Vulnerability findings

Security Health Analytics and Web Security Scanner detectors generate vulnerability findings that are available in Security Command Center. When they are enabled in Security Command Center, integrated services, like VM Manager, also generate vulnerability findings.

Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.

Detectors and compliance

Security Command Center monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.

For each supported security standard, Security Command Center checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.

CIS reviews and certifies the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Command Center adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.

With the security posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.

With Compliance Manager (Preview), you can deploy frameworks that map regulatory controls to cloud controls. After you create a framework, you can monitor for any changes to the environment that might affect your business's compliance and audit your environment.

For more information about managing compliance, see Assess and report compliance with security standards.

Supported security standards

Google Cloud

Security Command Center maps detectors for Google Cloud to one or more of the following compliance standards:

AWS

Security Command Center maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards:

For instructions on viewing and exporting compliance reports, see Assess and report compliance with security standards.

Finding deactivation after remediation

After you remediate a vulnerability or misconfiguration finding, the Security Command Center service that detected the finding automatically sets the state of the finding to INACTIVE the next time the detection service scans for the finding. How long Security Command Center takes to set a remediated finding to INACTIVE depends on the schedule of the scan that detects the finding.

The Security Command Center services also set the state of a vulnerability or misconfiguration finding to INACTIVE when a scan detects that the resource that is affected by the finding is deleted.

For more information about scan intervals, see the following topics:

Security Health Analytics findings

Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.

For more information about Security Health Analytics, scan schedules, and the Security Health Analytics support for both built-in and custom module detectors, see Overview of Security Health Analytics.

The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by various attributes on the following Google Cloud console pages:

  • Vulnerabilities page
  • Risk Overview page > Vulnerabilities dashboard

For instructions on fixing findings and protecting your resources, see Remediating Security Health Analytics findings.

API key vulnerability findings

The API_KEY_SCANNER detector identifies vulnerabilities related to API keys used in your cloud deployment.

Detector Summary Asset scan settings

Category name in the API: API_KEY_APIS_UNRESTRICTED

Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.12
  • CIS GCP Foundation 1.1: 1.14
  • CIS GCP Foundation 1.2: 1.14
  • CIS GCP Foundation 1.3: 1.14
  • CIS GCP Foundation 2.0: 1.14
  • CIS GCP Foundation 3.0: 1.14
  • NIST 800-53 R5: PL-8, SA-8
  • PCI-DSS v4.0: 2.2.2, 6.2.1
  • ISO-27001 v2022: A.8.27
  • Cloud Controls Matrix 4: DSP-07
  • NIST Cybersecurity Framework 1.0: PR-IP-2
  • CIS Controls 8.0: 16.10

Retrieves the restrictions property of all API keys in a project, checking if any is set to cloudapis.googleapis.com.

  • Real-time scans: No

Category name in the API: API_KEY_APPS_UNRESTRICTED

Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.11
  • CIS GCP Foundation 1.1: 1.13
  • CIS GCP Foundation 1.2: 1.13
  • CIS GCP Foundation 1.3: 1.13
  • CIS GCP Foundation 2.0: 1.13
  • CIS GCP Foundation 3.0: 1.13

Retrieves the restrictions property of all API keys in a project, checking whether browserKeyRestrictions, serverKeyRestrictions, androidKeyRestrictions, or iosKeyRestrictions is set.

  • Real-time scans: No

Category name in the API: API_KEY_EXISTS

Finding description: A project is using API keys instead of standard authentication.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.10
  • CIS GCP Foundation 1.1: 1.12
  • CIS GCP Foundation 1.2: 1.12
  • CIS GCP Foundation 1.3: 1.12
  • CIS GCP Foundation 2.0: 1.12
  • CIS GCP Foundation 3.0: 1.12
  • NIST 800-53 R5: PL-8, SA-8
  • PCI-DSS v4.0: 2.2.2, 6.2.1
  • ISO-27001 v2022: A.8.27
  • Cloud Controls Matrix 4: DSP-07
  • NIST Cybersecurity Framework 1.0: PR-IP-2
  • CIS Controls 8.0: 16.10

Retrieves all API keys owned by a project.

  • Real-time scans: No

Category name in the API: API_KEY_NOT_ROTATED

Finding description: The API key hasn't been rotated for more than 90 days.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.13
  • CIS GCP Foundation 1.1: 1.15
  • CIS GCP Foundation 1.2: 1.15
  • CIS GCP Foundation 1.3: 1.15
  • CIS GCP Foundation 2.0: 1.15
  • CIS GCP Foundation 3.0: 1.15
  • NIST 800-53 R5: PL-8, SA-8
  • PCI-DSS v4.0: 2.2.2, 6.2.1
  • ISO-27001 v2022: A.8.27
  • Cloud Controls Matrix 4: DSP-07
  • NIST Cybersecurity Framework 1.0: PR-IP-2
  • CIS Controls 8.0: 16.10

Retrieves the timestamp contained in the createTime property of all API keys, checking whether 90 days have passed.

  • Real-time scans: No

Cloud Asset Inventory vulnerability findings

Vulnerabilities of this detector type all relate to Cloud Asset Inventory configurations and belong to the CLOUD_ASSET_SCANNER type.

Detector Summary Asset scan settings

Category name in the API: CLOUD_ASSET_API_DISABLED

Finding description: The capturing of Google Cloud resources and IAM policies by Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing. We recommend that Cloud Asset Inventory service be enabled for all projects. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
pubsub.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.3: 2.13
  • CIS GCP Foundation 2.0: 2.13
  • CIS GCP Foundation 3.0: 2.13
  • NIST 800-53 R5: CM-8, PM-5
  • PCI-DSS v4.0: 11.2.1, 11.2.2, 12.5.1, 9.5.1, 9.5.1.1
  • ISO-27001 v2022: A.5.9, A.8.8
  • Cloud Controls Matrix 4: UEM-04
  • NIST Cybersecurity Framework 1.0: ID-AM-1, PR-DS-3
  • SOC2 v2017: CC3.2.6, CC6.1.1
  • HIPAA: 164.310(d)(2)(iii)
  • CIS Controls 8.0: 1.1, 6.6

Checks if the Cloud Asset Inventory service is enabled.

  • Real-time scans: Yes

Storage vulnerability findings

Vulnerabilities of this detector type all relate to Cloud Storage Buckets configurations, and belong to theSTORAGE_SCANNERtype.

Detector Summary Asset scan settings

Category name in the API: BUCKET_CMEK_DISABLED

Finding description: A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the encryption field in bucket metadata for the resource name of your CMEK.

  • Real-time scans: Yes

Category name in the API: BUCKET_POLICY_ONLY_DISABLED

Finding description: Uniform bucket-level access, previously called Bucket Policy Only, isn't configured.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 5.2
  • CIS GCP Foundation 1.3: 5.2
  • CIS GCP Foundation 2.0: 5.2
  • CIS GCP Foundation 3.0: 5.2
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks whether the uniformBucketLevelAccess property on a bucket is set to "enabled":false

  • Real-time scans: Yes

Category name in the API: PUBLIC_BUCKET_ACL

Finding description: A Cloud Storage bucket is publicly accessible.

Pricing tier: Premium or Standard

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 5.1
  • CIS GCP Foundation 1.1: 5.1
  • CIS GCP Foundation 1.2: 5.1
  • CIS GCP Foundation 1.3: 5.1
  • CIS GCP Foundation 2.0: 5.1
  • CIS GCP Foundation 3.0: 5.1
  • NIST 800-53 R4: AC-2
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 7.1
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.14.1.3, A.8.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the IAM allow policy of a bucket for public roles, allUsers or allAuthenticatedUsers.

  • Real-time scans: Yes

Category name in the API: PUBLIC_LOG_BUCKET

Finding description: A storage bucket used as a log sink is publicly accessible.

This finding isn't available for project-level activations.

Pricing tier: Premium or Standard

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • NIST 800-53 R4: AU-9
  • PCI-DSS v3.2.1: 10.5
  • ISO-27001 v2013: A.12.4.2, A.18.1.3, A.8.2.3

Checks the IAM allow policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Real-time scans: Yes, but only if IAM policy on bucket changes, not if log sink is changed

Compute image vulnerability findings

The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to Google Cloud image configurations.

Detector Summary Asset scan settings

Category name in the API: PUBLIC_COMPUTE_IMAGE

Finding description: A Compute Engine image is publicly accessible.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Image

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the IAM allow policy in resource metadata for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Real-time scans: Yes

Compute instance vulnerability findings

The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to Compute Engine instance configurations.

COMPUTE_INSTANCE_SCANNER detectors don't report findings on Compute Engine instances created by GKE. Such instances have names that start with "gke-", which users cannot edit. To secure these instances, refer to the Container vulnerability findings section.

Detector Summary Asset scan settings

Category name in the API: CONFIDENTIAL_COMPUTING_DISABLED

Finding description: Confidential Computing is disabled on a Compute Engine instance.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 4.11
  • CIS GCP Foundation 1.3: 4.11
  • CIS GCP Foundation 2.0: 4.11
  • CIS GCP Foundation 3.0: 4.11
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks the confidentialInstanceConfig property of instance metadata for the key-value pair "enableConfidentialCompute":true.

  • Assets excluded from scans:
    • GKE instances
    • Serverless VPC Access
    • Instances related to Dataflow jobs
    • Compute Engine instances that are not of type N2D
  • Real-time scans: Yes

Category name in the API: COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED

Finding description: Project-wide SSH keys are used, allowing login to all instances in the project.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.2
  • CIS GCP Foundation 1.1: 4.3
  • CIS GCP Foundation 1.2: 4.3
  • CIS GCP Foundation 1.3: 4.3
  • CIS GCP Foundation 2.0: 4.3
  • CIS GCP Foundation 3.0: 4.3
  • NIST 800-53 R5: AC-17, IA-5, SC-8
  • PCI-DSS v4.0: 2.2.7, 4.1.1, 4.2.1, 4.2.1.2, 4.2.2, 8.3.2
  • ISO-27001 v2022: A.5.14
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-2
  • SOC2 v2017: CC6.1.11, CC6.1.3, CC6.1.8, CC6.7.2
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.10, 5.2

Checks the metadata.items[] object in instance metadata for the key-value pair "key": "block-project-ssh-keys", "value": TRUE.

  • Assets excluded from scans: GKE instances, Dataflow job, Windows instance
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Real-time scans: No

Category name in the API: COMPUTE_SECURE_BOOT_DISABLED

Finding description: This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the shieldedInstanceConfig property on Compute Engine instances to determine if enableSecureBoot is set to true. This detector checks whether attached disks are compatible with Secure Boot and Secure Boot is enabled.

  • Assets excluded from scans: GKE instances, Compute Engine disks that have GPU accelerators and don't use Container-Optimized OS, Serverless VPC Access
  • Real-time scans: Yes

Category name in the API: COMPUTE_SERIAL_PORTS_ENABLED

Finding description: Serial ports are enabled for an instance, allowing connections to the instance's serial console.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.4
  • CIS GCP Foundation 1.1: 4.5
  • CIS GCP Foundation 1.2: 4.5
  • CIS GCP Foundation 1.3: 4.5
  • CIS GCP Foundation 2.0: 4.5
  • CIS GCP Foundation 3.0: 4.5
  • NIST 800-53 R5: CM-6, CM-7
  • PCI-DSS v4.0: 1.2.5, 2.2.4, 6.4.1
  • ISO-27001 v2022: A.8.9
  • SOC2 v2017: CC6.6.1, CC6.6.3, CC6.6.4
  • CIS Controls 8.0: 4.8

Checks the metadata.items[] object in instance metadata for the key-value pair "key": "serial-port-enable", "value": TRUE.

  • Assets excluded from scans: GKE instances
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Real-time scans: Yes

Category name in the API: DEFAULT_SERVICE_ACCOUNT_USED

Finding description: An instance is configured to use the default service account.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 4.1
  • CIS GCP Foundation 1.2: 4.1
  • CIS GCP Foundation 1.3: 4.1
  • CIS GCP Foundation 2.0: 4.1
  • CIS GCP Foundation 3.0: 4.1
  • NIST 800-53 R5: IA-5
  • PCI-DSS v4.0: 2.2.2, 2.3.1
  • ISO-27001 v2022: A.8.2, A.8.9
  • NIST Cybersecurity Framework 1.0: PR-AC-1
  • SOC2 v2017: CC6.3.1, CC6.3.2, CC6.3.3
  • CIS Controls 8.0: 4.7

Checks the serviceAccounts property in instance metadata for any service account email addresses with the prefix PROJECT_NUMBER[email protected], indicating the Google-created default service account.

  • Assets excluded from scans: GKE instances, Dataflow jobs
  • Real-time scans: Yes

Category name in the API: DISK_CMEK_DISABLED

Finding description: Disks on this VM are not encrypted with customer- managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see