Risk Engine feature support

This page describes the services and findings that the Security Command Center Risk Engine feature supports and the supportability limits it is subject to.

Risk Engine generates attack exposure scores and attack path simulations for resources on Google Cloud, AWS, and Microsoft Azure.

Security Command Center can provide attack exposure scores and attack path visualizations for multiple cloud service provider platforms. Detector support differs for each cloud service provider, because Risk Engine depends on the vulnerability and misconfiguration detectors that are specific to each platform. The following sections describe the scope of support for each.

Organization-level support only

The attack path simulations that Risk Engine uses to generate the attack exposure scores and attack paths require Security Command Center to be activated at the organization level. Attack path simulations are not supported with project-level activations of Security Command Center.

To view attack paths, your Google Cloud console view must be set to your organization. If you select a project or folder view in the Google Cloud console, you can see attack exposure scores, but you cannot see the attack paths.

Also, the IAM permissions that users need to view attack paths must be granted at the organization level. At a minimum, users must have the securitycenter.attackpaths.list permission in a role granted at the organization level. The least permissive predefined IAM role that contains this permission is Security Center Attack Paths Reader (roles/securitycenter.attackPathsViewer).

To see other roles that contain this permission, see IAM basic and predefined roles reference.

Size limits for organizations

For attack path simulations, Risk Engine limits the number of active assets and active findings that an organization can contain.

If an organization exceeds the limits shown in the following table, attack path simulations don't run.

Type of limit                        Usage limit
Maximum number of active findings    250,000,000
Maximum number of active assets      26,000,000

If the assets, findings, or both in your organization are approaching these limits or exceed them, contact Cloud Customer Care to request an evaluation of your organization for a possible increase.

High-value resource set limits

A high-value resource set supports only certain resource types and can contain only a certain number of resource instances.

  • A high-value resource set for a cloud service provider platform can contain up to 1,000 resource instances.

  • You can create up to 100 resource value configurations per organization on Google Cloud.

User interface support

You can work with attack exposure scores in the Google Cloud console, the Security Operations console, or the Security Command Center API.

You can work with attack exposure scores and attack paths for toxic combination cases in the Security Operations console only.

You can create resource value configurations only on the Attack path simulations tab of the Security Command Center Settings page in the Google Cloud console.

Google Cloud support

The following sections describe Risk Engine support for Google Cloud.

Google Cloud services supported by Risk Engine

The simulations that Risk Engine runs can include the following Google Cloud services:

  • Artifact Registry
  • BigQuery
  • Cloud Run functions
  • Cloud Key Management Service
  • Cloud Load Balancing
  • Cloud NAT
  • Cloud Router
  • Cloud SQL
  • Cloud Storage
  • Compute Engine
  • Identity and Access Management
  • Google Kubernetes Engine
  • Virtual Private Cloud, including subnets and firewall configurations
  • Resource Manager

Google Cloud resource types supported in high-value resource sets

You can add only the following types of Google Cloud resources to a high-value resource set:

  • aiplatform.googleapis.com/Dataset
  • aiplatform.googleapis.com/Featurestore
  • aiplatform.googleapis.com/MetadataStore
  • aiplatform.googleapis.com/Model
  • aiplatform.googleapis.com/TrainingPipeline
  • bigquery.googleapis.com/Dataset
  • cloudfunctions.googleapis.com/CloudFunction
  • compute.googleapis.com/Instance
  • container.googleapis.com/Cluster
  • spanner.googleapis.com/Instance
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket

Google Cloud resource types supported with data-sensitivity classifications

Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery for only the following data resource types:

  • aiplatform.googleapis.com/Dataset
  • bigquery.googleapis.com/Dataset
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket

Supported finding categories

Attack path simulations generate attack exposure scores and attack paths for only the Security Command Center finding categories from the Security Command Center detection services that are listed in this section.

GKE Security Posture findings

The following GKE Security Posture finding categories are supported by attack path simulations:

  • GKE runtime OS vulnerability

Mandiant Attack Surface Management findings

The following Mandiant Attack Surface Management finding categories are supported by attack path simulations:

  • Software vulnerability

Risk Engine findings

The Toxic combination finding category that is generated by Risk Engine supports attack exposure scores.

VM Manager findings

The OS Vulnerability finding category that is generated by VM Manager supports attack exposure scores.

Pub/Sub notification support

Changes to attack exposure scores cannot be used as a trigger for notifications to Pub/Sub.

Also, findings sent to Pub/Sub when the findings are created don't include an attack exposure score because they are sent before a score can be calculated.
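The practical consequence of the two limitations above is that a Pub/Sub consumer must treat a missing attack exposure score as "not yet computed", never as zero, and must go back to the Security Command Center API for the score once the simulation has run. The following Python handler, added here as an illustration and not code from Security Command Center or its client libraries, shows that pattern on constructed sample notifications. The field names attackExposure.score and attackExposure.state follow the Finding resource; the threshold, the decision labels, the sample payloads, and the name-based re-fetch filter are assumptions for this example.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional

# Field names (notificationConfigName, finding, attackExposure.score,
# attackExposure.state) follow the Security Command Center NotificationMessage
# and Finding resources. The threshold, decision labels, sample payloads and
# re-fetch filter below are assumptions made for this example.

ESCALATE_AT = 7.0  # assumed threshold; tune to your own risk appetite


@dataclass(frozen=True)
class Triage:
    finding_name: str
    score: Optional[float]
    decision: str  # "refetch_later", "escalate" or "route_normally"


def decode_notification(push_body: dict) -> dict:
    """Return the NotificationMessage carried in a Pub/Sub push request body.

    Pub/Sub base64-encodes the payload in message.data; the decoded payload
    is the JSON NotificationMessage that wraps the finding.
    """
    raw = base64.b64decode(push_body["message"]["data"])
    return json.loads(raw)


def triage_finding(finding: dict, escalate_at: float = ESCALATE_AT) -> Triage:
    """Decide what to do with one finding taken from a notification.

    A finding delivered at creation time carries no attackExposure block yet
    (or a state other than CALCULATED), so its score must not be read as 0:
    defer it and re-fetch it from the API after the simulation has run.
    """
    exposure = finding.get("attackExposure") or {}
    score = exposure.get("score")
    if score is None or exposure.get("state") != "CALCULATED":
        return Triage(finding["name"], None, "refetch_later")
    score = float(score)
    decision = "escalate" if score >= escalate_at else "route_normally"
    return Triage(finding["name"], score, decision)


def refetch_filter(finding_name: str) -> str:
    """Build a ListFindings filter that selects one finding by resource name.

    Assumed usage: list_findings(parent=<organization or source parent>,
    filter=refetch_filter(name)) after a delay, so the returned copy of the
    finding carries the attackExposure block once Risk Engine has scored it.
    """
    return f'name="{finding_name}"'


def triage_batch(push_bodies) -> dict:
    """Triage several push bodies; return the finding names per decision."""
    buckets = {"refetch_later": [], "escalate": [], "route_normally": []}
    for body in push_bodies:
        finding = decode_notification(body)["finding"]
        result = triage_finding(finding)
        buckets[result.decision].append(result.finding_name)
    return buckets


def _push_body(finding: dict) -> dict:
    """Wrap a finding in a constructed Pub/Sub push body (sample data, not real)."""
    message = {
        "notificationConfigName": "organizations/123/notificationConfigs/attack-exposure",
        "finding": finding,
    }
    data = base64.b64encode(json.dumps(message).encode()).decode()
    return {"message": {"data": data, "messageId": "1"},
            "subscription": "projects/p/subscriptions/s"}


# Constructed sample notifications: one finding delivered at creation time
# (no score yet), one scored above the threshold, one scored below it.
SAMPLE_PUSH_BODIES = [
    _push_body({
        "name": "organizations/123/sources/456/findings/new-finding",
        "category": "OS_VULNERABILITY",
        "state": "ACTIVE",
    }),
    _push_body({
        "name": "organizations/123/sources/456/findings/scored-high",
        "category": "OS_VULNERABILITY",
        "state": "ACTIVE",
        "attackExposure": {"score": 8.2, "state": "CALCULATED"},
    }),
    _push_body({
        "name": "organizations/123/sources/456/findings/scored-low",
        "category": "OS_VULNERABILITY",
        "state": "ACTIVE",
        "attackExposure": {"score": 1.5, "state": "CALCULATED"},
    }),
]

if __name__ == "__main__":
    for decision, names in triage_batch(SAMPLE_PUSH_BODIES).items():
        print(f"{decision}: {names}")
```

The "refetch_later" bucket is the one to act on carefully: because score changes never trigger a notification, the consumer, not Pub/Sub, has to schedule the follow-up query and decide how long to wait for the next simulation run.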

AWS support

Security Command Center can calculate attack exposure scores and attack path visualizations for your resources on AWS.

AWS services supported by Risk Engine

The simulations can include the following AWS services:

  • Identity and Access Management (IAM)
  • Security Token Service (STS)
  • Simple Storage Service (S3)
  • Web Application Firewall (WAFv2)
  • Elastic Compute Cloud (EC2)
  • Elastic Load Balancing (ELB & ELBv2)
  • Relational Database Service (RDS)
  • Key Management Service (KMS)
  • Elastic Container Registry (ECR)
  • Elastic Container Service (ECS)
  • ApiGateway & ApiGatewayv2
  • Organizations (Account Management Service)
  • CloudFront
  • AutoScaling
  • Lambda
  • DynamoDB

AWS resource types supported in high-value resource sets

You can add only the following types of AWS resources to a high-value resource set:

  • DynamoDB table
  • EC2 instance
  • Lambda function
  • RDS DBCluster
  • RDS DBInstance
  • S3 bucket

AWS resource types supported with data-sensitivity classifications

Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery for only the following AWS data resource types:

  • Amazon S3 bucket

Finding support in Security Health Analytics for AWS

Risk Engine provides scores and attack path visualizations for the following Security Health Analytics finding categories:

  • Access keys rotated 90 days less
  • Credentials unused 45 days greater disabled
  • Default security group VPC restricts all traffic
  • EC2 instance no public IP
  • IAM password policy
  • IAM password policy prevents password reuse
  • IAM password policy requires minimum length 14 greater
  • IAM user unused credentials check
  • IAM users receive permissions groups
  • KMS cmk not scheduled for deletion
  • MFA delete enabled S3 buckets
  • MFA enabled root user account
  • Multi factor authentication MFA enabled all IAM users console
  • No root user account access key exists
  • No security groups allow ingress 0 remote server administration
  • No security groups allow ingress 0 0 0 0 remote server administration
  • One active access key available any single IAM user
  • Public access given RDS instance
  • Restricted common ports
  • Restricted SSH
  • Rotation customer created CMKS enabled
  • Rotation customer created symmetric CMKS enabled
  • S3 buckets configured block public access bucket settings
  • S3 bucket policy set deny HTTP requests
  • S3 default encryption KMS
  • VPC default security group closed

Vulnerability Assessment for Amazon Web Services findings

The Software vulnerability finding category that is generated by EC2 Vulnerability Assessment supports attack exposure scores.

Azure support

Risk Engine can generate attack exposure scores and attack path visualizations for your resources on Microsoft Azure.

After you establish a connection to Azure, you can designate Azure high-value resources by creating resource value configurations, as you do for resources on Google Cloud and AWS. For instructions, see Define and manage your high-value resource set.

Until you create your first resource value configuration for Azure, Security Command Center uses a default high-value resource set that is specific to that cloud service provider.

Security Command Center runs simulations for a cloud platform that are independent of simulations run for other cloud platforms.

Azure services supported by Risk Engine

The attack path simulations can include the following Azure services:

  • App Service
  • Azure Kubernetes Service (AKS)
  • Virtual Network
  • Container Registry
  • Cosmos DB
  • Functions
  • Key Vault
  • MySQL database
  • Network security groups
  • PostgreSQL database
  • Role-Based Access Control (RBAC)
  • Service Bus
  • SQL Database
  • Storage Account
  • Virtual Machine Scale Sets
  • Virtual Machines

Azure resource types you can specify in high-value resource sets

You can add only the following types of Azure resources to a high-value resource set:

  • Microsoft.Compute/virtualMachines
    • Linux VM
    • Windows VM
  • Microsoft.ContainerService/managedClusters
    • Kubernetes Cluster
  • Microsoft.DBforMySQL/flexibleServers/databases
    • MySQL Database
  • Microsoft.DBforPostgreSQL/flexibleServers/databases
    • PostgreSQL Database
  • Microsoft.DocumentDB/databaseAccounts
    • Cosmos DB Account
  • Microsoft.Sql/servers/databases
    • SQL Database
  • Microsoft.Storage/storageAccounts
    • Storage Account
  • Microsoft.Web/sites
    • App Service
    • Function App

Azure resources included in the default high-value resource set

The following are resources included in the default high-value resource set:

  • Microsoft.Compute/virtualMachines
    • Linux VM
    • Windows VM
  • Microsoft.DBforPostgreSQL/flexibleServers/databases
    • PostgreSQL Database
  • Microsoft.DBforMySQL/flexibleServers/databases
    • MySQL Database
  • Microsoft.DocumentDB/databaseAccounts
    • Cosmos DB Account
  • Microsoft.Sql/servers/databases
    • SQL Database
  • Microsoft.Storage/storageAccounts
    • Storage Account
  • Microsoft.Web/sites
    • App Service
    • Function App