Attack exposure feature support

This page describes the services and findings that the attack exposure feature supports and the supportability limits it is subject to.

Security Command Center generates attack exposure scores and paths for the following:

The following sections list the Security Command Center services and findings that are supported by attack exposure scores.

Organization-level support only

The attack path simulations that generate the attack exposure scores and attack paths require Security Command Center to be activated at the organization level. Attack path simulations are not supported with project-level activations of Security Command Center.

To view attack paths, your Google Cloud console view must be set to your organization. If you select a project or folder view in the Google Cloud console, you can see attack exposure scores, but you cannot see the attack paths.

Also, the IAM permissions that users need to view attack paths must be granted at the organization level. At a minimum, users must have the securitycenter.attackpaths.list permission in a role granted at the organization level. The least permissive predefined IAM role that contains this permission is Security Center Attack Paths Reader (securitycenter.attackPathsViewer).

To see other roles that contain this permission, see IAM basic and predefined roles reference.

Size limits for organizations

For attack path simulations, Security Command Center limits the number of active assets and active findings an organization can contain.

If an organization exceeds the limits shown in the following table, attack path simulations do not run.

Type of limit Usage limit
Maximum number of active findings 250,000,000
Maximum number of active assets 26,000,000

If the assets, findings, or both in your organization are approaching these limits or exceed them, contact Cloud Customer Care to request an evaluation of your organization for a possible increase.

Google Cloud services included in attack path simulations

The simulations can include the following Google Cloud services:

  • Artifact Registry
  • BigQuery
  • Cloud Functions
  • Cloud Key Management Service
  • Cloud Load Balancing
  • Cloud NAT
  • Cloud Router
  • Cloud SQL
  • Cloud Storage
  • Compute Engine
  • Identity and Access Management
  • Google Kubernetes Engine
  • Virtual Private Cloud, including subnets and firewall configurations
  • Resource Manager

High-value resource set limits

A high-value resource set supports only certain resource types and can contain only a certain number of resource instances.

Instance limit for high-value resource sets

A high-value resource set for a cloud service provider platform can contain up to 1,000 resource instances.

Resource types supported in high-value resource sets

You can add only the following types of Google Cloud resources to a high-value resource set:


For a list of supported resource types for other cloud service providers, see Cloud service provider support.

Resource value configuration limit

You can create up to 100 resource value configurations per organization on Google Cloud.

Resource types supported with data-sensitivity classifications

Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection for only the following data resource types:


Supported finding categories

Attack path simulations generate attack exposure scores and attack paths for only the Security Command Center finding categories from the Security Command Center detection services that are listed in this section.

Mandiant Attack Surface Management findings

The following Mandiant Attack Surface Management finding categories are supported by attack path simulations:

  • Software vulnerability

Security Health Analytics findings

The following Security Health Analytics findings are supported by attack path simulations on Google Cloud:

  • Admin service account
  • Auto repair disabled
  • Auto upgrade disabled
  • Binary authorization disabled
  • Bucket policy only disabled
  • Cluster private Google access disabled
  • Cluster secrets encryption disabled
  • Cluster shielded nodes disabled
  • Compute project wide SSH keys allowed
  • Compute Secure Boot disabled
  • Compute Serial Ports Enabled
  • COS not used
  • Default service account used
  • Full API access
  • Master authorized networks disabled
  • MFA not enforced
  • Network policy disabled
  • Nodepool secure boot disabled
  • Open Cassandra port
  • Open ciscosecure websm port
  • Open directory services port
  • Open DNS port
  • Open elasticsearch port
  • Open firewall
  • Open FTP port
  • Open HTTP port
  • Open LDAP port
  • Open Memcached port
  • Open MongoDB port
  • Open MySQL port
  • Open NetBIOS port
  • Open OracleDB port
  • Open pop3 port
  • Open PostgreSQL port
  • Open RDP port
  • Open Redis port
  • Open SMTP port
  • Open SSH port
  • Open Telnet port
  • Over privileged account
  • Over privileged scopes
  • Over privileged service account user
  • Primitive roles used
  • Private cluster disabled
  • Public Bucket Acl
  • Public IP address
  • Public Log Bucket
  • Release channel disabled
  • Service account key not rotated
  • User managed service account key
  • Workload Identity disabled

Rapid Vulnerability Detection findings

The following Rapid Vulnerability Detection findings are supported by attack path simulations:

  • Weak Credentials
  • Elasticsearch Api Exposed
  • Exposed Grafana Endpoint
  • Exposed Metabase
  • Exposed Spring Boot Actuator Endpoint
  • Hadoop Yarn Unauthenticated Resource Manager Api
  • Java Jmx Rmi Exposed
  • Jupyter Notebook Exposed Ui
  • Kubernetes Api Exposed
  • Unfinished Wordpress Installation
  • Unauthenticated Jenkins New Item Console
  • Apache Httpd Rce
  • Apache Httpd Ssrf
  • Consul Rce
  • Druid Rce
  • Drupal Rce
  • Flink File Disclosure
  • Gitlab Rce
  • Go Cd Rce
  • Jenkins Rce
  • Joomla Rce
  • Log4j Rce
  • Mantisbt Privilege Escalation
  • Ognl Rce
  • Openam Rce
  • Oracle Weblogic Rce
  • Php Unit Rce
  • Php Cgi Rce
  • Portal Rce
  • Redis Rce
  • Solr File Exposed
  • Solr Rce
  • Struts Rce
  • Tomcat File Disclosure
  • Vbulletin Rce
  • Vcenter Rce
  • Weblogic Rce

VM Manager findings

The OS Vulnerability finding category that is issued by VM Manager supports attack exposure scores.

Pub/Sub notification support

Changes to attack exposure scores cannot be used as a trigger for notifications to Pub/Sub.

Also findings sent to Pub/Sub when the findings are created do not include an attack exposure score because they are sent before a score can be calculated.

Multicloud support

Security Command Center can provide attack exposure scores and attack path visualizations for the following cloud service providers:

  • Amazon Web Services (AWS)

Detector support for other cloud service providers

The vulnerability and misconfiguration detectors that attack path simulations support for other cloud service provider platforms depends on the detections that the Security Command Center detection services support on the platform.

Detector support differs for each cloud service provider.

AWS support

Security Command Center can calculate attack exposure scores and attack path visualizations for your resources on AWS.

AWS services supported by attack path simulations

The simulations can include the following AWS services:

  • Identity and Access Management (IAM)
  • Security Token Service (STS)
  • Simple Storage Service (S3)
  • Web Application Firewall (WAFv2)
  • Elastic Compute Cloud (EC2)
  • Elastic Load Balancing (ELB & ELBv2)
  • Relational Database Service (RDS)
  • Key Management Service (KMS)
  • Elastic Container Registry (ECR)
  • Elastic Container Service (ECS)
  • ApiGateway & ApiGatewayv2
  • Organizations (Account Management Service)
  • CloudFront
  • AutoScaling
  • Lambda
  • DynamoDB

AWS resource types you can specify as high-value resources

You can add only the following types of AWS resources to a high-value resource set:

  • DynamoDB table
  • EC2 instance
  • Lambda function
  • RDS DBCluster
  • RDS DBInstance
  • S3 bucket

Finding support for AWS

Attack path simulations provides scores and attack path visualizations for the following Security Health Analytics finding categories:

  • Access keys rotated 90 days less
  • Credentials unused 45 days greater disabled
  • Default security group VPC restricts all traffic
  • EC2 instance no public IP
  • IAM password policy
  • IAM password policy prevents password reuse
  • IAM password policy requires minimum length 14 greater
  • IAM user unused credentials check
  • IAM users receive permissions groups
  • KMS cmk not scheduled for deletion
  • MFA delete enabled S3 buckets
  • MFA enabled root user account
  • Multi factor authentication MFA enabled all IAM users console
  • No root user account access key exists
  • No security groups allow ingress 0 remote server administration
  • No security groups allow ingress 0 0 0 0 remote server administration
  • One active access key available any single IAM user
  • Public access given RDS instance
  • Restricted common ports
  • Restricted SSH
  • Rotation customer created CMKS enabled
  • Rotation customer created symmetric CMKS enabled
  • S3 buckets configured block public access bucket settings
  • S3 bucket policy set deny HTTP requests
  • S3 default encryption KMS
  • VPC default security group closed

User interface support

You can use either Security Command Center in the Google Cloud console or the Security Command Center API to work with attack exposure scores.

However, you can create resource value configurations only on the Attack path simulations tab of the Security Command Center Settings page in the Google Cloud console.