creating the log metrics.
The QualifiedLogMetricNames that cover the conditions listed in the
recommended log filter.
The AlertPolicyFailureReasons that indicate if the project does not have
alert policies created for any of the qualified log metrics or the existing
alert policies don't have the recommended settings.
Table 13. Monitoring scanner (columns: Detector, Summary, Asset scan settings)
Audit config not monitored
Category name in the API: AUDIT_CONFIG_NOT_MONITORED
Finding description:
Log metrics and alerts aren't configured to monitor Audit
Configuration changes.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*,
and if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
Additional IAM permissions:
roles/monitoring.alertPolicyViewer
Additional inputs: Reads log metrics for the project from
storage.
Reads Google Cloud Observability account information from
Google Cloud Observability, filing findings only for
projects with active accounts
Real-time scans: Yes, but only on project changes, not
on log metrics and alert changes
Bucket IAM not monitored
Category name in the API: BUCKET_IAM_NOT_MONITORED
Finding description:
Log metrics and alerts aren't configured to monitor
Cloud Storage IAM permission changes.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type=gcs_bucket AND
protoPayload.methodName="storage.setIamPermissions".
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
Additional IAM permissions:
roles/monitoring.alertPolicyViewer
Additional inputs: Reads log metrics for the project from
storage.
Reads Google Cloud Observability account information from
Google Cloud Observability, filing findings only for
projects with active accounts
Real-time scans: Yes, but only on project changes, not
on log metrics and alert changes
Custom role not monitored
Category name in the API: CUSTOM_ROLE_NOT_MONITORED
Finding description:
Log metrics and alerts aren't configured to monitor
Custom Role changes.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="iam_role" AND
(protoPayload.methodName="google.iam.admin.v1.CreateRole"
OR
protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR
protoPayload.methodName="google.iam.admin.v1.UpdateRole").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
Additional IAM permissions:
roles/monitoring.alertPolicyViewer
Additional inputs: Reads log metrics for the project from
storage.
Reads Google Cloud Observability account information from
Google Cloud Observability, filing findings only for
projects with active accounts
Real-time scans: Yes, but only on project changes, not
on log metrics and alert changes
Firewall not monitored
Category name in the API: FIREWALL_NOT_MONITORED
Finding description:
Log metrics and alerts aren't configured to monitor
Virtual Private Cloud (VPC) Network Firewall rule changes.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_firewall_rule"
AND (protoPayload.methodName:"compute.firewalls.insert"
OR protoPayload.methodName:"compute.firewalls.patch"
OR protoPayload.methodName:"compute.firewalls.delete").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
Additional IAM permissions:
roles/monitoring.alertPolicyViewer
Additional inputs: Reads log metrics for the project from
storage.
Reads Google Cloud Observability account information from
Google Cloud Observability, filing findings only for
projects with active accounts
Real-time scans: Yes, but only on project changes, not
on log metrics and alert changes
Network not monitored
Category name in the API: NETWORK_NOT_MONITORED
Finding description:
Log metrics and alerts aren't configured to monitor
VPC network changes.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_network"
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
Additional IAM permissions:
roles/monitoring.alertPolicyViewer
Additional inputs: Reads log metrics for the project from
storage.
Reads Google Cloud Observability account information from
Google Cloud Observability, filing findings only for
projects with active accounts
Real-time scans: Yes, but only on project changes, not
on log metrics and alert changes
Owner not monitored
Category name in the API: OWNER_NOT_MONITORED
Finding description:
Log metrics and alerts aren't configured to monitor
Project Ownership assignments or changes.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the filter property of the
project's LogsMetric resource is set to
(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee) OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner"),
and if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
Additional IAM permissions:
roles/monitoring.alertPolicyViewer
Additional inputs: Reads log metrics for the project from
storage.
Reads Google Cloud Observability account information from
Google Cloud Observability, filing findings only for
projects with active accounts
Real-time scans: Yes, but only on project changes, not
on log metrics and alert changes
Route not monitored
Category name in the API: ROUTE_NOT_MONITORED
Finding description:
Log metrics and alerts aren't configured to monitor
VPC network route changes.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_route"
AND (protoPayload.methodName:"compute.routes.delete"
OR protoPayload.methodName:"compute.routes.insert").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
Additional IAM permissions:
roles/monitoring.alertPolicyViewer
Additional inputs: Reads log metrics for the project from
storage.
Reads Google Cloud Observability account information from
Google Cloud Observability, filing findings only for
projects with active accounts
Real-time scans: Yes, but only on project changes, not
on log metrics and alert changes
SQL instance not monitored
Category name in the API: SQL_INSTANCE_NOT_MONITORED
Finding description:
Log metrics and alerts aren't configured to monitor
Cloud SQL instance configuration changes.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName="cloudsql.instances.update"
OR protoPayload.methodName="cloudsql.instances.create"
OR protoPayload.methodName="cloudsql.instances.delete",
and if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
Additional IAM permissions:
roles/monitoring.alertPolicyViewer
Additional inputs: Reads log metrics for the project from
storage.
Reads Google Cloud Observability account information from
Google Cloud Observability, filing findings only for
projects with active accounts
Real-time scans: Yes, but only on project changes, not
on log metrics and alert changes
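How the Table 13 detectors arrive at their finding properties, as an added example (not Security Command Center's own code). It assumes log metrics in the Cloud Logging LogMetric shape (name, filter) and alert policies in the Cloud Monitoring AlertPolicy shape (conditions[].conditionThreshold.filter, notificationChannels); the failure-reason wording is constructed, since the page does not list the real AlertPolicyFailureReasons values.

```python
"""Emulates the Monitoring scanner logic from the table above (added example,
not Google's detector code). Inputs are constructed: LogMetric and AlertPolicy
objects in their API JSON shapes. Failure-reason strings are constructed."""
import re

# Recommended filters, copied from the detector table.
RECOMMENDED_FILTERS = {
    "AUDIT_CONFIG_NOT_MONITORED":
        'protoPayload.methodName="SetIamPolicy" AND '
        'protoPayload.serviceData.policyDelta.auditConfigDeltas:*',
    "BUCKET_IAM_NOT_MONITORED":
        'resource.type=gcs_bucket AND '
        'protoPayload.methodName="storage.setIamPermissions"',
    "ROUTE_NOT_MONITORED":
        'resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" '
        'OR protoPayload.methodName:"compute.routes.insert")',
}
# Categories whose recommended filter has no resource.type clause; the table
# says that if one is present its value must be global.
OPTIONAL_GLOBAL = {"AUDIT_CONFIG_NOT_MONITORED"}


def normalize(filter_text):
    """Collapse whitespace and drop quotes around simple values so that
    resource.type=gcs_bucket and resource.type="gcs_bucket" compare equal."""
    text = re.sub(r"\s+", " ", filter_text.strip())
    return re.sub(r'=\s*"([^"\s()]+)"', r"=\1", text)


def qualified_metrics(category, log_metrics):
    """Names of log metrics whose filter matches the recommended one."""
    want = normalize(RECOMMENDED_FILTERS[category])
    names = []
    for metric in log_metrics:
        have = normalize(metric.get("filter", ""))
        if category in OPTIONAL_GLOBAL:
            have = re.sub(r"^resource\.type=global AND ", "", have)
        if have == want:
            names.append(metric["name"])
    return names


def alert_failure_reasons(metric_names, alert_policies):
    """A qualified metric needs an alert policy whose condition filter uses it
    and that has at least one notification channel."""
    reasons = []
    for name in metric_names:
        metric_type = f'"logging.googleapis.com/user/{name}"'
        matching = [p for p in alert_policies
                    if any(metric_type in c.get("conditionThreshold", {}).get("filter", "")
                           for c in p.get("conditions", []))]
        if not matching:
            reasons.append(f"{name}: no alert policy condition uses this metric")
        elif not any(p.get("notificationChannels") for p in matching):
            reasons.append(f"{name}: alert policy has no notification channels")
    return reasons


def evaluate(log_metrics, alert_policies):
    """One finding dict per category that is not properly monitored."""
    findings = []
    for category, recommended in RECOMMENDED_FILTERS.items():
        names = qualified_metrics(category, log_metrics)
        reasons = alert_failure_reasons(names, alert_policies)
        if not names:
            reasons = ["no log metric has the recommended filter"]
        if reasons:
            findings.append({"category": category,
                             "RecommendedLogFilter": recommended,
                             "QualifiedLogMetricNames": names,
                             "AlertPolicyFailureReasons": reasons})
    return findings


# Constructed sample project state.
SAMPLE_LOG_METRICS = [
    {"name": "audit-config-changes",  # compliant: resource.type is global
     "filter": 'resource.type="global" AND protoPayload.methodName="SetIamPolicy"\n'
               '  AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*'},
    {"name": "bucket-iam-changes",  # metric matches, but its alert has no channel
     "filter": 'resource.type="gcs_bucket" AND\n'
               '  protoPayload.methodName="storage.setIamPermissions"'},
    {"name": "route-inserts",  # too narrow: route deletes are not covered
     "filter": 'resource.type="gce_route" AND protoPayload.methodName:"compute.routes.insert"'},
]
SAMPLE_ALERT_POLICIES = [
    {"displayName": "Audit config changed",
     "conditions": [{"conditionThreshold": {
         "filter": 'metric.type="logging.googleapis.com/user/audit-config-changes"'}}],
     "notificationChannels": ["projects/example-project/notificationChannels/1"]},
    {"displayName": "Bucket IAM changed",
     "conditions": [{"conditionThreshold": {
         "filter": 'metric.type="logging.googleapis.com/user/bucket-iam-changes"'}}],
     "notificationChannels": []},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG_METRICS, SAMPLE_ALERT_POLICIES):
        print(finding["category"], finding["AlertPolicyFailureReasons"])
```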
Multi-factor authentication findings
The MFA_SCANNER detector identifies vulnerabilities related to multi-factor
authentication for users.
Table 14. Multi-factor authentication scanner (columns: Detector, Summary, Asset scan settings)
MFA not enforced
Category name in the API: MFA_NOT_ENFORCED
There are users who aren't using 2-Step Verification.
Google Workspace lets you specify an enrollment grace period for new users
during which they must enroll in 2-Step Verification. This detector does create findings for
users during the enrollment grace period.
This finding isn't available for project-level activations.
Evaluates identity management policies in organizations
and user settings for managed accounts in Cloud Identity.
Assets excluded from scans: Organization units
granted exceptions to the policy
Additional inputs: Reads data from
Google Workspace
Real-time scans: No
Network vulnerability findings
Vulnerabilities of this detector type all relate to an organization's network
configurations, and belong to the NETWORK_SCANNER type.
Table 15. Network scanner (columns: Detector, Summary, Asset scan settings)
Default network
Category name in the API: DEFAULT_NETWORK
Finding description:
The default network exists in a project.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the name property in
network metadata is set to default
Assets excluded from scans: Projects where Compute Engine
API is disabled and Compute Engine resources are in a
frozen state
Real-time scans: Yes
DNS logging disabled
Category name in the API: DNS_LOGGING_DISABLED
Finding description:
DNS logging on a VPC network is not enabled.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks all policies that are
associated with a VPC network through the networks[].networkUrl
field, and looks for at least one policy that has enableLogging
set to true.
Assets excluded from scans: Projects where Compute Engine
API is disabled and Compute Engine resources are in a
frozen state
Real-time scans: Yes
Legacy network
Category name in the API: LEGACY_NETWORK
Finding description:
A legacy network exists in a project.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
Checks whether the enableLogging property
of the backend service on the load balancer is set to true.
Real-time scans: Yes
Organization Policy vulnerability findings
Vulnerabilities of this detector type all relate to configurations of
Organization Policy
constraints, and belong to the ORG_POLICY type.
Table 16. Org policy scanner (columns: Detector, Summary, Asset scan settings)
Org policy Confidential VM policy
Category name in the API: ORG_POLICY_CONFIDENTIAL_VM_POLICY
Finding description:
A Compute Engine resource is out of compliance with
the
constraints/compute.restrictNonConfidentialComputing
organization policy. For more information about this org
policy constraint, see
Enforcing organization policy
constraints in Confidential VM.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
This finding category is not mapped to any compliance standard controls.
Checks whether the
enableConfidentialCompute property of a
Compute Engine instance is set to true.
Assets excluded from scans: GKE
instances
Additional IAM permissions:
permissions/orgpolicy.policy.get
Additional inputs: Reads the effective org policy from the
org policy service
Real-time scans: No
Org policy location restriction
Category name in the API: ORG_POLICY_LOCATION_RESTRICTION
Finding description:
A Compute Engine resource is out of compliance with
the constraints/gcp.resourceLocations
constraint. For more information about this org policy
constraint, see Enforcing
organization policy constraints.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
1 Because Cloud KMS assets cannot be deleted, the
asset is not considered out-of-region if the asset's data has been
destroyed.
2 Because Cloud KMS import jobs have a controlled
lifecycle and cannot be terminated early, an ImportJob is not considered
out-of-region if the job is expired and can no longer be used to import
keys.
3 Because the lifecycle of Dataflow jobs
cannot be managed, a Job is not considered out-of-region once it has
reached a terminal state (stopped or drained), where it can no longer be
used to process data.
Pub/Sub vulnerability findings
Vulnerabilities of this detector type all relate to Pub/Sub
configurations, and belong to the PUBSUB_SCANNER type.
Table 17. Pub/Sub scanner (columns: Detector, Summary, Asset scan settings)
Pubsub CMEK disabled
Category name in the API: PUBSUB_CMEK_DISABLED
Finding description:
A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK).
This detector requires additional configuration
to enable. For instructions, see
Enable and disable detectors.
Checks whether the
automated_backup_policy.enabled property in the metadata of an
AlloyDB for PostgreSQL cluster is set to true.
Assets excluded from scans: AlloyDB for PostgreSQL secondary
clusters
Real-time scans: Yes
AlloyDB log min error statement severity
Category name in the API: ALLOYDB_LOG_MIN_ERROR_STATEMENT_SEVERITY
Finding description:
The log_min_error_statement database flag for an AlloyDB for PostgreSQL
instance is not set to error or another recommended value.
To ensure adequate coverage of message types in the logs, issues a finding if the
log_min_error_statement field of the databaseFlags property is
not set to one of the following values:
debug5, debug4, debug3, debug2,
debug1, info, notice, warning, or
the default value error.
Real-time scans: Yes
AlloyDB log min messages
Category name in the API: ALLOYDB_LOG_MIN_MESSAGES
Finding description:
The log_min_messages database flag for an AlloyDB for PostgreSQL instance
is not set to warning or another recommended value.
To ensure adequate coverage of message types in the logs, issues a finding if the
log_min_messages field of the databaseFlags property is not
set to one of the following values:
debug5, debug4, debug3,
debug2, debug1, info,
notice, or the default value warning.
Real-time scans: Yes
AlloyDB log error verbosity
Category name in the API: ALLOYDB_LOG_ERROR_VERBOSITY
Finding description:
The log_error_verbosity database flag for an AlloyDB for PostgreSQL
instance is not set to default or another recommended value.
To ensure adequate coverage of message types in the logs, issues a finding if the
log_error_verbosity field of the databaseFlags property is
not set to one of the following values: verbose or the default value
default.
Real-time scans: Yes
Auto backup disabled
Category name in the API: AUTO_BACKUP_DISABLED
Finding description:
A Cloud SQL database doesn't have automatic
backups enabled.
Checks whether the sslMode property of
the Cloud SQL instance is set to an approved SSL mode, either
ENCRYPTED_ONLY or TRUSTED_CLIENT_CERTIFICATE_REQUIRED.
Real-time scans: Yes
SQL CMEK disabled
Category name in the API: SQL_CMEK_DISABLED
Finding description: A SQL database instance is not encrypted with
customer-managed encryption keys (CMEK). This detector requires additional configuration
to enable. For instructions, see
Enable and disable detectors.
Checks the databaseFlags property of instance metadata for the
key-value pair, "name": "contained database
authentication", "value": "on" or whether it is
enabled by default.
Real-time scans: Yes
SQL cross DB ownership chaining
Category name in the API: SQL_CROSS_DB_OWNERSHIP_CHAINING
Finding description:
The cross_db_ownership_chaining database
flag for a Cloud SQL for SQL Server instance is not set to
off.
Checks whether the log_min_error_statement field
of the databaseFlags property is set to
one of the following values:
debug5, debug4, debug3,
debug2, debug1, info,
notice, warning, or the default
value error.
Real-time scans: Yes
SQL log min error statement severity
Category name in the API: SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
Finding description:
The log_min_error_statement database flag for a
Cloud SQL for PostgreSQL instance does not have an appropriate severity level.
To ensure adequate coverage of message types in the logs, issues a finding if the
log_min_messages field of the databaseFlags property is not
set to one of the following values:
debug5, debug4, debug3,
debug2, debug1, info,
notice, or the default value warning.
Real-time scans: Yes
SQL log executor stats enabled
Category name in the API: SQL_LOG_EXECUTOR_STATS_ENABLED
Finding description:
The log_executor_stats database flag for a
Cloud SQL for PostgreSQL instance is not set to
off.
Checks the databaseFlags property of instance metadata for the key-value
pair "name": "log_temp_files", "value":
"0".
Real-time scans: Yes
SQL no root password
Category name in the API: SQL_NO_ROOT_PASSWORD
Finding description: A Cloud SQL database that has
a public IP address doesn't have a
password configured for the root account. This detector requires additional
configuration to enable. For instructions, see
Enable and disable detectors.
Checks the databaseFlags property of instance metadata for the key-value
pair "name": "user options", "value":
"" (empty).
Real-time scans: Yes
SQL weak root password
Category name in the API: SQL_WEAK_ROOT_PASSWORD
Finding description: A Cloud SQL database that has
a public IP address also has a weak password
configured for the root account. This detector requires additional configuration to
enable. For instructions, see
Enable and disable detectors.
This finding category is not mapped to any compliance standard controls.
Compares the password for the root account of your
Cloud SQL database to a list of common
passwords.
Additional IAM permissions:
roles/cloudsql.client
Additional inputs: Queries live instances
Real-time scans: No
Storage vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Storage bucket
configurations, and belong to the STORAGE_SCANNER type.
Table 19. Storage scanner (columns: Detector, Summary, Asset scan settings)
Bucket CMEK disabled
Category name in the API: BUCKET_CMEK_DISABLED
Finding description: A bucket is not encrypted with customer-managed
encryption keys (CMEK). This detector requires additional configuration to enable. For
instructions, see
Enable and disable detectors.
Checks whether the enableFlowLogs property
of Compute Engine subnetworks is missing or set to
false.
Assets excluded from scans:
Serverless VPC Access, load balancer subnetworks
Real-time scans: Yes
Flow logs settings not recommended
Category name in the API: VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
Finding description:
For a VPC subnetwork, VPC Flow Logs is either off or is not
configured according to CIS Benchmark 1.3 recommendations.
This detector requires additional configuration to enable. For instructions, see
Enable and disable detectors.
Checks whether the enableFlowLogs property
of VPC subnetworks is missing or set to
false.
If VPC Flow Logs is enabled, checks that the Aggregation Interval
property is set to 5 SEC, Include metadata is set to true, and the
Sample rate is set to 100%.
Assets excluded from scans:
Serverless VPC Access, load balancer subnetworks
Real-time scans: Yes
Private Google access disabled
Category name in the API: PRIVATE_GOOGLE_ACCESS_DISABLED
Finding description:
There are private subnetworks without access to Google public
APIs.
Checks whether the privateIpGoogleAccess
property of Compute Engine subnetworks is set to
false.
Real-time scans: Yes
Security posture service
The security posture
service is a built-in service for the
Security Command Center Premium tier that lets you define, assess, and monitor the overall
status of your security in Google Cloud. It provides information about how
your environment aligns with the policies that you define in your security
posture.
The security posture service isn't related to the GKE
security posture dashboard, which only shows findings in GKE
clusters.
Security posture service findings
Security posture findings (columns: Finding, Summary)
SHA Canned Module Drifted
Category name in the API: SECURITY_POSTURE_DETECTOR_DRIFT
Finding description:
The security posture service detected a change to a Security Health Analytics detector that occurred outside of a posture update.
This finding requires that you accept the change or revert the change so that the detector settings in your posture and your environment match. You have two options to resolve this finding: you can update the Security Health Analytics detector or you can update the posture and posture deployment.
To revert the change, update the Security Health Analytics detector in the Google Cloud console. For instructions, see Enable and disable detectors.
To accept the change, complete the following:
Update the posture.yaml file with the change.
Run the gcloud scc postures update command. For instructions, see Update a posture.
Category name in the API: SECURITY_POSTURE_DETECTOR_DRIFT
Finding description:
The security posture service detected a change to a Security Health Analytics custom module that occurred outside of a posture update.
This finding requires that you accept the change or revert the change so that the custom module settings in your posture and your environment match. You have two options to resolve this finding: you can update the Security Health Analytics custom module or you can update the posture and posture deployment.
To revert the change, update the Security Health Analytics custom module in the Google Cloud console. For instructions, see Update a custom module.
To accept the change, complete the following:
Update the posture.yaml file with the change.
Run the gcloud scc postures update command. For instructions, see Update a posture.
Category name in the API: SECURITY_POSTURE_DETECTOR_DELETE
Finding description:
The security posture service detected that a Security Health Analytics
custom module was deleted. This deletion occurred outside of a posture update.
This finding requires that you accept the change or revert the change so that the custom module settings in your posture and your environment match. You have two options to resolve this finding: you can update the Security Health Analytics custom module or you can update the posture and posture deployment.
To revert the change, update the Security Health Analytics custom module in the Google Cloud console. For instructions, see Update a custom module.
To accept the change, complete the following:
Update the posture.yaml file with the change.
Run the gcloud scc postures update command. For instructions, see Update a posture.
This finding requires that you accept the change or revert the change so that the organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the organization policy or you can update the posture and posture deployment.
To revert the change, update the organization policy in the Google Cloud console. For instructions, see Creating and editing policies.
To accept the change, complete the following:
Update the posture.yaml file with the change.
Run the gcloud scc postures update command. For instructions, see Update a posture.
Category name in the API: SECURITY_POSTURE_POLICY_DELETE
Finding description:
The security posture service detected that an organization policy was deleted. This deletion occurred outside of a posture update.
This finding requires that you accept the change or revert the change so that the organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the organization policy or you can update the posture and posture deployment.
To revert the change, update the organization policy in the Google Cloud console. For instructions, see Creating and editing policies.
To accept the change, complete the following:
Update the posture.yaml file with the change.
Run the gcloud scc postures update command. For instructions, see Update a posture.
This finding requires that you accept the change or revert the change so that the custom organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the custom organization policy or you can update the posture and posture deployment.
To revert the change, update the custom organization policy in the Google Cloud console. For instructions, see Update a custom constraint.
To accept the change, complete the following:
Update the posture.yaml file with the change.
Run the gcloud scc postures update command. For instructions, see Update a posture.
Category name in the API: SECURITY_POSTURE_POLICY_DELETE
Finding description:
The security posture service detected that a custom organization policy was deleted. This deletion occurred outside of a posture update.
This finding requires that you accept the change or revert the change so that the custom organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the custom organization policy or you can update the posture and posture deployment.
To revert the change, update the custom organization policy in the Google Cloud console. For instructions, see Update a custom constraint.
To accept the change, complete the following:
Update the posture.yaml file with the change.
Run the gcloud scc postures update command. For instructions, see Update a posture.
Sensitive Data Protection is a fully managed Google Cloud service that helps you
discover, classify, and protect your sensitive data. You can use
Sensitive Data Protection to determine whether you're storing sensitive or personally
identifiable information (PII), like the following:
Person names
Credit card numbers
National or state ID numbers
Health insurance ID numbers
Secrets
In Sensitive Data Protection, each type of sensitive data that you search for is called
an infoType.
If you configure your Sensitive Data Protection operation to send
results to Security Command Center, you can see the findings directly in the
Security Command Center section of the Google Cloud console, in addition to the
Sensitive Data Protection section.
Vulnerability findings from the Sensitive Data Protection discovery service
The Sensitive Data Protection discovery service helps you determine
whether your Cloud Functions environment variables contain secrets, such as
passwords, authentication tokens, and Google Cloud credentials. For a full list
of secret types that Sensitive Data Protection detects in this feature,
see Credentials and secrets.
Columns: Finding type, Finding description, Compliance standards
Secrets in environment variables
Category name in the API: SECRETS_IN_ENVIRONMENT_VARIABLES
This detector checks for secrets in Cloud Functions environment variables.
From the time you turn on secrets discovery in Sensitive Data Protection, it
can take up to 12 hours for the initial scan of environment variables to
complete. Subsequently, Sensitive Data Protection scans environment variables
every 24 hours. In practice, scans can run more frequently than that.
Observation findings from Sensitive Data Protection
This section describes the observation findings that Sensitive Data Protection generates in Security Command Center.
Observation findings from the discovery service
The Sensitive Data Protection discovery service helps you determine whether your
BigQuery data contains specific infoTypes and where they reside in your
organization, folders, and projects.
A discovery operation generates profiles of the underlying BigQuery
data at the project, table, and column levels. Each table data profile generates
the following finding categories in Security Command Center:
Data sensitivity
An indication of the sensitivity level of the data in a particular table.
Data is sensitive if it contains PII or other elements that might require
additional control or management. The severity of the finding is the
sensitivity level that Sensitive Data Protection
calculated when
generating the data profile.
Data risk
The risk associated with the data in its current state. When calculating data
risk, Sensitive Data Protection considers the sensitivity level of the data in the
table and the presence of access controls to protect that data. The
severity of the finding is the data risk level that
Sensitive Data Protection
calculated when generating
the data profile.
From the time Sensitive Data Protection generates the data profiles, it can
take up to six hours for the associated Data sensitivity and Data risk
findings to appear in Security Command Center.
For information on how to send data profile results to Security Command Center, see
one of the following:
Observation findings from the Sensitive Data Protection inspection service
A Sensitive Data Protection inspection job identifies each instance of data
of a specific infoType in a storage system like a Cloud Storage bucket or a
BigQuery table. For example, you can run an inspection job that
searches for all strings that match the CREDIT_CARD_NUMBER infoType detector
in a Cloud Storage bucket.
For each infoType detector that has one or more matches, Sensitive Data Protection
generates a corresponding Security Command Center finding. The finding category is
the name of the infoType detector that had a match—for example, Credit
card number. The finding includes the number of matching strings that were
detected in text or images in the resource.
For security reasons, the actual strings that were detected aren't included in
the finding. For example, a Credit card number finding shows how many
credit card numbers were found, but doesn't show the actual credit card numbers.
Because there are more than 150 built-in infoType detectors in
Sensitive Data Protection, all possible Security Command Center finding categories aren't
listed here. For a full list of infoType detectors, see InfoType detector
reference.
In the Quick filters section, in the Source display name
subsection, select Sensitive Data Protection.
The table is populated with Sensitive Data Protection findings.
To view details of a specific finding, click the finding name under
Category. The details panel for
the finding opens and displays the Summary tab.
On the Summary tab, review the information about the finding,
including information about what was detected, the resource that
was affected, and more.
VM Manager
VM Manager is a suite of tools that
can be used to manage operating systems for large virtual machine (VM) fleets
running Windows and Linux on Compute Engine.
To use VM Manager with project-level activations
of Security Command Center Premium, activate Security Command Center Standard
in the parent organization.
If you enable VM Manager with
the Security Command Center Premium tier, VM Manager
automatically writes high and critical findings from its vulnerability reports, which
are in preview, to Security Command Center. The reports identify vulnerabilities in
operating systems (OS) that are installed on VMs, including Common Vulnerabilities and
Exposures (CVEs).
Vulnerability reports are not available for Security Command Center Standard.
Findings simplify the process of using VM Manager's Patch
Compliance feature, which is in preview. The feature lets you conduct patch
management at the organization level across
all of your projects. Currently, VM Manager supports patch
management at the single project level.
Findings appear in Security Command Center shortly after vulnerabilities are detected.
Vulnerability reports in VM Manager are generated as follows:
For most vulnerabilities in the installed OS package, the OS Config
API generates a vulnerability report within a few minutes of the change.
For CVEs, the OS Config API generates the vulnerability report within three to
four hours after the CVE is published to the OS.
Web Security Scanner
Web Security Scanner
provides managed and custom web vulnerability scanning for public
App Engine, GKE, and Compute Engine serviced web
applications.
Managed scans
Web Security Scanner managed scans are configured and managed by
Security Command Center. Managed scans automatically run once each week to detect and
scan public web endpoints. These scans don't use authentication and they send
GET-only requests so they don't submit any forms on live websites.
Managed scans run separately from custom scans.
If Security Command Center is activated at the organization level,
you can use managed scans to centrally manage basic web application
vulnerability detection for projects in your organization, without having to
involve individual project teams. When findings are discovered, you can work
with those teams to set up more comprehensive custom scans.
When you enable Web Security Scanner as a service, managed scan findings are
automatically available in the Security Command Center Vulnerabilities page and
related reports. For information about how to enable Web Security Scanner
managed scans, see configuring Security Command Center.
Managed scans support only applications that use the default port, which is 80
for HTTP connections and 443 for HTTPS connections. If your application uses
a non-default port, run a custom scan instead.
Custom scans
Web Security Scanner custom scans provide granular information about
application vulnerability findings, like outdated libraries, cross-site
scripting, or use of mixed content.
Web Security Scanner supports categories in the
OWASP Top Ten,
a document that ranks and provides remediation guidance for the top 10 most
critical web application security risks, as determined by the Open Web
Application Security Project (OWASP). For guidance on mitigating OWASP risks,
see OWASP Top 10 mitigation options on Google Cloud.
The compliance mapping is included for reference and is not provided or reviewed
by the OWASP Foundation.
This functionality is only intended for you to monitor for compliance controls
violations. The mappings are not provided for use as the basis of, or as a
substitute for, the audit, certification, or report of compliance of your
products or services with any regulatory or industry benchmarks or standards.
Web Security Scanner custom and managed scans identify the following finding types.
In the Standard tier, Web Security Scanner supports custom scans of deployed applications
with public URLs and IPs that aren't behind a firewall.
Category
Finding description
OWASP 2017 Top 10
OWASP 2021 Top 10
Accessible Git repository
Category name in the API: ACCESSIBLE_GIT_REPOSITORY
A Git repository is exposed publicly. To resolve this finding, remove
unintentional public access to the Git repository.
Category name in the API: INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION
A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header
before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this
finding, validate that the expected root domain is part of the Origin header value before
reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards,
prepend the dot to the root domain—for example, .endsWith(".google.com").
Category name in the API: INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION
A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header
before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this
finding, validate that the expected domain fully matches the Origin header value before
reflecting it in the Access-Control-Allow-Origin response header—for example,
.equals(".google.com").
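The two CORS findings above come from the same mistake: matching only one end of the Origin header before reflecting it. The following added example (not Web Security Scanner's or Google's code) shows both weak checks beside a strict one. The allowed domain example.com is an assumption, and the Origin values are constructed.

```python
"""Origin validation before reflecting it in Access-Control-Allow-Origin.

Added example, not Web Security Scanner's or Google's code. ALLOWED_ROOT is an
assumption; the Origin values used to exercise it are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_ROOT = "example.com"   # assumption: the application's own domain


def allow_origin_ends_with(origin: str) -> Optional[str]:
    """Weak check of the kind INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION reports:
    without the leading dot, https://evilexample.com also ends with the root."""
    return origin if origin.endswith(ALLOWED_ROOT) else None


def allow_origin_starts_with(origin: str) -> Optional[str]:
    """Weak check of the kind INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION reports:
    https://example.com.evil.net starts with the expected origin."""
    return origin if origin.startswith("https://" + ALLOWED_ROOT) else None


def allow_origin_strict(origin: str) -> Optional[str]:
    """Parse the Origin, reject anything that is not exactly https://host, then
    allow the root domain or a subdomain of it (dot included in the suffix)."""
    parts = urlsplit(origin)
    host = parts.hostname            # lower-cased, brackets and port removed
    if parts.scheme != "https" or not host:
        return None                  # also rejects the literal value "null"
    if origin != f"https://{parts.netloc}" or parts.netloc.lower() != host:
        # Rejects userinfo (https://example.com@evil.net), explicit ports and
        # anything after the authority; a browser never sends those in Origin.
        return None
    if host == ALLOWED_ROOT or host.endswith("." + ALLOWED_ROOT):
        return f"https://{host}"     # echo a normalised value, not the raw header
    return None


if __name__ == "__main__":
    for probe in ("https://app.example.com", "https://evilexample.com",
                  "https://example.com.evil.net", "https://example.com@evil.net"):
        print(probe, allow_origin_ends_with(probe), allow_origin_starts_with(probe),
              allow_origin_strict(probe))
```

When the response reflects a per-request origin, also send `Vary: Origin` so caches do not serve one origin's response to another, and never pair a reflected origin with credentials unless the origin was validated this strictly.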
A resource was loaded that doesn't match the response's Content-Type HTTP
header. To resolve this finding, set X-Content-Type-Options HTTP header
with the correct value.
Category name in the API: MISMATCHING_SECURITY_HEADER_VALUES
A security header has duplicated, mismatching values, which result in
undefined behavior. To resolve this finding, set HTTP security headers
correctly.
Category name in the API: SERVER_SIDE_REQUEST_FORGERY
A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an
allowlist to limit the domains and IP addresses that the web application can make requests to.
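An allowlist for outbound requests is only effective if it is applied to the parsed URL and to the address the application will actually connect to, not to the raw string. The following added example (not Web Security Scanner's or Google's code) shows one such check. The allowlisted hosts are assumptions, and the caller is expected to resolve the host itself and pass in the address it is about to use.

```python
"""Outbound-request allowlist for an SSRF-prone fetch endpoint.

Added example, not Web Security Scanner's or Google's code. ALLOWED_HOSTS is an
assumption; the caller resolves DNS and passes the address it will connect to.
"""
from ipaddress import IPv6Address, ip_address
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "storage.example.com"}  # assumption
ALLOWED_PORTS = {None, 443}                                  # default or explicit 443


def is_blocked_ip(addr: str) -> bool:
    """True for loopback, private, link-local (which covers the 169.254.169.254
    metadata server), reserved and other non-global addresses, including IPv4
    addresses mapped into IPv6 (::ffff:127.0.0.1)."""
    ip = ip_address(addr)
    if isinstance(ip, IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_outbound_url(url: str, resolved_ip: Optional[str] = None) -> Optional[str]:
    """Return the reason a fetch is refused, or None if it may proceed."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL not allowed"          # https://api.example.com@evil.net
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        ip_address(host)
    except ValueError:
        pass
    else:
        return "literal IP addresses not allowed"     # https://169.254.169.254/... or [::1]
    if host.rstrip(".") not in ALLOWED_HOSTS:
        return f"host {host!r} not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    # An allowlisted name can still resolve to an internal address (DNS
    # rebinding, a compromised zone), so the address the client will use is
    # checked too; connect to that exact address instead of resolving again.
    if resolved_ip is not None and is_blocked_ip(resolved_ip):
        return f"resolved address {resolved_ip} is not a public address"
    return None


if __name__ == "__main__":
    for probe in ("https://api.example.com/v1/items", "http://api.example.com/",
                  "https://169.254.169.254/computeMetadata/v1/", "https://api.example.com@evil.net/"):
        print(probe, "->", validate_outbound_url(probe) or "allowed")
```

Redirects need the same treatment: either disable automatic redirect following or validate every hop's Location the same way, otherwise an allowlisted host that redirects to an internal address bypasses the check.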
When making a cross-domain request, the web application includes the user's session identifier
in its Referer request header. This vulnerability gives the receiving domain access
to the session identifier, which can be used to impersonate or uniquely identify the user.
A potential SQL injection vulnerability was detected. To resolve this finding, use
parameterized queries to prevent user inputs from influencing the structure of the SQL query.
A field in this web application is vulnerable to a cross-site scripting
(XSS) attack. To resolve this finding, validate and escape untrusted
user-supplied data.
A user-provided string isn't escaped and AngularJS can interpolate it. To
resolve this finding, validate and escape untrusted user-supplied data
handled by the Angular framework.
A field in this web application is vulnerable to a cross-site scripting
attack. To resolve this finding, validate and escape untrusted
user-supplied data.
Category name in the API: XXE_REFLECTED_FILE_LEAKAGE
An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to
leak a file on the host. To resolve this finding, configure your XML parsers to disallow
external entities.
Threat detectors can help you find potentially harmful events.
Anomaly Detection
Anomaly Detection is a built-in service that uses behavior signals from
outside your system. It displays granular information about security
anomalies detected for your projects and virtual machine (VM) instances, such
as potential leaked credentials. Anomaly Detection is
automatically enabled when you activate Security Command Center Standard or
Premium tier, and findings are available in the Google Cloud console.
Credentials for a Google Cloud service account are accidentally
leaked online or are compromised.
Severity: Critical
Account has leaked credentials
GitHub notified Security Command Center that the credentials
that were used for a commit appear to be the credentials for a
Google Cloud Identity and Access Management service account.
The notification includes the service account name and the private key
identifier. Google Cloud also sends your
designated contact for security and privacy
issues a notification by email.
To remediate this issue, take one or more of the following actions:
Identify the legitimate user of the key.
Rotate the key.
Remove the key.
Investigate any actions that were taken by the key after the
key was leaked to ensure that none of the actions were malicious.
Container Threat Detection can detect the most common container runtime attacks
and alert you in Security Command Center and optionally in Cloud Logging.
Container Threat Detection includes several detection capabilities, an analysis tool,
and an API.
Container Threat Detection's detection instrumentation collects low-level behavior in the
guest kernel and performs natural language processing on scripts to detect the
following events:
Event Threat Detection uses log data from inside your systems. It watches
Cloud Logging stream for projects, and consumes
logs as they become available. When a threat is detected, Event Threat Detection
writes a finding to Security Command Center and to a Cloud Logging project.
Event Threat Detection is automatically enabled when you activate the
Security Command Center Premium tier and findings are available in the
Google Cloud console.
The following table lists examples of Event Threat Detection findings.
Table C. Event Threat Detection finding types
Data destruction
Event Threat Detection detects data destruction by examining audit logs from the Backup and DR Service Management Server for the following scenarios:
Deletion of a backup image
Deletion of all backup images associated with an application
Deletion of a backup/recovery appliance
Data exfiltration
Event Threat Detection detects data exfiltration from BigQuery and
Cloud SQL by examining audit logs for the following scenarios:
A BigQuery resource is saved outside of your
organization, or a copy operation is attempted that is blocked by
VPC Service Controls.
An attempt is made to access BigQuery resources that
are protected by VPC Service Controls.
A Cloud SQL resource is fully or partially exported to a
Cloud Storage bucket outside of your organization or to a bucket
that is owned by your organization and is publicly accessible.
A Cloud SQL backup is restored to a Cloud SQL
instance outside your organization.
A BigQuery resource that your organization owns
is exported to a Cloud Storage bucket outside your
organization, or to a bucket in your organization that is
publicly accessible.
A BigQuery resource that your organization owns is
exported to a Google Drive folder.
Cloud SQL suspicious activity
Event Threat Detection examines audit logs to detect the following events
that might indicate a compromise of a valid user account on
Cloud SQL instances:
A database user is granted all privileges to a
Cloud SQL for PostgreSQL database, or to all tables, procedures, or
functions in a schema.
A Cloud SQL default database account superuser (`postgres`
on PostgreSQL instances or `root` on MySQL instances) is used to write
to non-system tables.
AlloyDB for PostgreSQL suspicious activity
Event Threat Detection examines audit logs to detect the following events
that might indicate a compromise of a valid user account on
AlloyDB for PostgreSQL instances:
A database user is granted all privileges to an
AlloyDB for PostgreSQL database, or to all tables, procedures, or
functions in a schema.
An AlloyDB for PostgreSQL default database account superuser
(`postgres`) is used to write to non-system tables.
Brute force SSH
Event Threat Detection detects brute-force attacks against SSH password
authentication by examining syslog for repeated login failures followed by a success.
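The pattern the detector looks for, repeated failures from one source followed by a success, is easy to reproduce over raw sshd syslog lines. The following is an added example, not Event Threat Detection's own logic: the log lines are constructed, and the failure threshold and time window are assumptions.

```python
"""Brute-force detection over sshd syslog lines: repeated password failures
from one source followed by a password login success.

Added example, not Event Threat Detection's own logic. The log lines are
constructed; the threshold and window are assumptions.
"""
import re
from datetime import datetime
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: six failures then a success from 203.0.113.9, a single
# typo-then-success from 198.51.100.7, and a key-based login that is ignored.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 vm-1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar  1 10:00:03 vm-1 sshd[1202]: Failed password for root from 203.0.113.9 port 51236 ssh2
Mar  1 10:00:05 vm-1 sshd[1203]: Failed password for root from 203.0.113.9 port 51238 ssh2
Mar  1 10:00:06 vm-1 sshd[1204]: Failed password for invalid user test from 203.0.113.9 port 51240 ssh2
Mar  1 10:00:08 vm-1 sshd[1205]: Failed password for root from 203.0.113.9 port 51242 ssh2
Mar  1 10:00:09 vm-1 sshd[1206]: Failed password for root from 203.0.113.9 port 51244 ssh2
Mar  1 10:00:15 vm-1 sshd[1207]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:20 vm-1 sshd[1208]: Accepted password for root from 203.0.113.9 port 51250 ssh2
Mar  1 10:00:31 vm-1 sshd[1209]: Accepted password for deploy from 198.51.100.7 port 40003 ssh2
Mar  1 10:01:00 vm-1 sshd[1210]: Accepted publickey for ops from 192.0.2.44 port 40100 ssh2
"""


def parse_ts(text: str) -> datetime:
    """Syslog timestamps carry no year; deltas within a day are all we need."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_ssh_brute_force(lines, threshold: int = 5, window_s: int = 300) -> List[Dict]:
    """Emit one finding per source IP whose password login succeeded after at
    least `threshold` password failures within the preceding `window_s` seconds."""
    failures: Dict[str, List[datetime]] = {}
    findings: List[Dict] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "password":   # only password auth is brute-forced this way
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        recent = [t for t in failures.get(ip, []) if (ts - t).total_seconds() <= window_s]
        if m["result"] == "Failed":
            recent.append(ts)
            failures[ip] = recent
            continue
        # Accepted password: decide whether the preceding failures look like a brute force.
        if len(recent) >= threshold:
            findings.append({"ip": ip, "user": m["user"], "failures": len(recent),
                             "first_failure": recent[0].strftime("%H:%M:%S"),
                             "success": ts.strftime("%H:%M:%S")})
        failures.pop(ip, None)   # a success ends the episode either way
    return findings


if __name__ == "__main__":
    for finding in detect_ssh_brute_force(SAMPLE_SYSLOG.splitlines()):
        print(finding)
```

A success after a long run of failures is the signal worth paging on; failures alone are background noise on any internet-facing host, which is why the check keys on the accepted login rather than on the failure count by itself.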
Cryptomining
Event Threat Detection detects coin mining malware by examining VPC flow logs
and Cloud DNS logs for connections to known bad domains or IP addresses
of mining pools.
IAM abuse
Anomalous IAM grants: Event Threat Detection detects the addition of
IAM grants that might be considered anomalous, like:
Adding a gmail.com user to a policy with the project editor
role.
Inviting a gmail.com user as a project owner from the
Google Cloud console.
Service account granting sensitive permissions.
Custom role granted sensitive permissions.
Service account added from outside your organization.
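Two of the grant patterns listed above, a consumer account receiving a sensitive role and a service account from outside the organization being added to a policy, can be checked directly against the binding deltas that SetIamPolicy audit log entries carry. The following is an added example, not Event Threat Detection's own detector: the organization domains and project IDs are assumptions, and the audit log entries are constructed and trimmed to the fields the check reads.

```python
"""Flag anomalous IAM grants in Cloud Audit Logs: consumer (gmail.com)
accounts given sensitive roles, and service accounts from outside the
organization added to a policy.

Added example, not Event Threat Detection's own detector. ORG_DOMAINS and
ORG_PROJECTS are assumptions; the log entries are constructed and trimmed.
"""
from typing import Dict, List

ORG_DOMAINS = {"example.com"}                    # assumption: the organization's identities
ORG_PROJECTS = {"prod-app-123", "shared-vpc-7"}  # assumption: projects owned by the org
SENSITIVE_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountTokenCreator"}
SA_SUFFIX = ".iam.gserviceaccount.com"

# Constructed entries in the shape of SetIamPolicy audit log records.
SAMPLE_AUDIT_LOGS = [
    {"protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "resourceName": "projects/prod-app-123",
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/editor", "member": "user:alice@gmail.com"}]}}}},
    {"protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "resourceName": "projects/prod-app-123",
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"},
                          {"action": "REMOVE", "role": "roles/editor", "member": "user:carol@gmail.com"}]}}}},
    {"protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "ci@prod-app-123.iam.gserviceaccount.com"},
                      "resourceName": "projects/shared-vpc-7",
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/storage.objectViewer",
                           "member": "serviceAccount:deployer@other-proj-999.iam.gserviceaccount.com"}]}}}},
    {"protoPayload": {"methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "resourceName": "projects/prod-app-123/zones/us-central1-a/instances/vm-1"}},
]


def member_reason(member: str, role: str) -> str:
    """Return why an ADD of this member/role is anomalous, or '' if it is not."""
    kind, _, email = member.partition(":")
    domain = email.rpartition("@")[2]
    if kind == "user" and domain not in ORG_DOMAINS and role in SENSITIVE_ROLES:
        return f"external account ({domain}) granted sensitive role {role}"
    if kind == "serviceAccount" and domain.endswith(SA_SUFFIX):
        project = domain[: -len(SA_SUFFIX)]
        if project not in ORG_PROJECTS:
            return f"service account from outside the organization (project {project})"
    return ""


def detect_anomalous_grants(entries: List[Dict]) -> List[Dict]:
    """Walk SetIamPolicy entries and report the ADD deltas that match a rule."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") != "ADD":       # removals are not grants
                continue
            reason = member_reason(delta["member"], delta["role"])
            if reason:
                findings.append({"resource": payload.get("resourceName"),
                                 "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                                 "member": delta["member"], "role": delta["role"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalous_grants(SAMPLE_AUDIT_LOGS):
        print(finding)
```

The service account rule needs an exemption list in practice: Google-managed service agents live in projects you do not own and are added to policies by the platform itself, so they would otherwise appear as "outside the organization".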
Inhibit System Recovery
Event Threat Detection detects anomalous changes to Backup and DR that may impact backup posture, including major policy changes and removal of critical Backup and DR components.
Log4j
Event Threat Detection detects possible attempts at Log4j exploitation and
active Log4j vulnerabilities.
Malware
Event Threat Detection detects malware by examining VPC flow logs and
Cloud DNS logs for connections to known command and control
domains and IPs.
Outgoing DoS
Event Threat Detection examines VPC flow logs to detect outgoing denial of
service traffic.
Anomalous access
Event Threat Detection detects anomalous access by examining
Cloud Audit Logs for Google Cloud service modifications that originated
from anonymous proxy IP addresses, like Tor IP addresses.
Anomalous IAM behavior
Event Threat Detection detects anomalous IAM behavior by examining
Cloud Audit Logs for the following scenarios:
IAM user and service accounts accessing Google Cloud from anomalous IP addresses.
IAM service accounts accessing Google Cloud from anomalous user agents.
Principals and resources impersonating IAM service accounts to access Google Cloud.
Service account self-investigation
Event Threat Detection detects when a service account credential is used to
investigate the roles and permissions associated with that same service
account.
Compute Engine Admin Added SSH Key
Event Threat Detection detects a modification to the Compute Engine instance metadata
ssh key value on an established instance (older than 1 week).
Compute Engine Admin Added Startup Script
Event Threat Detection detects a modification to the Compute Engine instance
metadata startup script value on an established instance (older than 1
week).
Suspicious account activity
Event Threat Detection detects potential compromise of Google Workspace
accounts by examining audit logs for anomalous account activities,
including leaked passwords and attempted suspicious logins.
Government-backed attack
Event Threat Detection examines Google Workspace audit logs to
detect when government-backed attackers might have tried to compromise a
user's account or computer.
Single sign-on (SSO) changes
Event Threat Detection examines Google Workspace audit logs to
detect when SSO is disabled or settings are changed for
Google Workspace admin accounts.
2-step verification
Event Threat Detection examines Google Workspace audit logs to
detect when 2-step verification is disabled on user and admin accounts.
Anomalous API behavior
Event Threat Detection detects anomalous API behavior by examining Cloud Audit Logs for requests to Google Cloud services that a principal
has not seen before.
Defense Evasion
Event Threat Detection detects Defense Evasion by examining Cloud Audit Logs
for the following scenarios:
Changes to existing VPC Service Controls perimeters that would
lead to a reduction in the protection offered.
Deployments or updates to workloads that use the
break-glass flag to override Binary Authorization controls. (Preview)
Discovery
Event Threat Detection detects discovery operations by
examining audit logs for the following scenarios:
A potentially malicious actor attempted to determine what
sensitive objects in GKE they can
query for, by using the kubectl command.
A service account credential is being used to investigate the roles
and permissions associated with that same service account.
Initial Access
Event Threat Detection detects initial access operations by
examining audit logs for the following scenarios:
A principal attempted to invoke various
Google Cloud methods but failed repeatedly because of permission
denied errors. (Preview)
Privilege escalation
Event Threat Detection detects privilege escalation in GKE by
examining audit logs for the following scenarios:
To escalate privilege, a potentially malicious actor attempted to
modify a ClusterRole or ClusterRoleBinding
role-based access control (RBAC) object of the sensitive cluster-admin
role by using a PUT or PATCH request.
A potentially malicious actor created a Kubernetes master certificate
signing request (CSR), which gives them cluster-admin
access.
To escalate privilege, a potentially malicious actor attempted to create
a new RoleBinding or ClusterRoleBinding
object for the cluster-admin role.
A potentially malicious actor queried for a
certificate signing request (CSR), with the kubectl
command, using compromised bootstrap credentials.
A potentially malicious actor created a Pod that contains privileged
containers or containers with privilege escalation capabilities.
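Two of the scenarios above, a binding to the cluster-admin role and a Pod with privileged containers, can be checked directly against the Kubernetes audit events that GKE writes to Cloud Logging. The following is an added example, not Event Threat Detection's own detector: the events are constructed and reduced to the fields the checks read.

```python
"""Privilege-escalation checks over Kubernetes audit events: bindings to
cluster-admin and Pods with privileged containers.

Added example, not Event Threat Detection's own detector. The events are
constructed and reduced to the fields the checks read.
"""
from typing import Dict, List

ESCALATION_VERBS = {"create", "update", "patch"}

# Constructed audit events (objectRef and requestObject only).
SAMPLE_K8S_AUDIT = [
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "clusterrolebindings", "name": "oops-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "web"}]}},
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "rolebindings", "namespace": "web", "name": "readers"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "view"},
                       "subjects": [{"kind": "User", "name": "intern@example.com"}]}},
    {"verb": "create", "user": {"username": "system:serviceaccount:web:default"},
     "objectRef": {"resource": "pods", "namespace": "web", "name": "debug-0"},
     "requestObject": {"spec": {"hostPID": True, "containers": [
         {"name": "shell", "image": "busybox", "securityContext": {"privileged": True}}]}}},
    {"verb": "create", "user": {"username": "ci@example.com"},
     "objectRef": {"resource": "pods", "namespace": "web", "name": "api-1"},
     "requestObject": {"spec": {"containers": [
         {"name": "api", "image": "api:1.2", "securityContext": {"allowPrivilegeEscalation": False}}]}}},
    {"verb": "get", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "clusterrolebindings", "name": "cluster-admin"}},
]


def binding_grants_cluster_admin(obj: Dict) -> bool:
    """True for a RoleBinding or ClusterRoleBinding whose roleRef is cluster-admin."""
    ref = obj.get("roleRef", {})
    return ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin"


def pod_privilege_issues(obj: Dict) -> List[str]:
    """List the privilege-related settings in a Pod object that warrant a finding."""
    spec = obj.get("spec", {})
    issues = [f"host{ns} enabled" for ns in ("PID", "Network", "IPC") if spec.get(f"host{ns}")]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            issues.append(f"container {c['name']} is privileged")
        elif sc.get("allowPrivilegeEscalation"):
            issues.append(f"container {c['name']} allows privilege escalation")
        risky = {"ALL", "SYS_ADMIN", "SYS_PTRACE"} & set(sc.get("capabilities", {}).get("add", []))
        if risky:
            issues.append(f"container {c['name']} adds capabilities {sorted(risky)}")
    return issues


def detect_gke_privilege_escalation(events: List[Dict]) -> List[Dict]:
    """Report write operations that bind cluster-admin or create privileged Pods."""
    findings = []
    for ev in events:
        if ev.get("verb") not in ESCALATION_VERBS:
            continue
        ref, obj = ev.get("objectRef", {}), ev.get("requestObject", {})
        actor = ev.get("user", {}).get("username")
        if ref.get("resource") in ("clusterrolebindings", "rolebindings") and binding_grants_cluster_admin(obj):
            findings.append({"category": "cluster-admin binding", "actor": actor,
                             "object": f"{ref['resource']}/{ref.get('name')}",
                             "subjects": [f"{s['kind']}:{s.get('name')}" for s in obj.get("subjects", [])]})
        elif ref.get("resource") == "pods":
            issues = pod_privilege_issues(obj)
            if issues:
                findings.append({"category": "privileged pod", "actor": actor,
                                 "object": f"{ref.get('namespace')}/{ref.get('name')}", "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in detect_gke_privilege_escalation(SAMPLE_K8S_AUDIT):
        print(finding)
```

The binding check deliberately covers namespaced RoleBindings as well as ClusterRoleBindings: a RoleBinding that references the cluster-admin ClusterRole grants full rights within its namespace, which is still more than a compromised workload should be able to hand itself.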
Cloud IDS detections
Cloud IDS detects layer 7 attacks by analyzing mirrored packets
and, when it detects a suspicious event, triggers an Event Threat Detection
finding. To learn more about Cloud IDS detections, see
Cloud IDS Logging information.
Preview
Lateral movement
Event Threat Detection detects potential modified-boot-disk attacks by examining Cloud Audit Logs for frequent boot disk detachments and re-attachments across Compute Engine instances.
Forseti Security gives you tools to understand all the resources you have in
Google Cloud. The core Forseti modules work together to provide
complete information so you can secure resources and minimize security risks.
Google Cloud Armor helps protect your
application by providing Layer 7 filtering. Google Cloud Armor scrubs incoming
requests for common web attacks or other Layer 7 attributes to potentially block
traffic before it reaches your load-balanced backend services or backend
buckets.
Google Cloud Armor exports two findings to Security Command Center:
Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, provides
threat detection through hypervisor-level instrumentation and persistent disk
analysis.
VM Threat Detection detects potentially malicious applications, such as
cryptocurrency mining software, kernel-mode rootkits, and malware running in
compromised cloud environments.
VM Threat Detection is part of Security Command Center Premium's threat detection
suite and is designed to complement the existing capabilities of Event Threat Detection and
Container Threat Detection.
Identifies a threat that was detected by both the
CRYPTOMINING_HASH and CRYPTOMINING_YARA modules.
For more information, see
Combined detections.
Kernel-mode rootkit threat findings
VM Threat Detection analyzes kernel integrity at run time to detect common evasion techniques
that are used by malware.
The KERNEL_MEMORY_TAMPERING
module detects threats by doing a hash comparison on the
kernel code and kernel read-only data memory of a virtual machine.
The KERNEL_INTEGRITY_TAMPERING module detects threats by checking
the integrity of important kernel data structures.
VM Threat Detection kernel-mode rootkit threat findings
Interrupt handlers that aren't in the expected kernel or module code regions are present.
Defense Evasion: Unexpected kernel modules (Preview)
KERNEL_INTEGRITY_TAMPERING
Kernel code pages that are not in the expected kernel or module code regions are present.
Defense Evasion: Unexpected kprobe handler (Preview)
KERNEL_INTEGRITY_TAMPERING
kprobe points are present with callbacks pointing to regions that are not in
the expected kernel or module code range.
Defense Evasion: Unexpected processes in runqueue (Preview)
KERNEL_INTEGRITY_TAMPERING
Unexpected processes in the scheduler run queue are present. Such processes are in the run
queue, but not in the process task list.
Defense Evasion: Unexpected system call handler (Preview)
KERNEL_INTEGRITY_TAMPERING
System call handlers that aren't in the expected kernel or module code regions are present.
Rootkit
Defense Evasion: Rootkit (Preview)
KERNEL_MEMORY_TAMPERING
KERNEL_INTEGRITY_TAMPERING
A combination of signals matching a known kernel-mode rootkit is present. To receive
findings of this category, make sure both modules are enabled.
VM Threat Detection observation finding
VM Threat Detection can generate the following observation finding.
VM Threat Detection observation finding
Category name
API name
Summary
Severity
VMTD disabled
VMTD_DISABLED
VM Threat Detection is disabled. Until you
enable
it, this service can't scan your Compute Engine projects
and VM instances for unwanted applications.
This finding is set to INACTIVE after 30 days. After that,
this finding isn't generated again.
High
Errors
Error detectors can help you detect errors in your configuration that prevent
security sources from generating findings. Error findings are generated by
the Security Command Center security source and
have the finding class SCC errors.
Inadvertent actions
The following finding categories represent errors possibly caused by unintentional actions.
Inadvertent actions
Category name
API name
Summary
Severity
API disabled
API_DISABLED
Finding description:
A required API is disabled for the project. The disabled service can't send findings to
Security Command Center.
Attack path simulation: no resource value configs match any resources
APS_NO_RESOURCE_VALUE_CONFIGS_MATCH_ANY_RESOURCES
Finding description: Resource value configurations
are defined for attack path simulations, but they do
not match any resource instances in your environment. The simulations are using the
default high-value resource set instead.
This error can have any of the following causes:
None of the resource value configurations match any resource instances.
One or more resource value configurations that specify NONE override every
other valid configuration.
All the defined resource value configurations specify a value of NONE.
Attack path simulation: resource value assignment limit exceeded
APS_RESOURCE_VALUE_ASSIGNMENT_LIMIT_EXCEEDED
Finding description:
In the last
attack path simulation,
the number of high-value resource instances, as identified by the
resource value configurations,
exceeded the limit of 1,000 resource instances in a high-value
resource set. As a result, Security Command Center excluded the excess number of
instances from the high-value resource set.
The total number of matching instances and the total number of instances excluded
from the set are identified in the SCC Error finding in the
Google Cloud console.
The attack exposure scores on any findings that affect excluded resource
instances do not reflect the high-value designation of the resource instances.
Finding description:
Container Threat Detection can't be enabled on the cluster because a required container
image can't be pulled (downloaded) from gcr.io, the
Container Registry image host. The image is
needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires.
The attempt to deploy the Container Threat Detection DaemonSet resulted in the following error:
Failed to pull image
"badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": rpc error:
code = NotFound desc = failed to pull and unpack image
"badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": failed to
resolve reference "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00":
badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00: not found
Container Threat Detection
Blocked By Admission Controller
KTD_BLOCKED_BY_ADMISSION_CONTROLLER
Finding description:
Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission
controller is preventing the deployment of a Kubernetes DaemonSet object that
Container Threat Detection requires.
When viewed in the Google Cloud console, the finding details include the
error message that was returned by Google Kubernetes Engine when Container Threat Detection attempted to
deploy a Container Threat Detection DaemonSet object.
Container Threat
Detection service account missing permissions
KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS
Finding description:
A service account is missing permissions that Container Threat Detection requires. Container Threat Detection
could stop functioning properly because the
detection instrumentation cannot be enabled, upgraded, or disabled.
Finding description:
Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the
GKE default service account on the cluster is missing permissions. This
prevents Container Threat Detection from being successfully enabled on the cluster.
Finding description:
The project configured for
continuous export to Cloud Logging is unavailable. Security Command Center
can't send findings to Logging.
Finding description:
Security Health Analytics can't produce certain findings for a project. The project is protected by a
service perimeter, and the
Security Command Center service account doesn't have access to the perimeter.