Security Health Analytics and Web Security Scanner detectors generate vulnerability findings that are available in Security Command Center. When they are enabled in Security Command Center, integrated services, like VM Manager, also generate vulnerability findings.
Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.
Detectors and compliance
Security Command Center monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.
For each supported security standard, Security Command Center checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.
CIS reviews and certifies the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.
Security Command Center adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.
With the security posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.
With Compliance Manager (Preview), you can deploy frameworks that map regulatory controls to cloud controls. After you create a framework, you can monitor for any changes to the environment that might affect your business's compliance and audit your environment.
For more information about managing compliance, see Assess and report compliance with security standards.
Supported security standards
Google Cloud
Security Command Center maps detectors for Google Cloud to one or more of the following compliance standards:
- Center for Internet Security (CIS) Controls 8.0
- CIS Google Cloud Computing Foundations Benchmark v2.0.0, v1.3.0, v1.2.0, v1.1.0, and v1.0.0
- CIS Kubernetes Benchmark v1.5.1
- Cloud Controls Matrix (CCM) 4
- Health Insurance Portability and Accountability Act (HIPAA)
- International Organization for Standardization (ISO) 27001, 2022 and 2013
- National Institute of Standards and Technology (NIST) 800-53 R5 and R4
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 1.0
- Open Web Application Security Project (OWASP) Top Ten, 2021 and 2017
- Payment Card Industry Data Security Standard (PCI DSS) 4.0 and 3.2.1
- System and Organization Controls (SOC) 2 2017 Trust Services Criteria (TSC)
AWS
Security Command Center maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards:
- CIS Amazon Web Services Foundations 2.0.0
- CIS Critical Security Controls Version 8.0
- Cloud Controls Matrix (CCM) 4
- Health Insurance Portability and Accountability Act (HIPAA)
- International Organization for Standardization (ISO) 27001, 2022
- National Institute of Standards and Technology (NIST) 800-53 R5
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 1.0
- Payment Card Industry Data Security Standard (PCI DSS) 4.0 and 3.2.1
- System and Organization Controls (SOC) 2 2017 Trust Services Criteria (TSC)
For instructions on viewing and exporting compliance reports, see Assess and report compliance with security standards.
Finding deactivation after remediation
After you remediate a vulnerability or misconfiguration finding, the Security Command Center service that detected the finding automatically sets the state of the finding to INACTIVE the next time the detection service scans for the finding. How long Security Command Center takes to set a remediated finding to INACTIVE depends on the schedule of the scan that detects the finding.
The Security Command Center services also set the state of a vulnerability or misconfiguration finding to INACTIVE when a scan detects that the resource that is affected by the finding is deleted.
For more information about scan intervals, see the following topics:
Security Health Analytics findings
Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.
For more information about Security Health Analytics, scan schedules, and the Security Health Analytics support for both built-in and custom module detectors, see Overview of Security Health Analytics.
The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by various attributes on the following Google Cloud console pages:
- Vulnerabilities page
- Risk Overview page > Vulnerabilities dashboard
For instructions on fixing findings and protecting your resources, see Remediating Security Health Analytics findings.
API key vulnerability findings
The API_KEY_SCANNER detector identifies vulnerabilities related to API keys used in your cloud deployment.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application. Pricing tier: Premium. Supported assets: Compliance standards: | Retrieves the |
| | Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app. Pricing tier: Premium. Supported assets: Compliance standards: | Retrieves the |
| | Finding description: A project is using API keys instead of standard authentication. Pricing tier: Premium. Supported assets: Compliance standards: | Retrieves all API keys owned by a project. |
| | Finding description: The API key hasn't been rotated for more than 90 days. Pricing tier: Premium. Supported assets: Compliance standards: | Retrieves the timestamp contained in the |
Cloud Asset Inventory vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Asset Inventory configurations and belong to the CLOUD_ASSET_SCANNER type.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: The capturing of Google Cloud resources and IAM policies by Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing. We recommend that the Cloud Asset Inventory service be enabled for all projects. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium. Supported assets: Compliance standards: | Checks if the Cloud Asset Inventory service is enabled. |
Storage vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Storage bucket configurations, and belong to the STORAGE_SCANNER type.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium. Supported assets: Compliance standards: This finding category is not mapped to any compliance standard controls. | Checks the |
| | Finding description: Uniform bucket-level access, previously called Bucket Policy Only, isn't configured. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: A Cloud Storage bucket is publicly accessible. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks the IAM allow policy of a bucket for public roles, |
| | Finding description: A storage bucket used as a log sink is publicly accessible. This finding isn't available for project-level activations. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks the IAM allow policy of a bucket for the principals |
Compute image vulnerability findings
The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to Google Cloud image configurations.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: A Compute Engine image is publicly accessible. Pricing tier: Premium or Standard. Supported assets: Compliance standards: This finding category is not mapped to any compliance standard controls. | Checks the IAM allow policy in resource metadata for the principals |
Compute instance vulnerability findings
The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to Compute Engine instance configurations.
COMPUTE_INSTANCE_SCANNER detectors don't report findings on Compute Engine instances created by GKE. Such instances have names that start with "gke-", which users cannot edit. To secure these instances, refer to the Container vulnerability findings section.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: Confidential Computing is disabled on a Compute Engine instance. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: Project-wide SSH keys are used, allowing login to all instances in the project. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits. Pricing tier: Premium. Supported assets: Compliance standards: This finding category is not mapped to any compliance standard controls. | Checks the |
| | Finding description: Serial ports are enabled for an instance, allowing connections to the instance's serial console. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: An instance is configured to use the default service account. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: Disks on this VM are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium. Supported assets: Compliance standards: This finding category is not mapped to any compliance standard controls. | Checks the |
| | Finding description: Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: An instance is configured to use the default service account with full access to all Google Cloud APIs. Pricing tier: Premium. Supported assets: Compliance standards: | Retrieves the |
| | Finding description: An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium. Supported assets: Compliance standards: | Determines if the |
| | Finding description: OS Login is disabled on this instance. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: IP forwarding is enabled on instances. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: OS Login is disabled on this project. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: An instance has a public IP address. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: Shielded VM is disabled on this instance. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: An instance has a weak SSL policy. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether |
Container vulnerability findings
These finding types all relate to GKE container configurations, and belong to the CONTAINER_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: Alpha cluster features are enabled for a GKE cluster. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: Binary Authorization is either disabled on the GKE cluster or the Binary Authorization policy is configured to allow all images to be deployed. Pricing tier: Premium. Supported assets: Compliance standards: This finding category is not mapped to any compliance standard controls. | Checks the following: |
| | Finding description: Logging isn't enabled for a GKE cluster. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: Monitoring is disabled on GKE clusters. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: Application-layer secrets encryption is disabled on a GKE cluster. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: Shielded GKE nodes are not enabled for a cluster. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: Integrity monitoring is disabled for a GKE cluster. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: Intranode visibility is disabled for a GKE cluster. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A GKE cluster was created with alias IP ranges disabled. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: Legacy Authorization is enabled on GKE clusters. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks the |
| | Finding description: Legacy metadata is enabled on GKE clusters. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: Control Plane Authorized Networks is not enabled on GKE clusters. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: Network policy is disabled on GKE clusters. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium. Supported assets: Compliance standards: This finding category is not mapped to any compliance standard controls. | Checks the |
| | Finding description: Secure Boot is disabled for a GKE cluster. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A service account has overly broad project access in a cluster. Pricing tier: Premium. Supported assets: Compliance standards: | Evaluates the |
| | Finding description: A node service account has broad access scopes. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the access scope listed in the config.oauthScopes property of a node pool is a limited service account access scope: https://www.googleapis.com/auth/devstorage.read_only, https://www.googleapis.com/auth/logging.write, or https://www.googleapis.com/auth/monitoring. |
| | Finding description: PodSecurityPolicy is disabled on a GKE cluster. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A GKE cluster has a Private cluster disabled. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: A GKE cluster is not subscribed to a release channel. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: The GKE web UI (dashboard) is enabled. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks the |
| | Finding description: Workload Identity is disabled on a GKE cluster. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
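As an added example (not Google's code or the product's implementation), the following Python encodes the node pool access-scope check described in the table above, using the three limited scopes the page names, and applies the deactivation rule from the "Finding deactivation after remediation" section: a finding that no longer reproduces on the next scan, because the pool was fixed or deleted, is set to INACTIVE rather than dropped. The cluster export, the finding category name and the field layout are constructed assumptions.

```python
"""Added example, not Google's code: evaluate a GKE cluster export for node pools
whose service account access scopes exceed the limited set named on the page, and
apply the page's deactivation rule (remediated or deleted -> INACTIVE) on rescan."""
from __future__ import annotations

import copy
from dataclasses import dataclass, field

# The three limited access scopes named on the page; any other scope is broad.
LIMITED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring",
})

# Constructed category name for this example; not the product's own finding category.
CATEGORY = "EXAMPLE_NODE_POOL_BROAD_SCOPES"

# Constructed sample: a CAI-style cluster export with two node pools. The field
# path config.oauthScopes is the property the page says the detector inspects.
SAMPLE_CLUSTER = {
    "name": "projects/example-project/locations/us-central1/clusters/demo",
    "nodePools": [
        {"name": "default-pool",
         "config": {"oauthScopes": [
             "https://www.googleapis.com/auth/cloud-platform"]}},
        {"name": "batch-pool",
         "config": {"oauthScopes": [
             "https://www.googleapis.com/auth/devstorage.read_only",
             "https://www.googleapis.com/auth/logging.write"]}},
    ],
}


@dataclass
class Finding:
    category: str
    resource: str
    state: str = "ACTIVE"
    broad_scopes: list[str] = field(default_factory=list)


def broad_scopes(node_pool: dict) -> list[str]:
    """Return the scopes in config.oauthScopes that are not in the limited set."""
    scopes = node_pool.get("config", {}).get("oauthScopes", [])
    return sorted(s for s in scopes if s not in LIMITED_SCOPES)


def scan_cluster(cluster: dict) -> dict[str, Finding]:
    """One scan pass: an ACTIVE finding per node pool with broad access scopes."""
    findings: dict[str, Finding] = {}
    for pool in cluster.get("nodePools", []):
        broad = broad_scopes(pool)
        if broad:
            resource = f"{cluster['name']}/nodePools/{pool['name']}"
            findings[resource] = Finding(CATEGORY, resource, "ACTIVE", broad)
    return findings


def rescan(previous: dict[str, Finding], cluster: dict) -> dict[str, Finding]:
    """Rescan and reconcile: findings that no longer reproduce (the pool was
    remediated or deleted) are kept but set to INACTIVE, as the page describes."""
    current = scan_cluster(cluster)
    merged = dict(current)
    for resource, old in previous.items():
        if resource not in current:
            merged[resource] = Finding(old.category, resource, "INACTIVE", [])
    return merged


def remediated(cluster: dict, pool_name: str) -> dict:
    """Copy of the cluster with the named pool restricted to the limited scopes."""
    fixed = copy.deepcopy(cluster)
    for pool in fixed["nodePools"]:
        if pool["name"] == pool_name:
            pool["config"]["oauthScopes"] = sorted(LIMITED_SCOPES)
    return fixed


def without_pool(cluster: dict, pool_name: str) -> dict:
    """Copy of the cluster with the named pool deleted."""
    trimmed = copy.deepcopy(cluster)
    trimmed["nodePools"] = [p for p in trimmed["nodePools"] if p["name"] != pool_name]
    return trimmed


if __name__ == "__main__":
    first = scan_cluster(SAMPLE_CLUSTER)
    for f in first.values():
        print(f.state, f.resource, f.broad_scopes)
    second = rescan(first, remediated(SAMPLE_CLUSTER, "default-pool"))
    for f in second.values():
        print(f.state, f.resource)
```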
Dataproc vulnerability findings
Vulnerabilities of this detector type all relate to Dataproc and belong to the DATAPROC_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: A Dataproc cluster was created without an encryption configuration CMEK. With CMEK, keys that you create and manage in Cloud Key Management Service wrap the keys that Google Cloud uses to encrypt your data, giving you more control over access to your data. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: A Dataproc cluster was created with a Dataproc image version that is impacted by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046). Pricing tier: Premium or Standard. Supported assets: Compliance standards: This finding category is not mapped to any compliance standard controls. | Checks whether the |
Dataset vulnerability findings
Vulnerabilities of this detector type all relate to BigQuery dataset configurations, and belong to the DATASET_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: A dataset is configured to be open to public access. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks the IAM allow policy in resource metadata for the principals |
DNS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud DNS configurations, and belong to the DNS_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: DNSSEC is disabled for Cloud DNS zones. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: RSASHA1 is used for key signing in Cloud DNS zones. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
Firewall vulnerability findings
Vulnerabilities of this detector type all relate to firewall configurations, and belong to the FIREWALL_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open Cassandra port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open DNS port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open ELASTICSEARCH port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to be open to public access. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open FTP port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open HTTP port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open LDAP port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open MEMCACHED port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open MONGODB port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open MYSQL port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open NETBIOS port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open ORACLEDB port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open POP3 port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open PostgreSQL port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open RDP port that allows generic access. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks the |
| | Finding description: A firewall is configured to have an open REDIS port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: A firewall is configured to have an open SMTP port that allows generic access. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: A firewall is configured to have an open SSH port that allows generic access. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks whether the |
| | Finding description: A firewall is configured to have an open TELNET port that allows generic access. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Checks whether the |
IAM vulnerability findings
Vulnerabilities of this detector type all relate to Identity and Access Management (IAM) configuration, and belong to the IAM_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: Google Cloud Access Transparency is disabled for your organization. Access Transparency logs when Google Cloud employees access the projects in your organization to provide support. Enable Access Transparency to log who from Google Cloud is accessing your information, when, and why. Pricing tier: Premium. Supported assets: Compliance standards: | Checks if your organization has Access Transparency enabled. |
| | Finding description: A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the IAM allow policy in resource metadata for any user-created service accounts (indicated by the prefix iam.gserviceaccount.com) that are assigned |
| | Finding description: Your organization has not designated a person or group to receive notifications from Google Cloud about important events such as attacks, vulnerabilities, and data incidents within your Google Cloud organization. We recommend that you designate as an Essential Contact one or more persons or groups in your business organization. Pricing tier: Premium. Supported assets: Compliance standards: | Checks that a contact is specified for the following essential contact categories: |
| | Finding description: Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. This finding isn't available for project-level activations. Pricing tier: Premium. Supported assets: Compliance standards: | Checks IAM allow policies in resource metadata and retrieves principals assigned any of the following roles at the same time: roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, roles/cloudkms.signerVerifier, and roles/cloudkms.publicKeyViewer. |
| | Finding description: There is a user who isn't using organizational credentials. Per CIS GCP Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector. Pricing tier: Premium or Standard. Supported assets: Compliance standards: | Compares @gmail.com email addresses in the |
| | Finding description: A Google Groups account that can be joined without approval is used as an IAM allow policy principal. Pricing tier: Premium or Standard. Supported assets: Compliance standards: This finding category is not mapped to any compliance standard controls. | Checks the IAM policy in resource metadata for any bindings containing a member (principal) that's prefixed with group. If the group is an open group, Security Health Analytics generates this finding. |
| | Finding description: A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the IAM allow policy in resource metadata for any principals assigned roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator at the project level. |
| | Finding description: A user has one of the following basic roles: These roles are too permissive and shouldn't be used. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the IAM allow policy in resource metadata for any principals that are assigned a |
| | Finding description: A Redis IAM role is assigned at the organization or folder level. This finding isn't available for project-level activations. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the IAM allow policy in resource metadata for principals assigned |
| | Finding description: A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. This finding isn't available for project-level activations. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the IAM allow policy in resource metadata for any principals assigned both roles/iam.serviceAccountUser and roles/iam.serviceAccountAdmin. |
| | Finding description: A service account key hasn't been rotated for more than 90 days. Pricing tier: Premium. Supported assets: Compliance standards: | Evaluates the key creation timestamp captured in the |
| | Finding description: A user manages a service account key. Pricing tier: Premium. Supported assets: Compliance standards: | Checks whether the |
KMS vulnerability findings
Vulnerabilities of this detector type all relate to Cloud KMS configurations, and belong to the KMS_SCANNER detector type.
| Detector | Summary | Asset scan settings |
|---|---|---|
| | Finding description: Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days. Pricing tier: Premium. Supported assets: Compliance standards: | Checks resource metadata for the existence of |
| | Finding description: A user has Owner permissions on a project that has cryptographic keys. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the IAM allow policy in project metadata for principals assigned |
| | Finding description: A Cloud KMS cryptographic key is publicly accessible. Pricing tier: Premium. Supported assets: Compliance standards: | Checks the IAM allow policy in resource metadata for the principals |
| | Finding description: There are more than three users of cryptographic keys. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium. Supported assets: Compliance standards: | Checks IAM allow policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier. |
Logging vulnerability findings
Vulnerabilities of this detector type all relate to logging configurations, and
belong to the LOGGING_SCANNER
detector type.
Detector | Summary | Asset scan settings |
---|---|---|
|
Finding description: Audit logging has been disabled for this resource. This finding isn't available for project-level activations. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the IAM allow policy in resource
metadata for the existence of an
|
|
Finding description: There is a storage bucket without logging enabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: A locked retention policy is not set for logs. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: There is a resource that doesn't have an appropriate log sink configured. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets
Compliance standards:
|
Retrieves a
|
|
Finding description: Object versioning isn't enabled on a storage bucket where sinks are configured. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Monitoring vulnerability findings
Vulnerabilities of this detector type all relate to monitoring configurations,
and belong to the MONITORING_SCANNER
type. All Monitoring detector finding
properties include:
- The RecommendedLogFilter to use in creating the log metrics.
- The QualifiedLogMetricNames that cover the conditions listed in the recommended log filter.
- The AlertPolicyFailureReasons that indicate whether the project does not have alert policies created for any of the qualified log metrics, or the existing alert policies don't have the recommended settings.
Detector | Summary | Asset scan settings |
---|---|---|
|
Finding description: Log metrics and alerts aren't configured to monitor Audit Configuration changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*,
and, if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
|
Finding description: Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type=gcs_bucket AND
protoPayload.methodName="storage.setIamPermissions".
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
|
Finding description: Log metrics and alerts aren't configured to monitor Custom Role changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="iam_role" AND
(protoPayload.methodName="google.iam.admin.v1.CreateRole"
OR
protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR
protoPayload.methodName="google.iam.admin.v1.UpdateRole").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
|
Finding description: Log metrics and alerts aren't configured to monitor Virtual Private Cloud (VPC) Network Firewall rule changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_firewall_rule"
AND (protoPayload.methodName:"compute.firewalls.insert"
OR protoPayload.methodName:"compute.firewalls.patch"
OR protoPayload.methodName:"compute.firewalls.delete").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
|
Finding description: Log metrics and alerts aren't configured to monitor VPC network changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_network"
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
|
Finding description: Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee) OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR
(protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
AND
protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner"),
and, if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
|
Finding description: Log metrics and alerts aren't configured to monitor VPC network route changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
resource.type="gce_route"
AND (protoPayload.methodName:"compute.routes.delete"
OR protoPayload.methodName:"compute.routes.insert").
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
|
Finding description: Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the filter property of the
project's LogsMetric resource is set to
protoPayload.methodName="cloudsql.instances.update"
OR protoPayload.methodName="cloudsql.instances.create"
OR protoPayload.methodName="cloudsql.instances.delete",
and, if resource.type is specified, that the value is global.
The detector also searches for a corresponding
alertPolicy resource, checking that the
conditions and
notificationChannels properties are properly
configured.
|
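The Monitoring detectors above all apply the same rule: a log-based metric whose filter equals the recommended filter, plus an alert policy whose condition references that metric and which has notification channels. The following is an added example, not code from the page or from Google, that re-implements that rule locally over constructed LogsMetric and alertPolicy data so you can pre-check a project before the scanner runs; the descriptive labels, the whitespace-insensitive filter comparison and the handling of a leading resource.type=global clause are assumptions of this example.

```python
"""Local re-check of the MONITORING_SCANNER rule (added example, not Google's
code). Inputs are constructed dicts shaped like the LogsMetric and alertPolicy
resources the page names; the normalization rules are this example's own."""
import re
from dataclasses import dataclass, field

# Recommended filters copied from the detector descriptions. The labels are
# chosen for this example; the bool records whether the page says a
# resource.type=global clause is acceptable for that detector.
RECOMMENDED = {
    "audit_config_changes": (
        'protoPayload.methodName="SetIamPolicy" AND '
        'protoPayload.serviceData.policyDelta.auditConfigDeltas:*', True),
    "bucket_iam_changes": (
        'resource.type=gcs_bucket AND '
        'protoPayload.methodName="storage.setIamPermissions"', False),
    "route_changes": (
        'resource.type="gce_route" AND '
        '(protoPayload.methodName:"compute.routes.delete" OR '
        'protoPayload.methodName:"compute.routes.insert")', False),
    "sql_instance_changes": (
        'protoPayload.methodName="cloudsql.instances.update" OR '
        'protoPayload.methodName="cloudsql.instances.create" OR '
        'protoPayload.methodName="cloudsql.instances.delete"', True),
}

_GLOBAL_PREFIX = re.compile(r'^resource\.type\s*=\s*"?global"?\s+AND\s+')
# Alert policy conditions reference log-based metrics by this metric type.
_USER_METRIC = re.compile(r'logging\.googleapis\.com/user/([A-Za-z0-9_./-]+)')


def normalize_filter(log_filter: str, allow_global: bool) -> str:
    """Canonical form for comparison: collapse whitespace, drop spaces inside
    parentheses and, where permitted, a leading resource.type=global clause.
    (Assumed normalization; the real detector's rules are not on the page.)"""
    text = " ".join(log_filter.split())
    text = re.sub(r"\(\s+", "(", text)
    text = re.sub(r"\s+\)", ")", text)
    if allow_global:
        text = _GLOBAL_PREFIX.sub("", text)
    return text


@dataclass
class LogMetric:
    name: str
    filter: str


@dataclass
class AlertPolicy:
    name: str
    condition_filters: list  # the filter of each condition in the policy
    notification_channels: list = field(default_factory=list)
    enabled: bool = True

    def metric_names(self) -> set:
        return {m for f in self.condition_filters for m in _USER_METRIC.findall(f)}


def evaluate(label: str, metrics: list, policies: list) -> dict:
    """Return the three finding properties the page lists plus a 'finding'
    flag: True unless some qualified metric has an enabled alert policy with
    at least one notification channel."""
    recommended, allow_global = RECOMMENDED[label]
    want = normalize_filter(recommended, allow_global)
    qualified = [m.name for m in metrics
                 if normalize_filter(m.filter, allow_global) == want]
    reasons, healthy = [], set()
    if not qualified:
        reasons.append("no log metric uses the recommended filter")
    for metric in qualified:
        matching = [p for p in policies if metric in p.metric_names()]
        if not matching:
            reasons.append(f"{metric}: no alert policy condition references it")
        for p in matching:
            if not p.enabled:
                reasons.append(f"{metric}: policy {p.name} is disabled")
            elif not p.notification_channels:
                reasons.append(f"{metric}: policy {p.name} has no notificationChannels")
            else:
                healthy.add(metric)
    return {"RecommendedLogFilter": recommended,
            "QualifiedLogMetricNames": qualified,
            "AlertPolicyFailureReasons": reasons,
            "finding": not healthy}


# Constructed sample project: one complete setup, one metric with no policy.
SAMPLE_METRICS = [
    LogMetric("audit-config-changes",
              'resource.type="global" AND protoPayload.methodName="SetIamPolicy"\n'
              '  AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*'),
    LogMetric("bucket-iam",
              'resource.type=gcs_bucket AND '
              'protoPayload.methodName="storage.setIamPermissions"'),
]
SAMPLE_POLICIES = [
    AlertPolicy("audit-config-policy",
                ['metric.type="logging.googleapis.com/user/audit-config-changes"'],
                ["projects/example-project/notificationChannels/PLACEHOLDER"]),
]

if __name__ == "__main__":
    for label in RECOMMENDED:
        print(label, evaluate(label, SAMPLE_METRICS, SAMPLE_POLICIES))
```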
Multi-factor authentication findings
The MFA_SCANNER
detector identifies vulnerabilities related to multi-factor
authentication for users.
Detector | Summary | Asset scan settings |
---|---|---|
|
There are users who aren't using 2-Step Verification. Google Workspace lets you specify an enrollment grace period for new users during which they must enroll in 2-Step Verification. This detector does create findings for users during the enrollment grace period. This finding isn't available for project-level activations. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Evaluates identity management policies in organizations and user settings for managed accounts in Cloud Identity.
|
Network vulnerability findings
Vulnerabilities of this detector type all relate to an organization's network
configurations, and belong to the NETWORK_SCANNER
type.
Detector | Summary | Asset scan settings |
---|---|---|
|
Finding description: The default network exists in a project. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: DNS logging on a VPC network is not enabled. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks all
|
|
Finding description: A legacy network exists in a project. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks network metadata for existence of the
|
|
Finding description: Logging is disabled for the load balancer. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Organization Policy vulnerability findings
Vulnerabilities of this detector type all relate to configurations of
Organization Policy
constraints, and belong to the ORG_POLICY
type.
Detector | Summary | Asset scan settings |
---|---|---|
|
Finding description:
A Compute Engine resource is out of compliance with
the
constraints/compute.restrictNonConfidentialComputing
organization policy. For more information about this org
policy constraint, see
Enforcing organization policy
constraints in Confidential VM.
For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks whether the
|
|
Finding description:
A Compute Engine resource is out of compliance with
the constraints/gcp.resourceLocations
constraint. For more information about this org policy
constraint, see Enforcing
organization policy constraints.
For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
Supported assets for ORG_POLICY_LOCATION_RESTRICTION
Compute Engine
GKE
Cloud Storage
Cloud KMS
Dataproc
BigQuery
Dataflow
Cloud SQL
Cloud Composer
Logging
Pub/Sub
Vertex AI
Artifact Registry
1 Because Cloud KMS assets cannot be deleted, the asset is not considered out-of-region if the asset's data has been destroyed.
2 Because Cloud KMS import jobs have a controlled lifecycle and cannot be terminated early, an ImportJob is not considered out-of-region if the job is expired and can no longer be used to import keys.
3 Because the lifecycle of Dataflow jobs cannot be managed, a Job is not considered out-of-region once it has reached a terminal state (stopped or drained), where it can no longer be used to process data.
|
Pub/Sub vulnerability findings
Vulnerabilities of this detector type all relate to Pub/Sub
configurations, and belong to the PUBSUB_SCANNER
type.
Detector | Summary | Asset scan settings |
---|---|---|
|
Finding description: A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
SQL vulnerability findings
The following sections describe vulnerability findings for AlloyDB for PostgreSQL and Cloud SQL.
AlloyDB for PostgreSQL vulnerability findings
Vulnerabilities of this detector type all relate to AlloyDB for PostgreSQL
configurations, and belong to the SQL_SCANNER
type.
Detector | Summary | Asset scan settings |
---|---|---|
|
Finding description: An AlloyDB for PostgreSQL cluster doesn't have automatic backups enabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: An AlloyDB for PostgreSQL cluster doesn't have backups enabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: An AlloyDB cluster is not encrypted with customer-managed encryption keys (CMEK). Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
To ensure adequate coverage of message types in the logs, generates a finding if the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
To ensure adequate coverage of message types in the logs, generates a finding if the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
To ensure adequate coverage of message types in the logs, generates a finding if the
|
|
Finding description: An AlloyDB for PostgreSQL database instance has a public IP address. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
|
Finding description: An AlloyDB for PostgreSQL database instance doesn't require all incoming connections to use SSL. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
Cloud SQL vulnerability findings
Vulnerabilities of this detector type all relate to Cloud SQL
configurations, and belong to the SQL_SCANNER
type.
Detector | Summary | Asset scan settings |
---|---|---|
|
Finding description: A Cloud SQL database doesn't have automatic backups enabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: A Cloud SQL database instance accepts connections from all IP addresses. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: A Cloud SQL database instance doesn't require all incoming connections to use SSL. Pricing tier: Premium or Standard
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
To ensure adequate coverage of message types in the logs, generates a finding if the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description: A Cloud SQL database that has a public IP address doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: A Cloud SQL database has a public IP address. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the IP address type of an
Cloud SQL database is set to
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description:
The Pricing tier: Premium
Supported assets Compliance standards:
|
Checks the
|
|
Finding description: A Cloud SQL database that has a public IP address also has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Compares the password for the root account of your Cloud SQL database to a list of common passwords.
|
Subnetwork vulnerability findings
Vulnerabilities of this detector type all relate to an organization's subnetwork
configurations, and belong to the SUBNETWORK_SCANNER
type.
Detector | Summary | Asset scan settings |
---|---|---|
|
Finding description: There is a VPC subnetwork that has flow logs disabled. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: For a VPC subnetwork, VPC Flow Logs is either off or is not configured according to CIS Benchmark 1.3 recommendations. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
|
Finding description: There are private subnetworks without access to Google public APIs. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks whether the
|
AWS findings
Detector | Summary | Asset scan settings |
---|---|---|
|
Finding description: AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers. Pricing tier: Enterprise Compliance standards:
|
Ensure access to AWSCloudShellFullAccess is restricted
|
|
Finding description: Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. Pricing tier: Enterprise Compliance standards:
|
Ensure access keys are rotated every 90 days or less
|
|
Finding description: To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Pricing tier: Enterprise Compliance standards:
|
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
|
|
Finding description: This checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups. Pricing tier: Enterprise Compliance standards:
|
Checks that all Auto Scaling groups associated with a load balancer use health checks
|
|
Finding description: Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to automatically receive minor engine upgrades during the specified maintenance window. That way, RDS instances get the new features, bug fixes, and security patches for their database engines. Pricing tier: Enterprise Compliance standards:
|
Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
|
|
Finding description: AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions. Pricing tier: Enterprise Compliance standards:
|
Ensure AWS Config is enabled in all regions
|
|
Finding description: Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products. Pricing tier: Enterprise Compliance standards:
|
Ensure AWS Security Hub is enabled
|
|
Finding description: AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. Pricing tier: Enterprise Compliance standards:
|
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
|
|
Finding description: CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails. Pricing tier: Enterprise Compliance standards:
|
Ensure CloudTrail log file validation is enabled
|
|
Finding description: AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution. Pricing tier: Enterprise Compliance standards:
|
Ensure CloudTrail trails are integrated with CloudWatch Logs
|
|
Finding description: This checks whether Amazon Cloudwatch has actions defined when an alarm transitions between the states 'OK', 'ALARM' and 'INSUFFICIENT_DATA'. Configuring actions for the ALARM state in Amazon CloudWatch alarms is very important to trigger an immediate response when monitored metrics breach thresholds. Alarms have at least one action. Pricing tier: Enterprise Compliance standards:
|
Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled.
|
|
Finding description: This check ensures CloudWatch logs are configured with KMS. Log group data is always encrypted in CloudWatch Logs. By default, CloudWatch Logs uses server-side encryption for the log data at rest. As an alternative, you can use AWS Key Management Service for this encryption. If you do, the encryption is done using an AWS KMS key. Encryption using AWS KMS is enabled at the log group level, by associating a KMS key with a log group, either when you create the log group or after it exists. Pricing tier: Enterprise Compliance standards:
|
Checks that all log groups in Amazon CloudWatch Logs are encrypted with KMS
|
|
Finding description: This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. The control fails if the CloudWatchLogsLogGroupArn property of the trail is empty. CloudTrail records AWS API calls that are made in a given account. The recorded information includes the following:
CloudTrail uses Amazon S3 for log file storage and delivery. You can capture CloudTrail logs in a specified S3 bucket for long-term analysis. To perform real-time analysis, you can configure CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all of those Regions to a CloudWatch Logs log group. Security Hub recommends that you send CloudTrail logs to CloudWatch Logs. Note that this recommendation is intended to ensure that account activity is captured, monitored, and appropriately alarmed on. You can use CloudWatch Logs to set this up with your AWS services. This recommendation does not preclude the use of a different solution. Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address. You can use this approach to establish alarms and notifications for anomalous or sensitive account activity. Pricing tier: Enterprise Compliance standards:
|
Checks that all CloudTrail trails are configured to send logs to AWS CloudWatch
|
|
Finding description: This checks whether the project contains the environment variables Authentication credentials Pricing tier: Enterprise Compliance standards:
|
Checks that all projects containing the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY do not store them in plaintext
|
|
Finding description: This checks whether an AWS CodeBuild project Bitbucket source repository URL contains personal access tokens or a user name and password. The control fails if the Bitbucket source repository URL contains personal access tokens or a user name and password. Sign-in credentials shouldn't be stored or transmitted in clear text or appear in the source repository URL. Instead of personal access tokens or sign-in credentials, you should access your source provider in CodeBuild, and change your source repository URL to contain only the path to the Bitbucket repository location. Using personal access tokens or sign-in credentials could result in unintended data exposure or unauthorized access. Pricing tier: Enterprise Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks that all projects using GitHub or Bitbucket as the source use OAuth
|
|
Finding description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed. Pricing tier: Enterprise Compliance standards:
|
Ensure credentials unused for 45 days or greater are disabled
|
|
Ensure the default security group of every VPC restricts all traffic
Finding description: A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.
NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering: discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.
Pricing tier: Enterprise
Compliance standards:

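As an added example of the evaluation this control performs (example code, not Security Command Center's or AWS's own), the following Python walks a set of security group records, picks out each VPC's `default` group and passes it only when it has no ingress and no egress rules at all, rendering any remaining rules in the finding text. The records are constructed sample data in the shape of the EC2 DescribeSecurityGroups response; the function names are assumptions.

```python
"""Evaluate whether each VPC's default security group restricts all traffic.

Added example; SECURITY_GROUPS is constructed sample data in the shape of the
EC2 DescribeSecurityGroups response, not output from a real account.
"""

SECURITY_GROUPS = [
    # Default group still at its initial settings: allows all traffic between
    # members (self-referencing ingress rule) and all outbound traffic.
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "default", "VpcId": "vpc-0aaa",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001", "UserId": "123456789012"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "PrefixListIds": [], "UserIdGroupPairs": []}]},
    # Default group already remediated: no rules in either direction.
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "default", "VpcId": "vpc-0bbb",
     "IpPermissions": [], "IpPermissionsEgress": []},
    # A non-default group: out of scope for this control even though it is permissive.
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "web", "VpcId": "vpc-0aaa",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
          "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []},
]


def describe_rule(rule: dict) -> str:
    """Render one permission entry as 'proto/ports sources' for the finding text."""
    proto = "all" if rule["IpProtocol"] == "-1" else rule["IpProtocol"]
    if "FromPort" in rule:
        same = rule["FromPort"] == rule["ToPort"]
        ports = str(rule["FromPort"]) if same else f"{rule['FromPort']}-{rule['ToPort']}"
    else:
        ports = "all"
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    sources += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
    sources += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
    return f"{proto}/{ports} {','.join(sources) or '(no source)'}"


def evaluate_default_security_groups(groups) -> dict:
    """Per-VPC verdict: PASS only if the default group has no rules at all."""
    verdicts = {}
    for g in groups:
        if g["GroupName"] != "default":
            continue
        offending = [f"ingress {describe_rule(r)}" for r in g["IpPermissions"]]
        offending += [f"egress {describe_rule(r)}" for r in g["IpPermissionsEgress"]]
        verdicts[g["VpcId"]] = {
            "GroupId": g["GroupId"],
            "status": "FAIL" if offending else "PASS",
            "rules": offending,
        }
    return verdicts


if __name__ == "__main__":
    for vpc, verdict in evaluate_default_security_groups(SECURITY_GROUPS).items():
        print(vpc, verdict["GroupId"], verdict["status"], *verdict["rules"], sep="\n  ")
```

Note that the self-referencing ingress rule is what lets members of the default group talk to each other freely; it is reported like any other rule because the control requires the group to be empty. Before revoking the rules on a busy VPC, turn on flow logs for the period of discovery as the description recommends, so that the ports workloads actually need can be moved into purpose-built groups.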
Checks whether AWS Database Migration Service replication instances are public
Finding description: Checks whether AWS DMS replication instances are public. To do this, it examines whether the replication instance is configured as publicly accessible. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network. The network must also be connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. To learn more about public and private replication instances, see Public and private replication instances in the AWS Database Migration Service User Guide. You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.
Pricing tier: Enterprise
Compliance standards:

Do not set up access keys during initial user setup for all IAM users that have a console password
Finding description: The AWS Management Console selects no access type by default when creating a new IAM user. When creating the IAM user's credentials you have to determine what type of access they require. Programmatic access: the IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and secret access key) for that user. AWS Management Console access: if the user needs to access the AWS Management Console, create a password for the user.
Pricing tier: Enterprise
Compliance standards:

DynamoDB tables should automatically scale capacity with demand
Finding description: This checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications. DynamoDB tables in on-demand capacity mode are only limited by the DynamoDB throughput default table quotas. To raise these quotas, you can file a support ticket through AWS Support. DynamoDB tables in provisioned mode with auto scaling adjust the provisioned throughput capacity dynamically in response to traffic patterns. For additional information on DynamoDB request throttling, see Request throttling and burst capacity in the Amazon DynamoDB Developer Guide.
Pricing tier: Enterprise
Compliance standards:

DynamoDB tables should be covered by a backup plan
Finding description: This control evaluates whether a DynamoDB table is covered by a backup plan. The control fails if a DynamoDB table isn't covered by a backup plan. This control only evaluates DynamoDB tables that are in the ACTIVE state. Backups help you recover more quickly from a security incident. They also strengthen the resilience of your systems. Including DynamoDB tables in a backup plan helps you protect your data from unintended loss or deletion.
Pricing tier: Enterprise
Compliance standards:

Checks that point-in-time recovery (PITR) is enabled for all AWS DynamoDB tables
Finding description: Point-in-time recovery (PITR) is one of the mechanisms available to back up DynamoDB tables. A point-in-time backup is kept for 35 days. If you require longer retention, see Set up scheduled backups for Amazon DynamoDB using AWS Backup in the AWS documentation.
Pricing tier: Enterprise
Compliance standards:

Checks that all DynamoDB tables are encrypted with AWS Key Management Service (KMS)
Finding description: Checks whether all DynamoDB tables are encrypted with a customer managed KMS key (non-default).
Pricing tier: Enterprise
Compliance standards:

Checks that EBS optimization is enabled for all instances that support EBS optimization
Finding description: Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized.
Pricing tier: Enterprise
Compliance standards:

Amazon EBS snapshots should not be publicly restorable
Finding description: Checks whether Amazon Elastic Block Store snapshots are not public. The control fails if Amazon EBS snapshots are restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. This check helps ensure that all such sharing was fully planned and intentional.
Pricing tier: Enterprise
Compliance standards:

Ensure EBS Volume Encryption is Enabled in all Regions
Finding description: Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.
Pricing tier: Enterprise
Compliance standards:

Ensures that all instances belong to a VPC
Finding description: Amazon VPC provides more security functionality than EC2-Classic. It is recommended that all nodes belong to an Amazon VPC.
Pricing tier: Enterprise
Compliance standards:

Ensures no instances have a public IP
Finding description: EC2 instances that have a public IP address are at an increased risk of compromise. It is recommended that EC2 instances not be configured with a public IP address.
Pricing tier: Enterprise
Compliance standards:

Checks the compliance status of the AWS Systems Manager association
Finding description: A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. EC2 instances that have an association with AWS Systems Manager are under management of Systems Manager, which makes it easier to apply patches, fix misconfigurations, and respond to security events.
Pricing tier: Enterprise
Compliance standards:

Checks the status of AWS Systems Manager patch compliance
Finding description: This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control fails if the association compliance status is NON_COMPLIANT. A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances or that certain ports must be closed. After you create one or more State Manager associations, compliance status information is immediately available to you. You can view the compliance status in the console or in response to AWS CLI commands or corresponding Systems Manager API actions. For associations, Configuration Compliance shows the compliance status (Compliant or Non-compliant). It also shows the severity level assigned to the association, such as Critical or Medium. To learn more about State Manager association compliance, see About State Manager association compliance in the AWS Systems Manager User Guide.
Pricing tier: Enterprise
Compliance standards:

Ensure that EC2 Metadata Service only allows IMDSv2
Finding description: When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).
Pricing tier: Enterprise
Compliance standards:

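The three instance-level controls above (VPC membership, no public IP, IMDSv2 only) all read from the same instance description, so here is one added Python example (not Security Command Center's or AWS's code) that evaluates all three against constructed instance records in the shape of the `Instances[]` entries of an EC2 DescribeInstances response. The finding codes, the function names and the decision to treat a disabled metadata endpoint as passing the IMDSv2 check are assumptions of this example.

```python
"""Evaluate EC2 instances for VPC membership, public IPs and IMDSv2 enforcement.

Added example; INSTANCES is constructed sample data in the shape of the
Instances[] entries of an EC2 DescribeInstances response, not real instances.
"""

INSTANCES = [
    # Public IP and IMDSv1 still accepted (HttpTokens optional).
    {"InstanceId": "i-0aaa", "VpcId": "vpc-0aaa", "PublicIpAddress": "203.0.113.10",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    # Private, in a VPC, IMDSv2 required: passes everything.
    {"InstanceId": "i-0bbb", "VpcId": "vpc-0aaa",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    # No VpcId: an EC2-Classic instance. Metadata endpoint disabled entirely.
    {"InstanceId": "i-0ccc",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]


def check_instance(instance: dict) -> list:
    """Return the list of finding codes raised for one instance (empty = compliant)."""
    findings = []
    if not instance.get("VpcId"):
        findings.append("NOT_IN_VPC")
    if instance.get("PublicIpAddress"):
        findings.append("PUBLIC_IP")
    md = instance.get("MetadataOptions", {})
    # A disabled endpoint cannot serve IMDSv1 at all, so only an enabled endpoint
    # that still answers token-less requests is reported (assumption of this example).
    if md.get("HttpEndpoint", "enabled") == "enabled" and md.get("HttpTokens") != "required":
        findings.append("IMDSV1_ALLOWED")
    return findings


def evaluate_instances(instances) -> dict:
    """Evaluate every instance; keyed by instance ID."""
    return {i["InstanceId"]: check_instance(i) for i in instances}


if __name__ == "__main__":
    for instance_id, findings in evaluate_instances(INSTANCES).items():
        print(instance_id, findings or "compliant")
```

`HttpTokens` is the field that decides the IMDSv2 control: `optional` means the instance still answers unauthenticated `GET /latest/meta-data/` requests, which is the path most SSRF-to-credential-theft chains take, while `required` forces the PUT-then-GET session flow. The switch on a running instance is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`.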
Checks whether EBS volumes are attached to EC2 instances and configured for deletion on instance termination
Finding description: This identifies unattached (unused) Elastic Block Store (EBS) volumes in your AWS account so that they can be removed, which lowers your monthly AWS bill. Deleting unused EBS volumes also reduces the risk of confidential or sensitive data leaving your premises. Additionally, this control checks whether EC2 instances are configured to delete their volumes on termination. By default, an EC2 instance is configured to delete its root EBS volume when the instance is terminated. However, any non-root EBS volumes attached to the instance, at launch or during execution, are persisted after termination by default.
Pricing tier: Enterprise
Compliance standards:

Checks whether EFS is configured to encrypt file data using KMS
Finding description: Amazon EFS supports two forms of encryption for file systems, encryption of data in transit and encryption at rest. This checks that all EFS file systems are configured with encryption at rest across all enabled regions in the account.
Pricing tier: Enterprise
Compliance standards:

Checks whether EFS file systems are included in AWS Backup plans
Finding description: Amazon best practices recommend configuring backups for your Elastic File Systems (EFS). This checks all EFS file systems across every enabled region in your AWS account for enabled backups.
Pricing tier: Enterprise
Compliance standards:

Checks that all Classic Load Balancers use SSL certificates provided by AWS Certificate Manager
Finding description: Checks whether the Classic Load Balancer uses HTTPS/SSL certificates provided by AWS Certificate Manager (ACM). The control fails if the Classic Load Balancer configured with an HTTPS/SSL listener does not use a certificate provided by ACM. To create a certificate, you can use either ACM or a tool that supports the SSL and TLS protocols, such as OpenSSL. Security Hub recommends that you use ACM to create or import certificates for your load balancer. ACM integrates with Classic Load Balancers so that you can deploy the certificate on your load balancer. You also should automatically renew these certificates.
Pricing tier: Enterprise
Compliance standards:

Application Load Balancer deletion protection should be enabled
Finding description: Checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. Enable deletion protection to protect your Application Load Balancer from deletion.
Pricing tier: Enterprise
Compliance standards:

Checks whether classic and application load balancers have logging enabled
Finding description: This checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues. To learn more, see Access logs for your Classic Load Balancer in the User Guide for Classic Load Balancers.
Pricing tier: Enterprise
Compliance standards:

Checks that all Classic Load Balancers are configured with SSL or HTTPS listeners
Finding description: This check ensures all Classic Load Balancers are configured to use secure communication. A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections and a protocol and a port for back-end (load balancer to instance) connections. For information about the ports, protocols, and listener configurations supported by Elastic Load Balancing, see Listeners for your Classic Load Balancer.
Pricing tier: Enterprise
Compliance standards:

Attached Amazon EBS volumes should be encrypted at rest
Finding description: Checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check. For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses KMS keys when creating encrypted volumes and snapshots. To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances.
Pricing tier: Enterprise
Compliance standards:

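The two EBS volume controls above (volumes attached and deleted on termination; attached volumes encrypted) both read the same volume description, so here is one added Python example (not Security Command Center's or AWS's code) that applies both to constructed volume records in the shape of the `Volumes[]` entries of an EC2 DescribeVolumes response. It keeps the scoping rule the encryption control states: an unattached volume is reported as unused but is not subject to the encryption check. The finding codes and function names are assumptions of this example.

```python
"""Evaluate EBS volumes: attached, deleted on termination, and encrypted when attached.

Added example; VOLUMES is constructed sample data in the shape of the Volumes[]
entries of an EC2 DescribeVolumes response, not real volumes.
"""

VOLUMES = [
    # Encrypted root volume, deleted with the instance: compliant.
    {"VolumeId": "vol-0001", "State": "in-use", "Encrypted": True,
     "Attachments": [{"InstanceId": "i-0aaa", "Device": "/dev/xvda",
                      "State": "attached", "DeleteOnTermination": True}]},
    # Unencrypted data volume that will outlive its instance.
    {"VolumeId": "vol-0002", "State": "in-use", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0aaa", "Device": "/dev/xvdf",
                      "State": "attached", "DeleteOnTermination": False}]},
    # Orphaned volume: unused, and out of scope for the encryption check.
    {"VolumeId": "vol-0003", "State": "available", "Encrypted": False,
     "Attachments": []},
]


def check_volume(volume: dict) -> list:
    """Return the finding codes raised for one volume (empty = compliant)."""
    findings = []
    attached = [a for a in volume.get("Attachments", []) if a.get("State") == "attached"]
    if not attached:
        # Unused volume: flag it, but the encryption control does not apply.
        findings.append("UNATTACHED")
        return findings
    if not volume.get("Encrypted", False):
        findings.append("UNENCRYPTED_ATTACHED")
    if not all(a.get("DeleteOnTermination", False) for a in attached):
        findings.append("NOT_DELETED_ON_TERMINATION")
    return findings


def evaluate_volumes(volumes) -> dict:
    """Evaluate every volume; keyed by volume ID."""
    return {v["VolumeId"]: check_volume(v) for v in volumes}


if __name__ == "__main__":
    for volume_id, findings in evaluate_volumes(VOLUMES).items():
        print(volume_id, findings or "compliant")
```

An existing unencrypted volume cannot be encrypted in place; the remediation is a snapshot, an encrypted copy of the snapshot, and a volume created from that copy. To stop new unencrypted volumes from appearing, which is what the "Ensure EBS Volume Encryption is Enabled in all Regions" control above checks, run `aws ec2 enable-ebs-encryption-by-default` in every enabled region.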
Ensure that encryption at rest is enabled for RDS instances
Finding description: Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.
Pricing tier: Enterprise
Compliance standards:

Ensure that encryption is enabled for EFS file systems
Finding description: EFS data should be encrypted at rest using AWS KMS (Key Management Service).
Pricing tier: Enterprise
Compliance standards:

Checks whether the account password policy for IAM users meets the specified requirements
Finding description: AWS allows for custom password policies on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. If you don't set a custom password policy, IAM user passwords must meet the default AWS password policy. AWS security best practices recommend a specific set of password complexity requirements, and this control checks all of them.
Pricing tier: Enterprise
Compliance standards:

Ensure IAM password policy prevents password reuse
Finding description: IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.
Pricing tier: Enterprise
Compliance standards:

Ensure IAM password policy requires minimum length of 14 or greater
Finding description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14.
Pricing tier: Enterprise
Compliance standards:

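The three password policy controls above (complexity, reuse prevention, minimum length of 14) all evaluate the same account object, so here is one added Python example (not Security Command Center's or AWS's code) that checks a policy in the shape of the `PasswordPolicy` member of an IAM GetAccountPasswordPolicy response. The two policy dicts are constructed; the reuse threshold of 24 remembered passwords and the 90-day maximum age are the CIS AWS Foundations Benchmark values and are assumptions of this example, since the descriptions above do not state numbers for them.

```python
"""Evaluate an IAM account password policy against length, complexity,
reuse-prevention and rotation requirements.

Added example; POLICY_WEAK and POLICY_STRONG are constructed dicts in the
shape of IAM GetAccountPasswordPolicy's PasswordPolicy member. The reuse (24)
and rotation (90 days) thresholds are CIS Benchmark values, assumed here.
"""

POLICY_WEAK = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
}
POLICY_STRONG = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False,
}

REUSE_PREVENTION_MIN = 24   # CIS value (assumption of this example)
MAX_PASSWORD_AGE_DAYS = 90  # CIS value (assumption of this example)


def evaluate_password_policy(policy) -> dict:
    """Return {requirement: passed}. Pass None when GetAccountPasswordPolicy
    raises NoSuchEntity (the account uses the AWS default policy); every
    requirement is then treated conservatively as failing, because nothing in
    the account asserts it."""
    p = policy or {}
    return {
        "min_length_14": p.get("MinimumPasswordLength", 0) >= 14,
        "uppercase": bool(p.get("RequireUppercaseCharacters")),
        "lowercase": bool(p.get("RequireLowercaseCharacters")),
        "numbers": bool(p.get("RequireNumbers")),
        "symbols": bool(p.get("RequireSymbols")),
        "reuse_prevention": p.get("PasswordReusePrevention", 0) >= REUSE_PREVENTION_MIN,
        # MaxPasswordAge only takes effect when ExpirePasswords is true.
        "max_age": bool(p.get("ExpirePasswords"))
                   and 0 < p.get("MaxPasswordAge", 0) <= MAX_PASSWORD_AGE_DAYS,
    }


def failed_requirements(policy) -> list:
    """Sorted names of the requirements the policy does not meet."""
    return sorted(name for name, ok in evaluate_password_policy(policy).items() if not ok)


if __name__ == "__main__":
    for label, policy in (("weak", POLICY_WEAK), ("strong", POLICY_STRONG), ("default", None)):
        print(label, failed_requirements(policy) or "compliant")
```

All of these fields map one-to-one onto flags of `aws iam update-account-password-policy` (`--minimum-password-length 14 --require-symbols --require-numbers --require-uppercase-characters --require-lowercase-characters --password-reuse-prevention 24 --max-password-age 90`), so the failed-requirement list is effectively the remediation command.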
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Finding description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended, and considered standard security advice, to grant least privilege, that is, to grant only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
Pricing tier: Enterprise
Compliance standards:

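As an added example of how the `"*:*"` control above is evaluated (example code, not Security Command Center's or AWS's own), the following Python inspects IAM policy documents for an `Allow` statement whose `Action` is `*` (or `*:*`) and whose `Resource` is `*`, handling the single-statement and string-versus-list forms the policy grammar permits. It also surfaces a caveat the control's definition leaves out: an `Allow` with `NotAction` on `Resource: "*"` is nearly as broad but is not what this control flags. The policy documents are constructed samples; the verdict strings and function names are assumptions of this example.

```python
"""Flag IAM policy documents that grant full "*:*" administrative privileges.

Added example; the policy documents below are constructed samples, not
policies from a real account.
"""

# Full admin: the shape this control is defined to catch.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Same grant hidden in a list, with Statement as a single object rather than a list.
ADMIN_IN_LIST = {"Version": "2012-10-17",
                 "Statement": {"Effect": "Allow", "Action": ["s3:GetObject", "*:*"],
                               "Resource": ["*"]}}
# Least-privilege read access to one bucket.
READ_ONLY = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                            "Resource": "arn:aws:s3:::acme-logs/*"}]}
# Wildcard action scoped to one resource: broad, but not "*:*" on "*".
SCOPED_STAR = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*",
                              "Resource": "arn:aws:s3:::acme-logs/*"}]}
# A Deny of everything is not a grant.
DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}
# Everything except IAM/Organizations: passes this control, hence the warning.
POWER_USER = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow",
                             "NotAction": ["iam:*", "organizations:*", "account:*"],
                             "Resource": "*"}]}


def _as_list(value) -> list:
    """IAM allows a single string where a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_full_admin(stmt: dict) -> bool:
    """True for Effect Allow, Action * (or *:*), Resource *."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = set(_as_list(stmt.get("Action")))
    resources = set(_as_list(stmt.get("Resource")))
    return bool(actions & {"*", "*:*"}) and "*" in resources


def statement_is_broad_not_action(stmt: dict) -> bool:
    """Allow + NotAction on Resource *: not flagged by the control, worth a warning."""
    return (stmt.get("Effect") == "Allow" and "NotAction" in stmt
            and "*" in set(_as_list(stmt.get("Resource"))))


def evaluate_policy(document: dict) -> str:
    """FAIL if any statement grants full admin; PASS_WITH_WARNING for broad
    NotAction grants; PASS otherwise."""
    statements = _as_list(document.get("Statement"))
    if any(statement_is_full_admin(s) for s in statements):
        return "FAIL"
    if any(statement_is_broad_not_action(s) for s in statements):
        return "PASS_WITH_WARNING"
    return "PASS"


if __name__ == "__main__":
    samples = {"ADMIN": ADMIN, "ADMIN_IN_LIST": ADMIN_IN_LIST, "READ_ONLY": READ_ONLY,
               "SCOPED_STAR": SCOPED_STAR, "DENY_ALL": DENY_ALL, "POWER_USER": POWER_USER}
    for name, doc in samples.items():
        print(f"{name:14s} {evaluate_policy(doc)}")
```

The normalisation in `_as_list` matters in practice: `Statement`, `Action` and `Resource` may each be a bare string, and a scanner that assumes lists will silently skip exactly the hand-written one-line admin policies it should catch.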
Ensure IAM Users Receive Permissions Only Through Groups
Finding description: IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user: 1) edit the user policy directly, also known as an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy; 4) add the user to an IAM group that has an inline policy. Only the third implementation is recommended.
Pricing tier: Enterprise
Compliance standards:

Checks whether IAM users are members of at least one IAM group
Finding description: IAM users should always be part of an IAM group in order to adhere to IAM security best practices. By adding users to a group, it is possible to share policies among types of users.
Pricing tier: Enterprise
Compliance standards:

Checks whether the AWS IAM users have multi-factor authentication (MFA) enabled
Finding description: Multi-factor authentication (MFA) is a best practice that adds an extra layer of protection on top of user names and passwords. With MFA, when a user signs in to the AWS Management Console, they are required to provide a time-sensitive authentication code, provided by a registered virtual or physical device.
Pricing tier: Enterprise
Compliance standards:

Finding description: This checks for any IAM passwords or active access keys that have not been used in the last 90 days. Best practices recommend that you remove, deactivate or rotate all credentials unused for 90 days or more. This reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.
Pricing tier:
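Four of the IAM user controls in this section (credentials unused for 45 days, credentials unused for 90 days, console users without MFA, and access keys created during initial user setup) are all answered by the IAM credential report, so here is one added Python example (not Security Command Center's or AWS's code) that evaluates all four from a single report. The report text is a constructed sample in the CSV column layout of IAM GetCredentialReport, the clock is pinned so the numbers are reproducible, and the rule that a never-used credential is aged from the date it was set, plus the 60-second window for "created with the user", are assumptions of this example.

```python
"""Find stale, MFA-less and setup-time credentials in an IAM credential report.

Added example; CREDENTIAL_REPORT is a constructed sample in the CSV layout of
IAM GetCredentialReport, and NOW is a fixed clock so results are reproducible.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
NO_VALUE = {"N/A", "no_information", "not_supported", ""}

CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T00:00:00+00:00,true,2024-06-01T09:00:00+00:00,2024-03-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,true,true,2023-01-10T00:00:05+00:00,2024-02-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-12-01T00:00:00+00:00,true,no_information,2024-01-01T00:00:00+00:00,2024-03-31T00:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2024-02-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-02-01T00:00:03+00:00,2024-06-10T12:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A
"""


def parse_report(text: str) -> list:
    """One dict per row, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value):
    """Parse a report timestamp; placeholder values become None."""
    return None if value in NO_VALUE else datetime.fromisoformat(value)


def unused_credentials(rows, max_age_days: int, now=NOW) -> list:
    """(user, credential, days_idle) for each enabled password or active access
    key idle for max_age_days or more. A credential never used is aged from the
    day it was set (assumption of this example). Root is skipped: its
    password_enabled column reads not_supported."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in rows:
        if row["password_enabled"] == "true":
            last = _ts(row["password_last_used"]) or _ts(row["password_last_changed"])
            if last and last <= cutoff:
                findings.append((row["user"], "password", (now - last).days))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last = (_ts(row[f"access_key_{n}_last_used_date"])
                    or _ts(row[f"access_key_{n}_last_rotated"]))
            if last and last <= cutoff:
                findings.append((row["user"], f"access_key_{n}", (now - last).days))
    return findings


def console_users_without_mfa(rows) -> list:
    """Users who can sign in to the console but have no MFA device."""
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def keys_created_with_user(rows, window_seconds: int = 60) -> list:
    """Console users whose access key dates from user creation, i.e. it was set
    up together with the user and never rotated (60 s window is an assumption)."""
    hits = []
    for r in rows:
        if r["password_enabled"] != "true":
            continue
        created = _ts(r["user_creation_time"])
        for n in ("1", "2"):
            rotated = _ts(r[f"access_key_{n}_last_rotated"])
            if created and rotated and abs((rotated - created).total_seconds()) <= window_seconds:
                hits.append((r["user"], f"access_key_{n}"))
    return hits


if __name__ == "__main__":
    rows = parse_report(CREDENTIAL_REPORT)
    print("unused >= 45d:", unused_credentials(rows, 45))
    print("unused >= 90d:", unused_credentials(rows, 90))
    print("no MFA:", console_users_without_mfa(rows))
    print("keys from setup:", keys_created_with_user(rows))
```

The report is fetched with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose `Content` field is base64-encoded CSV in exactly this column layout. Note that `svc-deploy` has no MFA but is not reported: the MFA control applies to console users, and a key-only service user is the case the other three controls are there to catch.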