Security Health Analytics and Web Security Scanner detectors generate vulnerability findings that are available in Security Command Center. When they are enabled in Security Command Center, integrated services, like VM Manager, also generate vulnerability findings.
Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.
Detectors and compliance
Security Command Center monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.
For each supported security standard, Security Command Center checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.
CIS reviews and certifies the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.
Security Command Center adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.
With the security posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.
With Compliance Manager (Preview), you can deploy frameworks that map regulatory controls to cloud controls. After you create a framework, you can monitor for any changes to the environment that might affect your business's compliance and audit your environment.
For more information about managing compliance, see Assess and report compliance with security standards.
Supported security standards
Google Cloud
Security Command Center maps detectors for Google Cloud to one or more of the following compliance standards:
- Center for Information Security (CIS) Controls 8.0
- CIS Google Cloud Computing Foundations Benchmark v2.0.0, v1.3.0, v1.2.0, v1.1.0, and v1.0.0
- CIS Kubernetes Benchmark v1.5.1
- Cloud Controls Matrix (CCM) 4
- Health Insurance Portability and Accountability Act (HIPAA)
- International Organization for Standardization (ISO) 27001, 2022 and 2013
- National Institute of Standards and Technology (NIST) 800-53 R5 and R4
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 1.0
- Open Web Application Security Project (OWASP) Top Ten, 2021 and 2017
- Payment Card Industry Data Security Standard (PCI DSS) 4.0 and 3.2.1
- System and Organization Controls (SOC) 2 2017 Trust Services Criteria (TSC)
AWS
Security Command Center maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards:
- CIS Amazon Web Services Foundations 2.0.0
- CIS Critical Security Controls Version 8.0
- Cloud Controls Matrix (CCM) 4
- Health Insurance Portability and Accountability Act (HIPAA)
- International Organization for Standardization (ISO) 27001, 2022
- National Institute of Standards and Technology (NIST) 800-53 R5
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 1.0
- Payment Card Industry Data Security Standard (PCI DSS) 4.0 and 3.2.1
- System and Organization Controls (SOC) 2 2017 Trusted Services Criteria (TSC)
For instructions on viewing and exporting compliance reports, see Assess and report compliance with security standards.
Finding deactivation after remediation
After you remediate a vulnerability or misconfiguration finding, the
Security Command Center service that detected the finding automatically sets the
state of the finding to INACTIVE the next time the detection service scans for
the finding. How long Security Command Center takes to set a remediated finding to
INACTIVE depends on the schedule of the scan that detects the finding.
The Security Command Center services also set the state of a vulnerability or
misconfiguration finding to INACTIVE when a scan detects that the resource
that is affected by the finding is deleted.
For more information about scan intervals, see the following topics:
Security Health Analytics findings
Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.
For more information about Security Health Analytics, scan schedules, and the Security Health Analytics support for both built-in and custom module detectors, see Overview of Security Health Analytics.
The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by various attributes on the following Google Cloud console pages:
- Vulnerabilities page
- Risk Overview page > Vulnerabilities dashboard
For instructions on fixing findings and protecting your resources, see Remediating Security Health Analytics findings.
API key vulnerability findings
The API_KEY_SCANNER detector identifies vulnerabilities related to
API keys used in your cloud deployment.
| Detector | Summary | Asset scan settings |
|---|---|---|
|
Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application. Pricing tier: Premium
Supported assets Compliance standards:
|
Retrieves the
|
|
Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app. Pricing tier: Premium
Supported assets Compliance standards:
|
Retrieves the
|
|
Finding description: A project is using API keys instead of standard authentication. Pricing tier: Premium
Supported assets Compliance standards:
|
Retrieves all API keys owned by a project.
|
|
Finding description: The API key hasn't been rotated for more than 90 days. Pricing tier: Premium
Supported assets Compliance standards:
|
Retrieves the timestamp contained in the
|
Cloud Asset Inventory vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Asset Inventory
configurations and belong to the CLOUD_ASSET_SCANNER type.
| Detector | Summary | Asset scan settings |
|---|---|---|
|
Finding description: The capturing of Google Cloud resources and IAM policies by Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing. We recommend that Cloud Asset Inventory service be enabled for all projects. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards:
|
Checks if the Cloud Asset Inventory service is enabled.
|
Storage vulnerability findings
Vulnerabilities of this detector type all relate to Cloud Storage Buckets
configurations, and belong to theSTORAGE_SCANNERtype.
| Detector | Summary | Asset scan settings |
|---|---|---|
|
Finding description: A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. Pricing tier: Premium
Supported assets Compliance standards: This finding category is not mapped to any compliance standard controls. |
Checks the
|
|
Finding description: Uniform bucket-level access, previously called Bucket Policy Only, isn't configured. Pricing tier: Premium
Supported assets
|