Vulnerability findings

Security Health Analytics and Web Security Scanner detectors generate vulnerability findings that are available in Security Command Center. When they are enabled in Security Command Center, integrated services, like VM Manager, also generate vulnerability findings.

Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.

Detectors and compliance

Security Command Center monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.

For each supported security standard, Security Command Center checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.

CIS reviews and certifies the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Command Center adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.

With the security posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.

With Compliance Manager (Preview), you can deploy frameworks that map regulatory controls to cloud controls. After you create a framework, you can monitor for any changes to the environment that might affect your business's compliance and audit your environment.

For more information about managing compliance, see Assess and report compliance with security standards.

Supported security standards

Google Cloud

Security Command Center maps detectors for Google Cloud to one or more of the following compliance standards:

AWS

Security Command Center maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards:

For instructions on viewing and exporting compliance reports, see Assess and report compliance with security standards.

Finding deactivation after remediation

After you remediate a vulnerability or misconfiguration finding, the Security Command Center service that detected the finding automatically sets the state of the finding to INACTIVE the next time the detection service scans for the finding. How long Security Command Center takes to set a remediated finding to INACTIVE depends on the schedule of the scan that detects the finding.

The Security Command Center services also set the state of a vulnerability or misconfiguration finding to INACTIVE when a scan detects that the resource that is affected by the finding is deleted.

For more information about scan intervals, see the following topics:

Security Health Analytics findings

Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.

For more information about Security Health Analytics, scan schedules, and the Security Health Analytics support for both built-in and custom module detectors, see Overview of Security Health Analytics.

The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by various attributes on the following Google Cloud console pages:

  • Vulnerabilities page
  • Risk Overview page > Vulnerabilities dashboard

For instructions on fixing findings and protecting your resources, see Remediating Security Health Analytics findings.

API key vulnerability findings

The API_KEY_SCANNER detector identifies vulnerabilities related to API keys used in your cloud deployment.

Detector Summary Asset scan settings

Category name in the API: API_KEY_APIS_UNRESTRICTED

Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.12
  • CIS GCP Foundation 1.1: 1.14
  • CIS GCP Foundation 1.2: 1.14
  • CIS GCP Foundation 1.3: 1.14
  • CIS GCP Foundation 2.0: 1.14
  • CIS GCP Foundation 3.0: 1.14
  • NIST 800-53 R5: PL-8, SA-8
  • PCI-DSS v4.0: 2.2.2, 6.2.1
  • ISO-27001 v2022: A.8.27
  • Cloud Controls Matrix 4: DSP-07
  • NIST Cybersecurity Framework 1.0: PR-IP-2
  • CIS Controls 8.0: 16.10

Retrieves the restrictions property of all API keys in a project, checking if any is set to cloudapis.googleapis.com.

  • Real-time scans: No

Category name in the API: API_KEY_APPS_UNRESTRICTED

Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.11
  • CIS GCP Foundation 1.1: 1.13
  • CIS GCP Foundation 1.2: 1.13
  • CIS GCP Foundation 1.3: 1.13
  • CIS GCP Foundation 2.0: 1.13
  • CIS GCP Foundation 3.0: 1.13

Retrieves the restrictions property of all API keys in a project, checking whether browserKeyRestrictions, serverKeyRestrictions, androidKeyRestrictions, or iosKeyRestrictions is set.

  • Real-time scans: No

Category name in the API: API_KEY_EXISTS

Finding description: A project is using API keys instead of standard authentication.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.10
  • CIS GCP Foundation 1.1: 1.12
  • CIS GCP Foundation 1.2: 1.12
  • CIS GCP Foundation 1.3: 1.12
  • CIS GCP Foundation 2.0: 1.12
  • CIS GCP Foundation 3.0: 1.12
  • NIST 800-53 R5: PL-8, SA-8
  • PCI-DSS v4.0: 2.2.2, 6.2.1
  • ISO-27001 v2022: A.8.27
  • Cloud Controls Matrix 4: DSP-07
  • NIST Cybersecurity Framework 1.0: PR-IP-2
  • CIS Controls 8.0: 16.10

Retrieves all API keys owned by a project.

  • Real-time scans: No

Category name in the API: API_KEY_NOT_ROTATED

Finding description: The API key hasn't been rotated for more than 90 days.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.13
  • CIS GCP Foundation 1.1: 1.15
  • CIS GCP Foundation 1.2: 1.15
  • CIS GCP Foundation 1.3: 1.15
  • CIS GCP Foundation 2.0: 1.15
  • CIS GCP Foundation 3.0: 1.15
  • NIST 800-53 R5: PL-8, SA-8
  • PCI-DSS v4.0: 2.2.2, 6.2.1
  • ISO-27001 v2022: A.8.27
  • Cloud Controls Matrix 4: DSP-07
  • NIST Cybersecurity Framework 1.0: PR-IP-2
  • CIS Controls 8.0: 16.10

Retrieves the timestamp contained in the createTime property of all API keys, checking whether 90 days have passed.

  • Real-time scans: No

Cloud Asset Inventory vulnerability findings

Vulnerabilities of this detector type all relate to Cloud Asset Inventory configurations and belong to the CLOUD_ASSET_SCANNER type.

Detector Summary Asset scan settings

Category name in the API: CLOUD_ASSET_API_DISABLED

Finding description: The capturing of Google Cloud resources and IAM policies by Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing. We recommend that Cloud Asset Inventory service be enabled for all projects. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
pubsub.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.3: 2.13
  • CIS GCP Foundation 2.0: 2.13
  • CIS GCP Foundation 3.0: 2.13
  • NIST 800-53 R5: CM-8, PM-5
  • PCI-DSS v4.0: 11.2.1, 11.2.2, 12.5.1, 9.5.1, 9.5.1.1
  • ISO-27001 v2022: A.5.9, A.8.8
  • Cloud Controls Matrix 4: UEM-04
  • NIST Cybersecurity Framework 1.0: ID-AM-1, PR-DS-3
  • SOC2 v2017: CC3.2.6, CC6.1.1
  • HIPAA: 164.310(d)(2)(iii)
  • CIS Controls 8.0: 1.1, 6.6

Checks if the Cloud Asset Inventory service is enabled.

  • Real-time scans: Yes

Storage vulnerability findings

Vulnerabilities of this detector type all relate to Cloud Storage Buckets configurations, and belong to theSTORAGE_SCANNERtype.

Detector Summary Asset scan settings

Category name in the API: BUCKET_CMEK_DISABLED

Finding description: A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the encryption field in bucket metadata for the resource name of your CMEK.

  • Real-time scans: Yes

Category name in the API: BUCKET_POLICY_ONLY_DISABLED

Finding description: Uniform bucket-level access, previously called Bucket Policy Only, isn't configured.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 5.2
  • CIS GCP Foundation 1.3: 5.2
  • CIS GCP Foundation 2.0: 5.2
  • CIS GCP Foundation 3.0: 5.2
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks whether the uniformBucketLevelAccess property on a bucket is set to "enabled":false

  • Real-time scans: Yes

Category name in the API: PUBLIC_BUCKET_ACL

Finding description: A Cloud Storage bucket is publicly accessible.

Pricing tier: Premium or Standard

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 5.1
  • CIS GCP Foundation 1.1: 5.1
  • CIS GCP Foundation 1.2: 5.1
  • CIS GCP Foundation 1.3: 5.1
  • CIS GCP Foundation 2.0: 5.1
  • CIS GCP Foundation 3.0: 5.1
  • NIST 800-53 R4: AC-2
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 7.1
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.14.1.3, A.8.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the IAM allow policy of a bucket for public roles, allUsers or allAuthenticatedUsers.

  • Real-time scans: Yes

Category name in the API: PUBLIC_LOG_BUCKET

Finding description: A storage bucket used as a log sink is publicly accessible.

This finding isn't available for project-level activations.

Pricing tier: Premium or Standard

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • NIST 800-53 R4: AU-9
  • PCI-DSS v3.2.1: 10.5
  • ISO-27001 v2013: A.12.4.2, A.18.1.3, A.8.2.3

Checks the IAM allow policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Real-time scans: Yes, but only if IAM policy on bucket changes, not if log sink is changed

Compute image vulnerability findings

The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to Google Cloud image configurations.

Detector Summary Asset scan settings

Category name in the API: PUBLIC_COMPUTE_IMAGE

Finding description: A Compute Engine image is publicly accessible.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Image

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the IAM allow policy in resource metadata for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Real-time scans: Yes

Compute instance vulnerability findings

The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to Compute Engine instance configurations.

COMPUTE_INSTANCE_SCANNER detectors don't report findings on Compute Engine instances created by GKE. Such instances have names that start with "gke-", which users cannot edit. To secure these instances, refer to the Container vulnerability findings section.

Detector Summary Asset scan settings

Category name in the API: CONFIDENTIAL_COMPUTING_DISABLED

Finding description: Confidential Computing is disabled on a Compute Engine instance.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 4.11
  • CIS GCP Foundation 1.3: 4.11
  • CIS GCP Foundation 2.0: 4.11
  • CIS GCP Foundation 3.0: 4.11
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks the confidentialInstanceConfig property of instance metadata for the key-value pair "enableConfidentialCompute":true.

  • Assets excluded from scans:
    • GKE instances
    • Serverless VPC Access
    • Instances related to Dataflow jobs
    • Compute Engine instances that are not of type N2D
  • Real-time scans: Yes

Category name in the API: COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED

Finding description: Project-wide SSH keys are used, allowing login to all instances in the project.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.2
  • CIS GCP Foundation 1.1: 4.3
  • CIS GCP Foundation 1.2: 4.3
  • CIS GCP Foundation 1.3: 4.3
  • CIS GCP Foundation 2.0: 4.3
  • CIS GCP Foundation 3.0: 4.3
  • NIST 800-53 R5: AC-17, IA-5, SC-8
  • PCI-DSS v4.0: 2.2.7, 4.1.1, 4.2.1, 4.2.1.2, 4.2.2, 8.3.2
  • ISO-27001 v2022: A.5.14
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-2
  • SOC2 v2017: CC6.1.11, CC6.1.3, CC6.1.8, CC6.7.2
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.10, 5.2

Checks the metadata.items[] object in instance metadata for the key-value pair "key": "block-project-ssh-keys", "value": TRUE.

  • Assets excluded from scans: GKE instances, Dataflow job, Windows instance
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Real-time scans: No

Category name in the API: COMPUTE_SECURE_BOOT_DISABLED

Finding description: This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the shieldedInstanceConfig property on Compute Engine instances to determine if enableSecureBoot is set to true. This detector checks whether attached disks are compatible with Secure Boot and Secure Boot is enabled.

  • Assets excluded from scans: GKE instances, Compute Engine disks that have GPU accelerators and don't use Container-Optimized OS, Serverless VPC Access
  • Real-time scans: Yes

Category name in the API: COMPUTE_SERIAL_PORTS_ENABLED

Finding description: Serial ports are enabled for an instance, allowing connections to the instance's serial console.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.4
  • CIS GCP Foundation 1.1: 4.5
  • CIS GCP Foundation 1.2: 4.5
  • CIS GCP Foundation 1.3: 4.5
  • CIS GCP Foundation 2.0: 4.5
  • CIS GCP Foundation 3.0: 4.5
  • NIST 800-53 R5: CM-6, CM-7
  • PCI-DSS v4.0: 1.2.5, 2.2.4, 6.4.1
  • ISO-27001 v2022: A.8.9
  • SOC2 v2017: CC6.6.1, CC6.6.3, CC6.6.4
  • CIS Controls 8.0: 4.8

Checks the metadata.items[] object in instance metadata for the key-value pair "key": "serial-port-enable", "value": TRUE.

  • Assets excluded from scans: GKE instances
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Real-time scans: Yes

Category name in the API: DEFAULT_SERVICE_ACCOUNT_USED

Finding description: An instance is configured to use the default service account.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 4.1
  • CIS GCP Foundation 1.2: 4.1
  • CIS GCP Foundation 1.3: 4.1
  • CIS GCP Foundation 2.0: 4.1
  • CIS GCP Foundation 3.0: 4.1
  • NIST 800-53 R5: IA-5
  • PCI-DSS v4.0: 2.2.2, 2.3.1
  • ISO-27001 v2022: A.8.2, A.8.9
  • NIST Cybersecurity Framework 1.0: PR-AC-1
  • SOC2 v2017: CC6.3.1, CC6.3.2, CC6.3.3
  • CIS Controls 8.0: 4.7

Checks the serviceAccounts property in instance metadata for any service account email addresses with the prefix PROJECT_NUMBER[email protected], indicating the Google-created default service account.

  • Assets excluded from scans: GKE instances, Dataflow jobs
  • Real-time scans: Yes

Category name in the API: DISK_CMEK_DISABLED

Finding description: Disks on this VM are not encrypted with customer- managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Disk

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the kmsKeyName field in the diskEncryptionKey object, in disk metadata, for the resource name of your CMEK.

  • Assets excluded from scans: Disks related to Cloud Composer environments, Dataflow jobs, and GKE instances
  • Real-time scans: Yes

Category name in the API: DISK_CSEK_DISABLED

Finding description: Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Disk

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.6
  • CIS GCP Foundation 1.1: 4.7
  • CIS GCP Foundation 1.2: 4.7
  • CIS GCP Foundation 1.3: 4.7
  • CIS GCP Foundation 2.0: 4.7
  • CIS GCP Foundation 3.0: 4.7
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks the sha256 field in the diskEncryptionKey object for the resource name of your CSEK.

  • Assets excluded from scans:
    Compute Engine disks without the enforce_customer_supplied_disk_encryption_keys security mark set to true
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Real-time scans: Yes

Category name in the API: FULL_API_ACCESS

Finding description: An instance is configured to use the default service account with full access to all Google Cloud APIs.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.1
  • CIS GCP Foundation 1.1: 4.2
  • CIS GCP Foundation 1.2: 4.2
  • CIS GCP Foundation 1.3: 4.2
  • CIS GCP Foundation 2.0: 4.2
  • CIS GCP Foundation 3.0: 4.2
  • NIST 800-53 R4: AC-6
  • NIST 800-53 R5: IA-5
  • PCI-DSS v3.2.1: 7.1.2
  • PCI-DSS v4.0: 2.2.2, 2.3.1
  • ISO-27001 v2013: A.9.2.3
  • ISO-27001 v2022: A.8.2, A.8.9
  • NIST Cybersecurity Framework 1.0: PR-AC-1
  • SOC2 v2017: CC6.3.1, CC6.3.2, CC6.3.3
  • CIS Controls 8.0: 4.7

Retrieves the scopes field in the serviceAccounts property to check whether a default service account is used and if it is assigned the cloud-platform scope.

  • Assets excluded from scans: GKE instances, Dataflow jobs
  • Real-time scans: Yes

Category name in the API: HTTP_LOAD_BALANCER

Finding description: An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/TargetHttpProxy

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 2.3

Determines if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.

  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads forwarding rules for a target HTTP proxy from Compute Engine, checking for external rules
  • Real-time scans: Yes

Category name in the API: INSTANCE_OS_LOGIN_DISABLED

Finding description: OS Login is disabled on this instance.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.3
  • CIS GCP Foundation 1.1: 4.4
  • CIS GCP Foundation 1.2: 4.4
  • CIS GCP Foundation 1.3: 4.4
  • CIS GCP Foundation 2.0: 4.4
  • NIST 800-53 R5: AC-2
  • ISO-27001 v2022: A.5.15
  • SOC2 v2017: CC6.1.4, CC6.1.6, CC6.1.8, CC6.1.9
  • CIS Controls 8.0: 5.6, 6.7

Checks whether the enable-oslogin property from the Custom metadata of the instance is set to TRUE.

  • Assets excluded from scans: GKE instances, instances related to Dataflow jobs, Serverless VPC Access
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine.
  • Real-time scans: No

Category name in the API: IP_FORWARDING_ENABLED

Finding description: IP forwarding is enabled on instances.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.5
  • CIS GCP Foundation 1.1: 4.6
  • CIS GCP Foundation 1.2: 4.6
  • CIS GCP Foundation 1.3: 4.6
  • CIS GCP Foundation 2.0: 4.6
  • CIS GCP Foundation 3.0: 4.6
  • NIST 800-53 R5: CA-9, SC-7
  • PCI-DSS v4.0: 1.2.1, 1.4.1
  • SOC2 v2017: CC6.6.1, CC6.6.4
  • CIS Controls 8.0: 4.4, 4.5

Checks whether the canIpForward property of the instance is set to true.

  • Assets excluded from scans: GKE instances, Serverless VPC Access
  • Real-time scans: Yes

Category name in the API: OS_LOGIN_DISABLED

Finding description: OS Login is disabled on this project.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.3
  • CIS GCP Foundation 1.1: 4.4
  • CIS GCP Foundation 1.2: 4.4
  • CIS GCP Foundation 1.3: 4.4
  • CIS GCP Foundation 2.0: 4.4
  • NIST 800-53 R5: AC-2
  • ISO-27001 v2022: A.5.15
  • SOC2 v2017: CC6.1.4, CC6.1.6, CC6.1.8, CC6.1.9
  • CIS Controls 8.0: 5.6, 6.7

Checks the commonInstanceMetadata.items[] object in project metadata for the key-value pair, "key": "enable-oslogin", "value": TRUE. The detector also checks all instances in a Compute Engine project to determine whether OS Login is disabled for individual instances.

  • Assets excluded from scans: GKE instances, instances related to Dataflow jobs
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine. The detector also examines Compute Engine instances in the project
  • Real-time scans: No

Category name in the API: PUBLIC_IP_ADDRESS

Finding description: An instance has a public IP address.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 4.9
  • CIS GCP Foundation 1.2: 4.9
  • CIS GCP Foundation 1.3: 4.9
  • CIS GCP Foundation 2.0: 4.9
  • CIS GCP Foundation 3.0: 4.9
  • NIST 800-53 R4: CA-3, SC-7
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 1.2.1
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks whether the networkInterfaces property contains an accessConfigs field, indicating it is configured to use a public IP address.

  • Assets excluded from scans: GKE instances, instances related to Dataflow jobs
  • Real-time scans: Yes

Category name in the API: SHIELDED_VM_DISABLED

Finding description: Shielded VM is disabled on this instance.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 4.8
  • CIS GCP Foundation 1.2: 4.8
  • CIS GCP Foundation 1.3: 4.8
  • CIS GCP Foundation 2.0: 4.8
  • CIS GCP Foundation 3.0: 4.8

Checks the shieldedInstanceConfig property in Compute Engine instances to determine if the enableIntegrityMonitoring and enableVtpm fields are set to true. The fields indicate whether Shielded VM is turned on.

  • Assets excluded from scans: GKE instances and Serverless VPC Access
  • Real-time scans: Yes

Category name in the API: WEAK_SSL_POLICY

Finding description: An instance has a weak SSL policy.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetSslProxy

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 3.9
  • CIS GCP Foundation 1.2: 3.9
  • CIS GCP Foundation 1.3: 3.9
  • CIS GCP Foundation 2.0: 3.9
  • CIS GCP Foundation 3.0: 3.9
  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 4.1
  • ISO-27001 v2013: A.14.1.3

Checks whether sslPolicy in asset metadata is empty or is using the Google Cloud default policy and, for the attached sslPolicies resource, whether profile is set to Restricted or Modern, minTlsVersion is set to TLS 1.2, and customFeatures is empty or does not contain the following ciphers: TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA.

  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads SSL policies for target proxies storage, checking for weak policies
  • Real-time scans: Yes, but only when the TargetHttpsProxy of the TargetSslProxy is updated, not when the SSL policy gets updated

Container vulnerability findings

These finding types all relate to GKE container configurations, and belong to the CONTAINER_SCANNER detector type.

Detector Summary Asset scan settings

Category name in the API: ALPHA_CLUSTER_ENABLED

Finding description: Alpha cluster features are enabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.10.2

Checks whether the enableKubernetesAlpha property of a cluster is set to true.

  • Real-time scans: Yes

Category name in the API: AUTO_REPAIR_DISABLED

Finding description: A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.7
  • CIS GKE 1.0: 6.5.2
  • PCI-DSS v3.2.1: 2.2

Checks the management property of a node pool for the key-value pair, "key": "autoRepair", "value": true.

  • Real-time scans: Yes

Category name in the API: AUTO_UPGRADE_DISABLED

Finding description: A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.8
  • CIS GKE 1.0: 6.5.3
  • PCI-DSS v3.2.1: 2.2

Checks the management property of a node pool for the key-value pair, "key": "autoUpgrade", "value": true.

  • Real-time scans: Yes

Category name in the API: BINARY_AUTHORIZATION_DISABLED

Finding description: Binary Authorization is either disabled on the GKE cluster or the Binary Authorization policy is configured to allow all images to be deployed.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the following:

  • Checks whether the binaryAuthorization property has one of the following key-value pairs:
    • "evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"
    • "evaluationMode": "POLICY_BINDINGS"
    • "evaluationMode": "POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE"
  • Checks whether the defaultAdmissionRule policy property does not contain the key-value pair evaluationMode: ALWAYS_ALLOW.

  • Real-time scans: Yes

Category name in the API: CLUSTER_LOGGING_DISABLED

Finding description: Logging isn't enabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.1
  • CIS GKE 1.0: 6.7.1
  • PCI-DSS v3.2.1: 10.2.2, 10.2.7

Checks whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.

  • Real-time scans: Yes

Category name in the API: CLUSTER_MONITORING_DISABLED

Finding description: Monitoring is disabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.2
  • CIS GKE 1.0: 6.7.1
  • PCI-DSS v3.2.1: 10.1, 10.2

Checks whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.

  • Real-time scans: Yes

Category name in the API: CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED

Finding description: Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.16
  • PCI-DSS v3.2.1: 1.3

Checks whether the privateIpGoogleAccess property of a subnetwork is set to false.

  • Additional inputs: Reads subnetworks from storage, filing findings only for clusters with subnetworks
  • Real-time scans: Yes, but only if cluster is updated, not for subnetwork updates

Category name in the API: CLUSTER_SECRETS_ENCRYPTION_DISABLED

Finding description: Application-layer secrets encryption is disabled on a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.3.1

Checks the keyName property of the databaseEncryption object for the key-value pair "state": ENCRYPTED.

  • Real-time scans: Yes

Category name in the API: CLUSTER_SHIELDED_NODES_DISABLED

Finding description: Shielded GKE nodes are not enabled for a cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.5.5

Checks the shieldedNodes property for the key-value pair "enabled": true.

  • Real-time scans: Yes

Category name in the API: COS_NOT_USED

Finding description: Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.9
  • CIS GKE 1.0: 6.5.1
  • PCI-DSS v3.2.1: 2.2

Checks the config property of a node pool for the key-value pair, "imageType": "COS".

  • Real-time scans: Yes

Category name in the API: INTEGRITY_MONITORING_DISABLED

Finding description: Integrity monitoring is disabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.5.6

Checks the shieldedInstanceConfig property of the nodeConfig object for the key-value pair "enableIntegrityMonitoring": true.

  • Real-time scans: Yes

Category name in the API: INTRANODE_VISIBILITY_DISABLED

Finding description: Intranode visibility is disabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.6.1

Checks the networkConfig property for the key-value pair "enableIntraNodeVisibility": true.

  • Real-time scans: Yes

Category name in the API: IP_ALIAS_DISABLED

Finding description: A GKE cluster was created with alias IP ranges disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.13
  • CIS GKE 1.0: 6.6.2
  • PCI-DSS v3.2.1: 1.3.4, 1.3.7

Checks whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.

  • Real-time scans: Yes

Category name in the API: LEGACY_AUTHORIZATION_ENABLED

Finding description: Legacy Authorization is enabled on GKE clusters.

Pricing tier: Premium or Standard

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.3
  • CIS GKE 1.0: 6.8.3
  • PCI-DSS v3.2.1: 4.1

Checks the legacyAbac property of a cluster for the key-value pair, "enabled": true.

  • Real-time scans: Yes

Category name in the API: LEGACY_METADATA_ENABLED

Finding description: Legacy metadata is enabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.4.1

Checks the config property of a node pool for the key-value pair, "disable-legacy-endpoints": "false".

  • Real-time scans: Yes

Category name in the API: MASTER_AUTHORIZED_NETWORKS_DISABLED

Finding description: Control Plane Authorized Networks is not enabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.4
  • CIS GKE 1.0: 6.6.3
  • PCI-DSS v3.2.1: 1.2.1, 1.3.2

Checks the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, "enabled": false.

  • Real-time scans: Yes

Category name in the API: NETWORK_POLICY_DISABLED

Finding description: Network policy is disabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.11
  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.3
  • ISO-27001 v2013: A.13.1.1

Checks the networkPolicy field of the addonsConfig property for the key-value pair, "disabled": true.

  • Real-time scans: Yes

Category name in the API: NODEPOOL_BOOT_CMEK_DISABLED

Finding description: Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the bootDiskKmsKey property of node pools for the resource name of your CMEK.

  • Real-time scans: Yes

Category name in the API: NODEPOOL_SECURE_BOOT_DISABLED

Finding description: Secure Boot is disabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.5.7

Checks the shieldedInstanceConfig property of the nodeConfig object for the key-value pair "enableSecureBoot": true.

  • Real-time scans: Yes

Category name in the API: OVER_PRIVILEGED_ACCOUNT

Finding description: A service account has overly broad project access in a cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.17
  • NIST 800-53 R4: AC-6, SC-7
  • CIS GKE 1.0: 6.2.1
  • PCI-DSS v3.2.1: 2.1, 7.1.2
  • ISO-27001 v2013: A.9.2.3

Evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.

  • Real-time scans: Yes

Category name in the API: OVER_PRIVILEGED_SCOPES

Finding description: A node service account has broad access scopes.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.18
  • CIS GKE 1.0: 6.2.1
 Checks whether the access scope listed in the config.oauthScopes property of a node pool is a limited service account access scope: https://www.googleapis.com/auth/devstorage.read_only, https://www.googleapis.com/auth/logging.write, or https://www.googleapis.com/auth/monitoring.
  • Real-time scans: Yes

Category name in the API: POD_SECURITY_POLICY_DISABLED

Finding description: PodSecurityPolicy is disabled on a GKE cluster.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.14
  • CIS GKE 1.0: 6.10.3

Checks the podSecurityPolicyConfig property of a cluster for the key-value pair, "enabled": false.

  • Additional IAM permissions: roles/container.clusterViewer
  • Additional inputs: Reads cluster information from GKE, because pod security policies are a Beta feature. Kubernetes has officially deprecated PodSecurityPolicy in version 1.21. PodSecurityPolicy will be shut down in version 1.25. For information about alternatives, refer to PodSecurityPolicy deprecation.
  • Real-time scans: No

Category name in the API: PRIVATE_CLUSTER_DISABLED

Finding description: A GKE cluster has a Private cluster disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.15
  • CIS GKE 1.0: 6.6.5
  • PCI-DSS v3.2.1: 1.3.2

Checks whether the enablePrivateNodes field of the privateClusterConfig property is set to false.

  • Real-time scans: Yes

Category name in the API: RELEASE_CHANNEL_DISABLED

Finding description: A GKE cluster is not subscribed to a release channel.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.5.4

Checks the releaseChannel property for the key-value pair "channel": UNSPECIFIED.

  • Real-time scans: Yes

Category name in the API: WEB_UI_ENABLED

Finding description: The GKE web UI (dashboard) is enabled.

Pricing tier: Premium or Standard

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.6
  • CIS GKE 1.0: 6.10.1
  • PCI-DSS v3.2.1: 6.6

Checks the kubernetesDashboard field of the addonsConfig property for the key-value pair, "disabled": false.

  • Real-time scans: Yes

Category name in the API: WORKLOAD_IDENTITY_DISABLED

Finding description: Workload Identity is disabled on a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.2.2

Checks whether the workloadIdentityConfig property of a cluster is set. The detector also checks whether the workloadMetadataConfig property of a node pool is set to GKE_METADATA.

  • Additional IAM permissions: roles/container.clusterViewer
  • Real-time scans: Yes

Dataproc vulnerability findings

Vulnerabilities of this detector type all relate to Dataproc and belong to the DATAPROC_SCANNER detector type.

Detector Summary Asset scan settings

Category name in the API: DATAPROC_CMEK_DISABLED

Finding description: A Dataproc cluster was created without an encryption configuration CMEK. With CMEK, keys that you create and manage in Cloud Key Management Service wrap the keys that Google Cloud uses to encrypt your data, giving you more control over access to your data. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
dataproc.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.3: 1.17
  • CIS GCP Foundation 2.0: 1.17
  • CIS GCP Foundation 3.0: 8.1
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks whether the kmsKeyName field in the encryptionConfiguration property is empty.

  • Real-time scans: Yes

Category name in the API: DATAPROC_IMAGE_OUTDATED

Finding description: A Dataproc cluster was created with a Dataproc image version that is impacted by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046).

Pricing tier: Premium or Standard

Supported assets
dataproc.googleapis.com/Cluster

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks whether the softwareConfig.imageVersion field in the config property of a Cluster is earlier than 1.3.95 or is a subminor image version earlier than 1.4.77, 1.5.53, or 2.0.27.

  • Real-time scans: Yes

Dataset vulnerability findings

Vulnerabilities of this detector type all relate to BigQuery Dataset configurations, and belong to the DATASET_SCANNER detector type.

Detector Summary Asset scan settings

Category name in the API: BIGQUERY_TABLE_CMEK_DISABLED

Finding description: A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
bigquery.googleapis.com/Table

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 7.2
  • CIS GCP Foundation 1.3: 7.2
  • CIS GCP Foundation 2.0: 7.2
  • CIS GCP Foundation 3.0: 7.2
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks whether the kmsKeyName field in the encryptionConfiguration property is empty.

  • Real-time scans: Yes

Category name in the API: DATASET_CMEK_DISABLED

Finding description: A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
bigquery.googleapis.com/Dataset

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 7.3
  • CIS GCP Foundation 1.3: 7.3
  • CIS GCP Foundation 2.0: 7.3
  • CIS GCP Foundation 3.0: 7.3
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks whether the kmsKeyName field in the defaultEncryptionConfiguration property is empty.

  • Real-time scans: No

Category name in the API: PUBLIC_DATASET

Finding description: A dataset is configured to be open to public access.

Pricing tier: Premium or Standard

Supported assets
bigquery.googleapis.com/Dataset

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 7.1
  • CIS GCP Foundation 1.2: 7.1
  • CIS GCP Foundation 1.3: 7.1
  • CIS GCP Foundation 2.0: 7.1
  • CIS GCP Foundation 3.0: 7.1
  • NIST 800-53 R4: AC-2
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 7.1
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.14.1.3, A.8.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the IAM allow policy in resource metadata for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Real-time scans: Yes

DNS vulnerability findings

Vulnerabilities of this detector type all relate to Cloud DNS configurations, and belong to the DNS_SCANNER detector type.

Detector Summary Asset scan settings

Category name in the API: DNSSEC_DISABLED

Finding description: DNSSEC is disabled for Cloud DNS zones.

Pricing tier: Premium

Supported assets
dns.googleapis.com/ManagedZone

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.3
  • CIS GCP Foundation 1.1: 3.3
  • CIS GCP Foundation 1.2: 3.3
  • CIS GCP Foundation 1.3: 3.3
  • CIS GCP Foundation 2.0: 3.3
  • CIS GCP Foundation 3.0: 3.3
  • NIST 800-53 R5: AC-18, CM-2, CM-6, CM-7, CM-9
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.4.2, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2013: A.8.2.3
  • ISO-27001 v2022: A.8.9
  • Cloud Controls Matrix 4: IVS-04
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC5.2.2
  • CIS Controls 8.0: 4.2

Checks whether the state field of the dnssecConfig property is set to off.

  • Assets excluded from scans: Cloud DNS zones that are not public
  • Real-time scans: Yes

Category name in the API: RSASHA1_FOR_SIGNING

Finding description: RSASHA1 is used for key signing in Cloud DNS zones.

Pricing tier: Premium

Supported assets
dns.googleapis.com/ManagedZone

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.4, 3.5
  • CIS GCP Foundation 1.1: 3.4, 3.5
  • CIS GCP Foundation 1.2: 3.4, 3.5
  • CIS GCP Foundation 1.3: 3.4, 3.5
  • CIS GCP Foundation 2.0: 3.4, 3.5
  • CIS GCP Foundation 3.0: 3.4, 3.5
  • NIST 800-53 R5: AC-18, CM-2, CM-6, CM-7, CM-9
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.4.2, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2022: A.8.9
  • Cloud Controls Matrix 4: IVS-04
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC5.2.2
  • CIS Controls 8.0: 4.2

Checks whether the defaultKeySpecs.algorithm object of the dnssecConfig property is set to rsasha1.

  • Real-time scans: Yes

Firewall vulnerability findings

Vulnerabilities of this detector type all relate to firewall configurations, and belong to the FIREWALL_SCANNER detector type.

Detector Summary Asset scan settings

Category name in the API: EGRESS_DENY_RULE_NOT_SET

Finding description: An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 7.2

Checks whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, "IPProtocol": "all".

  • Additional inputs: Reads egress firewalls for a project from storage
  • Real-time scans: Yes, but only on project changes, not firewall rule changes

Category name in the API: FIREWALL_RULE_LOGGING_DISABLED

Finding description: Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SI-4
  • PCI-DSS v3.2.1: 10.1, 10.2
  • ISO-27001 v2013: A.13.1.1

Checks the logConfig property in firewall metadata to see if it's empty or contains the key-value pair "enable": false.

Category name in the API: OPEN_CASSANDRA_PORT

Finding description: A firewall is configured to have an open Cassandra port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.

  • Real-time scans: Yes

Category name in the API: OPEN_CISCOSECURE_WEBSM_PORT

Finding description: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocol and port: TCP:9090.

  • Real-time scans: Yes

Category name in the API: OPEN_DIRECTORY_SERVICES_PORT

Finding description: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.

  • Real-time scans: Yes

Category name in the API: OPEN_DNS_PORT

Finding description: A firewall is configured to have an open DNS port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.

  • Real-time scans: Yes

Category name in the API: OPEN_ELASTICSEARCH_PORT

Finding description: A firewall is configured to have an open ELASTICSEARCH port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.

  • Real-time scans: Yes

Category name in the API: OPEN_FIREWALL

Finding description: A firewall is configured to be open to public access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 1.2.1

Checks the sourceRanges and allowed properties for one of two configurations:

  • The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following:
    • icmp
    • tcp:22
    • tcp:443
    • tcp:3389
    • udp:3389
    • sctp:22
  • The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.

Category name in the API: OPEN_FTP_PORT

Finding description: A firewall is configured to have an open FTP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocol and port: TCP:21.

  • Real-time scans: Yes

Category name in the API: OPEN_HTTP_PORT

Finding description: A firewall is configured to have an open HTTP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:80.

  • Real-time scans: Yes

Category name in the API: OPEN_LDAP_PORT

Finding description: A firewall is configured to have an open LDAP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.

  • Real-time scans: Yes

Category name in the API: OPEN_MEMCACHED_PORT

Finding description: A firewall is configured to have an open MEMCACHED port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.

  • Real-time scans: Yes

Category name in the API: OPEN_MONGODB_PORT

Finding description: A firewall is configured to have an open MONGODB port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.

  • Real-time scans: Yes

Category name in the API: OPEN_MYSQL_PORT

Finding description: A firewall is configured to have an open MYSQL port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocol and port: TCP:3306.

  • Real-time scans: Yes

Category name in the API: OPEN_NETBIOS_PORT

Finding description: A firewall is configured to have an open NETBIOS port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.

  • Real-time scans: Yes

Category name in the API: OPEN_ORACLEDB_PORT

Finding description: A firewall is configured to have an open ORACLEDB port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.

  • Real-time scans: Yes

Category name in the API: OPEN_POP3_PORT

Finding description: A firewall is configured to have an open POP3 port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocol and port: TCP:110.

  • Real-time scans: Yes

Category name in the API: OPEN_POSTGRESQL_PORT

Finding description: A firewall is configured to have an open PostgreSQL port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.

  • Real-time scans: Yes

Category name in the API: OPEN_RDP_PORT

Finding description: A firewall is configured to have an open RDP port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.7
  • CIS GCP Foundation 1.1: 3.7
  • CIS GCP Foundation 1.2: 3.7
  • CIS GCP Foundation 1.3: 3.7
  • CIS GCP Foundation 2.0: 3.7
  • CIS GCP Foundation 3.0: 3.7
  • NIST 800-53 R4: SC-7
  • NIST 800-53 R5: CA-9, SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • PCI-DSS v4.0: 1.2.1, 1.4.1
  • ISO-27001 v2013: A.13.1.1
  • SOC2 v2017: CC6.6.1, CC6.6.4
  • CIS Controls 8.0: 4.4, 4.5

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:3389 and UDP:3389.

  • Real-time scans: Yes

Category name in the API: OPEN_REDIS_PORT

Finding description: A firewall is configured to have an open REDIS port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.

  • Real-time scans: Yes

Category name in the API: OPEN_SMTP_PORT

Finding description: A firewall is configured to have an open SMTP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.

  • Real-time scans: Yes

Category name in the API: OPEN_SSH_PORT

Finding description: A firewall is configured to have an open SSH port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.6
  • CIS GCP Foundation 1.1: 3.6
  • CIS GCP Foundation 1.2: 3.6
  • CIS GCP Foundation 1.3: 3.6
  • CIS GCP Foundation 2.0: 3.6
  • CIS GCP Foundation 3.0: 3.6
  • NIST 800-53 R4: SC-7
  • NIST 800-53 R5: CA-9, SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • PCI-DSS v4.0: 1.2.1, 1.4.1
  • ISO-27001 v2013: A.13.1.1
  • SOC2 v2017: CC6.6.1, CC6.6.4
  • CIS Controls 8.0: 4.4, 4.5

Checks whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.

  • Real-time scans: Yes

Category name in the API: OPEN_TELNET_PORT

Finding description: A firewall is configured to have an open TELNET port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.

  • Real-time scans: Yes

IAM vulnerability findings

Vulnerabilities of this detector type all relate to Identity and Access Management (IAM) configuration, and belong to the IAM_SCANNER detector type.

Detector Summary Asset scan settings

Category name in the API: ACCESS_TRANSPARENCY_DISABLED

Finding description: Google Cloud Access Transparency is disabled for your organization. Access Transparency logs when Google Cloud employees access the projects in your organization to provide support. Enable Access Transparency to log who from Google Cloud is accessing your information, when, and why.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.3: 2.14
  • CIS GCP Foundation 2.0: 2.14
  • CIS GCP Foundation 3.0: 2.14

Checks if your organization has Access Transparency enabled.

  • Real-time scans: No

Category name in the API: ADMIN_SERVICE_ACCOUNT

Finding description: A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.4
  • CIS GCP Foundation 1.1: 1.5
  • CIS GCP Foundation 1.2: 1.5
  • CIS GCP Foundation 1.3: 1.5
  • CIS GCP Foundation 2.0: 1.5
  • CIS GCP Foundation 3.0: 1.5
  • NIST 800-53 R5: AC-6
  • ISO-27001 v2022: A.5.15, A.8.2
  • Cloud Controls Matrix 4: IAM-09
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC6.1.3, CC6.1.4, CC6.1.7, CC6.1.8, CC6.3.1, CC6.3.2, CC6.3.3
  • CIS Controls 8.0: 5.4

Checks the IAM allow policy in resource metadata for any user-created service accounts (indicated by the prefix iam.gserviceaccount.com), that are assigned roles/Owner or roles/Editor, or a role ID that contains admin.

  • Assets excluded from scans: Container Registry service account (containerregistry.iam.gserviceaccount.com) and Security Command Center service account (security-center-api.iam.gserviceaccount.com)
  • Real-time scans: Yes, unless the IAM update is done on a folder

Category name in the API: ESSENTIAL_CONTACTS_NOT_CONFIGURED

Finding description: Your organization has not designated a person or group to receive notifications from Google Cloud about important events such as attacks, vulnerabilities, and data incidents within your Google Cloud organization. We recommend that you designate as an Essential Contact one or more persons or groups in your business organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.3: 1.16
  • CIS GCP Foundation 2.0: 1.16
  • CIS GCP Foundation 3.0: 1.16
  • NIST 800-53 R5: IR-6
  • ISO-27001 v2022: A.5.20, A.5.24, A.5.5, A.5.6
  • Cloud Controls Matrix 4: SEF-08
  • NIST Cybersecurity Framework 1.0: RS-CO-1
  • SOC2 v2017: CC2.3.1
  • CIS Controls 8.0: 17.2

Checks that a contact is specified for the following essential contact categories:

  • Legal
  • Security
  • Suspension
  • Technical

  • Real-time scans: No

Category name in the API: KMS_ROLE_SEPARATION

Finding description: Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter.

This finding isn't available for project-level activations.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.9
  • CIS GCP Foundation 1.1: 1.11
  • CIS GCP Foundation 2.0: 1.11
  • NIST 800-53 R4: AC-5
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.10.1.2, A.9.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3
 Checks IAM allow policies in resource metadata and retrieves principals assigned any of the following roles at the same time: roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, and roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, roles/cloudkms.signerVerifier, roles/cloudkms.publicKeyViewer.
  • Real-time scans: Yes

Category name in the API: NON_ORG_IAM_MEMBER

Finding description: There is a user who isn't using organizational credentials. Per CIS GCP Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.1
  • CIS GCP Foundation 1.1: 1.1
  • CIS GCP Foundation 1.2: 1.1
  • CIS GCP Foundation 1.3: 1.1
  • CIS GCP Foundation 2.0: 1.1
  • CIS GCP Foundation 3.0: 1.1
  • NIST 800-53 R4: AC-3
  • PCI-DSS v3.2.1: 7.1.2
  • ISO-27001 v2013: A.9.2.3

Compares @gmail.com email addresses in the user field in IAM allow policy metadata to a list of approved identities for your organization.

  • Real-time scans: Yes

Category name in the API: OPEN_GROUP_IAM_MEMBER

Finding description: A Google Groups account that can be joined without approval is used as an IAM allow policy principal.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

 Checks the IAM policy in resource metadata for any bindings containing a member (principal) that's prefixed with group. If the group is an open group, Security Health Analytics generates this finding.
  • Additional inputs: Reads Google group metadata to check whether the group identified is an open group.
  • Real-time scans: No

Category name in the API: OVER_PRIVILEGED_SERVICE_ACCOUNT_USER

Finding description: A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.5
  • CIS GCP Foundation 1.1: 1.6
  • CIS GCP Foundation 1.2: 1.6
  • CIS GCP Foundation 1.3: 1.6
  • CIS GCP Foundation 2.0: 1.6
  • CIS GCP Foundation 3.0: 1.6
  • NIST 800-53 R4: AC-6
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 7.1.2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.9.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3
 Checks the IAM allow policy in resource metadata for any principals assigned roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator at the project level.
  • Assets excluded from scans: Cloud Build service accounts
  • Real-time scans: Yes

Category name in the API: PRIMITIVE_ROLES_USED

Finding description: A user has one of the following basic roles:

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)

These roles are too permissive and shouldn't be used.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • NIST 800-53 R4: AC-6
  • PCI-DSS v3.2.1: 7.1.2
  • ISO-27001 v2013: A.9.2.3

Checks the IAM allow policy in resource metadata for any principals that are assigned a roles/owner, roles/editor, or roles/viewer role.

  • Real-time scans: Yes

Category name in the API: REDIS_ROLE_USED_ON_ORG

Finding description: A Redis IAM role is assigned at the organization or folder level.

This finding isn't available for project-level activations.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 7.1.2
  • ISO-27001 v2013: A.9.2.3

Checks the IAM allow policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.

  • Real-time scans: Yes

Category name in the API: SERVICE_ACCOUNT_ROLE_SEPARATION

Finding description: A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle.

This finding isn't available for project-level activations.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.7
  • CIS GCP Foundation 1.1: 1.8
  • CIS GCP Foundation 1.2: 1.8
  • CIS GCP Foundation 1.3: 1.8
  • CIS GCP Foundation 2.0: 1.8
  • CIS GCP Foundation 3.0: 1.8
  • NIST 800-53 R4: AC-5
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.9.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3
 Checks the IAM allow policy in resource metadata for any principals assigned both roles/iam.serviceAccountUser and roles/iam.serviceAccountAdmin.
  • Real-time scans: Yes

Category name in the API: SERVICE_ACCOUNT_KEY_NOT_ROTATED

Finding description: A service account key hasn't been rotated for more than 90 days.

Pricing tier: Premium

Supported assets
iam.googleapis.com/ServiceAccountKey

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.6
  • CIS GCP Foundation 1.1: 1.7
  • CIS GCP Foundation 1.2: 1.7
  • CIS GCP Foundation 1.3: 1.7
  • CIS GCP Foundation 2.0: 1.7
  • CIS GCP Foundation 3.0: 1.7

Evaluates the key creation timestamp captured in the validAfterTime property in service accounts key metadata.

  • Assets excluded from scans: Expired service account keys and keys not managed by users
  • Real-time scans: Yes

Category name in the API: USER_MANAGED_SERVICE_ACCOUNT_KEY

Finding description: A user manages a service account key.

Pricing tier: Premium

Supported assets
iam.googleapis.com/ServiceAccountKey

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.3
  • CIS GCP Foundation 1.1: 1.4
  • CIS GCP Foundation 1.2: 1.4
  • CIS GCP Foundation 1.3: 1.4
  • CIS GCP Foundation 2.0: 1.4
  • CIS GCP Foundation 3.0: 1.4

Checks whether the keyType property in service account key metadata is set to User_Managed.

  • Real-time scans: Yes

KMS vulnerability findings

Vulnerabilities of this detector type all relate to Cloud KMS configurations, and belong to the KMS_SCANNER detector type.

Detector Summary Asset scan settings

Category name in the API: KMS_KEY_NOT_ROTATED

Finding description: Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days.

Pricing tier: Premium

Supported assets
cloudkms.googleapis.com/CryptoKey

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.8
  • CIS GCP Foundation 1.1: 1.10
  • CIS GCP Foundation 1.2: 1.10
  • CIS GCP Foundation 1.3: 1.10
  • CIS GCP Foundation 2.0: 1.10
  • NIST 800-53 R4: SC-12
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v3.2.1: 3.5
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2013: A.10.1.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks resource metadata for the existence of rotationPeriod or nextRotationTime properties.

  • Assets excluded from scans: Asymmetric keys and keys with disabled or destroyed primary versions
  • Real-time scans: Yes

Category name in the API: KMS_PROJECT_HAS_OWNER

Finding description: A user has Owner permissions on a project that has cryptographic keys.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 1.11
  • CIS GCP Foundation 1.2: 1.11
  • CIS GCP Foundation 1.3: 1.11
  • CIS GCP Foundation 2.0: 1.11
  • NIST 800-53 R4: AC-6, SC-12
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 3.5
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.10.1.2, A.9.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the IAM allow policy in project metadata for principals assigned roles/Owner.

  • Additional inputs: Reads cryptokeys for a project from storage, filing findings only for projects with cryptokeys
  • Real-time scans: Yes, but only on changes to IAM allow policy, not on changes to KMS keys

Category name in the API: KMS_PUBLIC_KEY

Finding description: A Cloud KMS cryptographic key is publicly accessible.

Pricing tier: Premium

Supported assets
cloudkms.googleapis.com/CryptoKey
cloudkms.googleapis.com/KeyRing

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 1.9
  • CIS GCP Foundation 1.2: 1.9
  • CIS GCP Foundation 1.3: 1.9
  • CIS GCP Foundation 2.0: 1.9
  • CIS GCP Foundation 3.0: 1.9
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the IAM allow policy in resource metadata for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Real-time scans: Yes

Category name in the API: TOO_MANY_KMS_USERS

Finding description: There are more than three users of cryptographic keys.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudkms.googleapis.com/CryptoKey

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 3.5.2
  • ISO-27001 v2013: A.9.2.3
 Checks IAM allow policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.
  • Additional inputs: Reads cryptokey versions for a cryptokey from storage, filing findings only for keys with active versions. The detector also reads key ring, project, and organization IAM allow policies from storage
  • Real-time scans: Yes

Logging vulnerability findings

Vulnerabilities of this detector type all relate to logging configurations, and belong to the LOGGING_SCANNER detector type.

Detector Summary Asset scan settings

Category name in the API: AUDIT_LOGGING_DISABLED

Finding description: Audit logging has been disabled for this resource.

This finding isn't available for project-level activations.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.1
  • CIS GCP Foundation 1.1: 2.1
  • CIS GCP Foundation 1.2: 2.1
  • CIS GCP Foundation 1.3: 2.1
  • CIS GCP Foundation 2.0: 2.1
  • CIS GCP Foundation 3.0: 2.1
  • NIST 800-53 R4: AC-2, AU-2
  • NIST 800-53 R5: AU-6, AU-7
  • PCI-DSS v3.2.1: 10.1, 10.2
  • PCI-DSS v4.0: 10.4.1, 10.4.1.1, 10.4.2, 10.4.3
  • ISO-27001 v2013: A.12.4.1, A.16.1.7
  • ISO-27001 v2022: A.5.25
  • Cloud Controls Matrix 4: LOG-05
  • NIST Cybersecurity Framework 1.0: DE-AE-2, PR-PT-1, RS-AN-1
  • SOC2 v2017: CC4.1.1, CC4.1.2, CC4.1.3, CC4.1.4, CC4.1.5, CC4.1.6, CC4.1.7, CC4.1.8, CC7.3.1, CC7.3.2, CC7.3.3, CC7.3.4, CC7.3.5
  • HIPAA: 164.308(a)(1)(ii), 164.312(b)
  • CIS Controls 8.0: 8.11, 8.2

Checks the IAM allow policy in resource metadata for the existence of an auditLogConfigs object.

  • Real-time scans: Yes

Category name in the API: BUCKET_LOGGING_DISABLED

Finding description: There is a storage bucket without logging enabled.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 5.3

Checks whether the logBucket field in the bucket's logging property is empty.

  • Real-time scans: Yes

Category name in the API: LOCKED_RETENTION_POLICY_NOT_SET

Finding description: A locked retention policy is not set for logs.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 2.3
  • CIS GCP Foundation 1.2: 2.3
  • CIS GCP Foundation 1.3: 2.3
  • CIS GCP Foundation 2.0: 2.3
  • CIS GCP Foundation 3.0: 2.3
  • NIST 800-53 R4: AU-11
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 10.5
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.12.4.2, A.18.1.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks whether the isLocked field in the bucket's retentionPolicy property is set to true.

  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Real-time scans: Yes

Category name in the API: LOG_NOT_EXPORTED

Finding description: There is a resource that doesn't have an appropriate log sink configured.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.2
  • CIS GCP Foundation 1.1: 2.2
  • CIS GCP Foundation 1.2: 2.2
  • CIS GCP Foundation 1.3: 2.2
  • CIS GCP Foundation 2.0: 2.2
  • CIS GCP Foundation 3.0: 2.2
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2013: A.18.1.3
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.3

Retrieves a logSink object in a project, checking that the includeChildren field is set to true, the destination field includes the location to write logs to, and the filter field is populated.

  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Real-time scans: Yes, but only on project changes, not if log export is set up on folder or organization

Category name in the API: OBJECT_VERSIONING_DISABLED

Finding description: Object versioning isn't enabled on a storage bucket where sinks are configured.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.3
  • NIST 800-53 R4: AU-11
  • PCI-DSS v3.2.1: 10.5
  • ISO-27001 v2013: A.12.4.2, A.18.1.3

Checks whether the enabled field in the bucket's versioning property is set to true.

  • Assets excluded from scans: Cloud Storage buckets with a locked retention policy
  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Real-time scans: Yes, but only if object versioning changes, not if log buckets are created

Monitoring vulnerability findings

Vulnerabilities of this detector type all relate to monitoring configurations, and belong to the MONITORING_SCANNER type. All Monitoring detector finding properties include:

  • The RecommendedLogFilter to use in creating the log metrics.
  • The QualifiedLogMetricNames that cover the conditions listed in the recommended log filter.
  • TheAlertPolicyFailureReasonsthat indicate if the project does not have alert policies created for any of the qualified log metrics or the existing alert policies don't have the recommended settings.
Detector Summary Asset scan settings

Category name in the API: AUDIT_CONFIG_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Audit Configuration changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.5
  • CIS GCP Foundation 1.1: 2.5
  • CIS GCP Foundation 1.2: 2.5
  • CIS GCP Foundation 1.3: 2.5
  • CIS GCP Foundation 2.0: 2.5
  • CIS GCP Foundation 3.0: 2.5
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
 Checks whether the filter property of the project's LogsMetric resource is set to protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*, and if resource.type is specified, that the value is global. The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No

Category name in the API: BUCKET_IAM_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.10
  • CIS GCP Foundation 1.1: 2.10
  • CIS GCP Foundation 1.2: 2.10
  • CIS GCP Foundation 1.3: 2.10
  • CIS GCP Foundation 2.0: 2.10
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
 Checks whether the filter property of the project's LogsMetric resource is set to resource.type=gcs_bucket AND protoPayload.methodName="storage.setIamPermissions". The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No

Category name in the API: CUSTOM_ROLE_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Custom Role changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.6
  • CIS GCP Foundation 1.1: 2.6
  • CIS GCP Foundation 1.2: 2.6
  • CIS GCP Foundation 1.3: 2.6
  • CIS GCP Foundation 2.0: 2.6
  • CIS GCP Foundation 3.0: 2.6
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
 Checks whether the filter property of the project's LogsMetric resource is set to resource.type="iam_role" AND (protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No

Category name in the API: FIREWALL_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Virtual Private Cloud (VPC) Network Firewall rule changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.7
  • CIS GCP Foundation 1.1: 2.7
  • CIS GCP Foundation 1.2: 2.7
  • CIS GCP Foundation 1.3: 2.7
  • CIS GCP Foundation 2.0: 2.7
  • CIS GCP Foundation 3.0: 2.7
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
 Checks whether the filter property of the project's LogsMetric resource is set to resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.delete"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No

Category name in the API: NETWORK_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor VPC network changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.9
  • CIS GCP Foundation 1.1: 2.9
  • CIS GCP Foundation 1.2: 2.9
  • CIS GCP Foundation 1.3: 2.9
  • CIS GCP Foundation 2.0: 2.9
  • CIS GCP Foundation 3.0: 2.9
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
 Checks whether the filter property of the project's LogsMetric resource is set to resource.type="gce_network" AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No

Category name in the API: OWNER_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.4
  • CIS GCP Foundation 1.1: 2.4
  • CIS GCP Foundation 1.2: 2.4
  • CIS GCP Foundation 1.3: 2.4
  • CIS GCP Foundation 2.0: 2.4
  • CIS GCP Foundation 3.0: 2.4
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2
 Checks whether the filter property of the project's LogsMetric resource is set to (protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner"), and if resource.type is specified, that the value is global. The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No

Category name in the API: ROUTE_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor VPC network route changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.8
  • CIS GCP Foundation 1.1: 2.8
  • CIS GCP Foundation 1.2: 2.8
  • CIS GCP Foundation 1.3: 2.8
  • CIS GCP Foundation 2.0: 2.8
  • CIS GCP Foundation 3.0: 2.8
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
 Checks whether the filter property of the project's LogsMetric resource is set to resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No

SQL_INSTANCE_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.8
  • CIS GCP Foundation 1.1: 2.8
  • CIS GCP Foundation 1.2: 2.8
  • CIS GCP Foundation 1.3: 2.8
  • CIS GCP Foundation 2.0: 2.8
  • CIS GCP Foundation 3.0: 2.8
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
 Checks whether the filter property of the project's LogsMetric resource is set to protoPayload.methodName="cloudsql.instances.update" OR protoPayload.methodName="cloudsql.instances.create" OR protoPayload.methodName="cloudsql.instances.delete", and if resource.type is specified, that the value is global. The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No

Multi-factor authentication findings

The MFA_SCANNER detector identifies vulnerabilities related to multi-factor authentication for users.

Detector Summary Asset scan settings

Category name in the API: MFA_NOT_ENFORCED

There are users who aren't using 2-Step Verification.

Google Workspace lets you specify an enrollment grace period for new users during which they must enroll in 2-Step Verification. This detector does create findings for users during the enrollment grace period.

This finding isn't available for project-level activations.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Organization

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.2
  • CIS GCP Foundation 1.1: 1.2
  • CIS GCP Foundation 1.2: 1.2
  • CIS GCP Foundation 1.3: 1.2
  • CIS GCP Foundation 2.0: 1.2
  • CIS GCP Foundation 3.0: 1.2
  • NIST 800-53 R4: IA-2
  • PCI-DSS v3.2.1: 8.3
  • ISO-27001 v2013: A.9.4.2
  • ISO-27001 v2022: A.8.5

Evaluates identity management policies in organizations and user settings for managed accounts in Cloud Identity.

  • Assets excluded from scans: Organization units granted exceptions to the policy
  • Additional inputs: Reads data from Google Workspace
  • Real-time scans: No

Network vulnerability findings

Vulnerabilities of this detector type all relate to an organization's network configurations, and belong to theNETWORK_SCANNERtype.

Detector Summary Asset scan settings

Category name in the API: DEFAULT_NETWORK

Finding description: The default network exists in a project.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Network

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.1
  • CIS GCP Foundation 1.1: 3.1
  • CIS GCP Foundation 1.2: 3.1
  • CIS GCP Foundation 1.3: 3.1
  • CIS GCP Foundation 2.0: 3.1
  • CIS GCP Foundation 3.0: 3.1
  • NIST 800-53 R5: AC-18, CM-2, CM-6, CM-7, CM-9
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.4.2, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2022: A.8.9
  • Cloud Controls Matrix 4: IVS-04
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC5.2.2
  • CIS Controls 8.0: 4.2

Checks whether the name property in network metadata is set to default

  • Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state
  • Real-time scans: Yes

Category name in the API: DNS_LOGGING_DISABLED

Finding description: DNS logging on a VPC network is not enabled.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Network
dns.googleapis.com/Policy

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 2.12
  • CIS GCP Foundation 1.3: 2.12
  • CIS GCP Foundation 2.0: 2.12
  • CIS GCP Foundation 3.0: 2.12
  • NIST 800-53 R5: AU-6, AU-7
  • PCI-DSS v4.0: 10.4.1, 10.4.1.1, 10.4.2, 10.4.3
  • ISO-27001 v2022: A.5.25
  • Cloud Controls Matrix 4: LOG-05
  • NIST Cybersecurity Framework 1.0: DE-AE-2, PR-PT-1, RS-AN-1
  • SOC2 v2017: CC4.1.1, CC4.1.2, CC4.1.3, CC4.1.4, CC4.1.5, CC4.1.6, CC4.1.7, CC4.1.8, CC7.3.1, CC7.3.2, CC7.3.3, CC7.3.4, CC7.3.5
  • HIPAA: 164.308(a)(1)(ii), 164.312(b)
  • CIS Controls 8.0: 8.11, 8.2, 8.6

Checks all policies that are associated with a VPC network through the networks[].networkUrl field, and looks for at least one policy that has enableLogging set to true.

  • Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state
  • Real-time scans: Yes

Category name in the API: LEGACY_NETWORK

Finding description: A legacy network exists in a project.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Network

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.2
  • CIS GCP Foundation 1.1: 3.2
  • CIS GCP Foundation 1.2: 3.2
  • CIS GCP Foundation 1.3: 3.2
  • CIS GCP Foundation 2.0: 3.2
  • CIS GCP Foundation 3.0: 3.2
  • NIST 800-53 R5: AC-18, CM-2, CM-6, CM-7, CM-9
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.4.2, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2022: A.8.9
  • Cloud Controls Matrix 4: IVS-04
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC5.2.2
  • CIS Controls 8.0: 4.2

Checks network metadata for existence of the IPv4Range property.

  • Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state
  • Real-time scans: Yes

Category name in the API: LOAD_BALANCER_LOGGING_DISABLED

Finding description: Logging is disabled for the load balancer.

Pricing tier: Premium

Supported assets
compute.googleapis.com/BackendServices

Fix this finding

Compliance standards:

  • CIS GCP Foundation 2.0: 2.16
  • CIS GCP Foundation 3.0: 2.16
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2

Checks whether the enableLogging property of the backend service on the load balancer is set to true.

  • Real-time scans: Yes

Organization Policy vulnerability findings

Vulnerabilities of this detector type all relate to configurations of Organization Policy constraints, and belong to the ORG_POLICY type.

Detector Summary Asset scan settings

Category name in the API: ORG_POLICY_CONFIDENTIAL_VM_POLICY

 Finding description: A Compute Engine resource is out of compliance with the constraints/compute.restrictNonConfidentialComputing organization policy. For more information about this org policy constraint, see Enforcing organization policy constraints in Confidential VM.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks whether the enableConfidentialCompute property of a Compute Engine instance is set to true.

  • Assets excluded from scans: GKE instances
  • Additional IAM permissions: permissions/orgpolicy.policy.get
  • Additional inputs: Reads the effective org policy from the org policy service
  • Real-time scans: No

Category name in the API: ORG_POLICY_LOCATION_RESTRICTION

 Finding description: A Compute Engine resource is out of compliance with the constraints/gcp.resourceLocations constraint. For more information about this org policy constraint, see Enforcing organization policy constraints.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
In the following row, see Supported assets for ORG_POLICY_LOCATION_RESTRICTION

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the listPolicy property in the metadata of supported resources for a list of allowed or denied locations.

  • Additional IAM permissions: permissions/orgpolicy.policy.get
  • Additional inputs: Reads the effective org policy from the org policy service
  • Real-time scans: No

Supported assets for ORG_POLICY_LOCATION_RESTRICTION

Compute Engine
compute.googleapis.com/Autoscaler
compute.googleapis.com/Address
compute.googleapis.com/Commitment
compute.googleapis.com/Disk
compute.googleapis.com/ForwardingRule
compute.googleapis.com/HealthCheck
compute.googleapis.com/Image
compute.googleapis.com/Instance
compute.googleapis.com/InstanceGroup
compute.googleapis.com/InstanceGroupManager
compute.googleapis.com/InterconnectAttachment
compute.googleapis.com/NetworkEndpointGroup
compute.googleapis.com/NodeGroup
compute.googleapis.com/NodeTemplate