This page describes the services and findings that the Security Command Center Risk Engine feature supports and the supportability limits it is subject to.
Risk Engine generates attack exposure scores and attack path simulations for the following:
- Supported finding categories in the Vulnerability and Misconfiguration finding classes, and Toxic combination class findings.
- Resource instances of supported resource types that you designate as high value. For more information, see Resource types supported in high-value resource sets.
Security Command Center can provide attack exposure scores and attack path visualizations for multiple cloud service provider platforms. Detector support differs for each cloud service provider. Risk Engine depends on vulnerability and misconfiguration detectors that are specific to each cloud service provider. The following sections describe the scope of support for each.
Organization-level support only
The attack path simulations that Risk Engine uses to generate the attack exposure scores and attack paths require Security Command Center to be activated at the organization level. Attack path simulations are not supported with project-level activations of Security Command Center.
To view attack paths, your Google Cloud console view must be set to your organization. If you select a project or folder view in the Google Cloud console, you can see attack exposure scores, but you cannot see the attack paths.
Also, the IAM permissions that users need to view attack paths must be granted at the organization level. At a minimum, users must have the securitycenter.attackpaths.list permission in a role granted at the organization level. The least permissive predefined IAM role that contains this permission is Security Center Attack Paths Reader (securitycenter.attackPathsViewer).
To see other roles that contain this permission, see IAM basic and predefined roles reference.
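The organization-level requirement above is easy to get wrong, because a binding on a project or folder looks correct in isolation but does not unlock attack paths. The following Python is an example added to this page (not Google's code) that classifies a principal's access from IAM policy documents in the JSON shape that `gcloud organizations get-iam-policy` and `gcloud projects get-iam-policy` print with `--format=json`. The role set starts from the one role the page names; the policy contents are constructed sample data, and treating conditional bindings as non-granting is a conservative assumption of this example.

```python
"""Added example (not Google's code): decide whether a principal can view
attack paths, given that securitycenter.attackpaths.list must be granted in a
role bound at the organization level. All policy data below is constructed."""
from __future__ import annotations

# Roles that contain securitycenter.attackpaths.list. The page names the
# least-permissive predefined role; extend this set from the IAM
# predefined-roles reference if you want to recognise broader roles too.
ATTACK_PATH_ROLES = {"roles/securitycenter.attackPathsViewer"}


def roles_for_member(policy: dict, member: str) -> set[str]:
    """Roles bound to `member` in `policy`, ignoring conditional bindings.

    A binding with a `condition` applies only while the condition holds, so
    this check conservatively treats it as not granting the role (assumption).
    """
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }


def has_attack_path_role(policy: dict, member: str,
                         granting_roles: set[str] = ATTACK_PATH_ROLES) -> bool:
    """True if `member` holds any role from `granting_roles` in `policy`."""
    return bool(roles_for_member(policy, member) & granting_roles)


def attack_path_access(org_policy: dict, project_policies: list[dict],
                       member: str) -> str:
    """Classify access as:
    - 'org'          : role bound at the organization; attack paths are visible
    - 'project-only' : role bound only below the organization; not sufficient
    - 'none'         : no qualifying binding found
    """
    if has_attack_path_role(org_policy, member):
        return "org"
    if any(has_attack_path_role(p, member) for p in project_policies):
        return "project-only"
    return "none"


# Constructed sample policies (not real organizations or users).
ORG_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/securitycenter.attackPathsViewer",
         "members": ["user:alice@example.com"]},
        # Conditional grant: treated as non-granting by this check.
        {"role": "roles/securitycenter.attackPathsViewer",
         "members": ["user:carol@example.com"],
         "condition": {"title": "expired-window",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
}
PROJECT_POLICY = {
    "version": 1,
    "bindings": [
        # Correct role, wrong level: attack paths stay hidden for bob.
        {"role": "roles/securitycenter.attackPathsViewer",
         "members": ["user:bob@example.com"]},
    ],
}

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com",
                "user:carol@example.com", "user:dave@example.com"):
        print(who, attack_path_access(ORG_POLICY, [PROJECT_POLICY], who))
```

Feed it the real policies by saving `gcloud organizations get-iam-policy ORG_ID --format=json` and the relevant project policies to files and loading them with `json.load`; a `project-only` verdict is the case to look for when a user reports seeing scores but no attack paths.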
Size limits for organizations
For attack path simulations, Risk Engine limits the number of active assets and active findings that an organization can contain.
If an organization exceeds the limits shown in the following table, attack path simulations don't run.
Type of limit | Usage limit |
---|---|
Maximum number of active findings | 250,000,000 |
Maximum number of active assets | 26,000,000 |
If the assets, findings, or both in your organization are approaching these limits or exceed them, contact Cloud Customer Care to request an evaluation of your organization for a possible increase.
High-value resource set limits
A high-value resource set supports only certain resource types and can contain only a certain number of resource instances.
A high-value resource set for a cloud service provider platform can contain up to 1,000 resource instances.
You can create up to 100 resource value configurations per organization on Google Cloud.
User interface support
You can work with attack exposure scores in the Google Cloud console, the Security Operations console, or the Security Command Center API.
You can work with attack exposure scores and attack paths for toxic combination cases in the Security Operations console only.
You can create resource value configurations only on the Attack path simulations tab of the Security Command Center Settings page in the Google Cloud console.
Google Cloud support
The following sections describe Risk Engine support for Google Cloud.
Google Cloud services supported by Risk Engine
The simulations that Risk Engine runs can include the following Google Cloud services:
- Artifact Registry
- BigQuery
- Cloud Run functions
- Cloud Key Management Service
- Cloud Load Balancing
- Cloud NAT
- Cloud Router
- Cloud SQL
- Cloud Storage
- Compute Engine
- Identity and Access Management
- Google Kubernetes Engine
- Virtual Private Cloud, including subnets and firewall configurations
- Resource Manager
Google Cloud resource types supported in high-value resource sets
You can add only the following types of Google Cloud resources to a high-value resource set:
- aiplatform.googleapis.com/Dataset
- aiplatform.googleapis.com/Featurestore
- aiplatform.googleapis.com/MetadataStore
- aiplatform.googleapis.com/Model
- aiplatform.googleapis.com/TrainingPipeline
- bigquery.googleapis.com/Dataset
- cloudfunctions.googleapis.com/CloudFunction
- compute.googleapis.com/Instance
- container.googleapis.com/Cluster
- spanner.googleapis.com/Instance
- sqladmin.googleapis.com/Instance
- storage.googleapis.com/Bucket
Google Cloud resource types supported with data-sensitivity classifications
Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery for only the following data resource types:
- aiplatform.googleapis.com/Dataset
- bigquery.googleapis.com/Dataset
- sqladmin.googleapis.com/Instance
- storage.googleapis.com/Bucket
Supported finding categories
Attack path simulations generate attack exposure scores and attack paths for only the Security Command Center finding categories from the Security Command Center detection services that are listed in this section.
GKE Security Posture findings
The following GKE Security Posture finding categories are supported by attack path simulations:
- GKE runtime OS vulnerability
Mandiant Attack Surface Management findings
The following Mandiant Attack Surface Management finding categories are supported by attack path simulations:
- Software vulnerability
Risk Engine findings
The Toxic combination finding category that is generated by Risk Engine supports attack exposure scores.
VM Manager findings
The OS Vulnerability finding category that is generated by VM Manager supports attack exposure scores.
Pub/Sub notification support
Changes to attack exposure scores cannot be used as a trigger for notifications to Pub/Sub.
Also, findings sent to Pub/Sub when the findings are created don't include an attack exposure score because they are sent before a score can be calculated.
AWS support
Security Command Center can calculate attack exposure scores and attack path visualizations for your resources on AWS.
AWS services supported by Risk Engine
The simulations can include the following AWS services:
- Identity and Access Management (IAM)
- Security Token Service (STS)
- Simple Storage Service (S3)
- Web Application Firewall (WAFv2)
- Elastic Compute Cloud (EC2)
- Elastic Load Balancing (ELB & ELBv2)
- Relational Database Service (RDS)
- Key Management Service (KMS)
- Elastic Container Registry (ECR)
- Elastic Container Service (ECS)
- ApiGateway & ApiGatewayv2
- Organizations (Account Management Service)
- CloudFront
- AutoScaling
- Lambda
- DynamoDB
AWS resource types supported in high-value resource sets
You can add only the following types of AWS resources to a high-value resource set:
- DynamoDB table
- EC2 instance
- Lambda function
- RDS DBCluster
- RDS DBInstance
- S3 bucket
AWS resource types supported with data-sensitivity classifications
Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery for only the following AWS data resource types:
- Amazon S3 bucket
Finding support in Security Health Analytics for AWS
Risk Engine provides scores and attack path visualizations for the following Security Health Analytics finding categories:
- Access keys rotated 90 days less
- Credentials unused 45 days greater disabled
- Default security group VPC restricts all traffic
- EC2 instance no public IP
- IAM password policy
- IAM password policy prevents password reuse
- IAM password policy requires minimum length 14 greater
- IAM user unused credentials check
- IAM users receive permissions groups
- KMS cmk not scheduled for deletion
- MFA delete enabled S3 buckets
- MFA enabled root user account
- Multi factor authentication MFA enabled all IAM users console
- No root user account access key exists
- No security groups allow ingress 0 remote server administration
- No security groups allow ingress 0 0 0 0 remote server administration
- One active access key available any single IAM user
- Public access given RDS instance
- Restricted common ports
- Restricted SSH
- Rotation customer created CMKS enabled
- Rotation customer created symmetric CMKS enabled
- S3 buckets configured block public access bucket settings
- S3 bucket policy set deny HTTP requests
- S3 default encryption KMS
- VPC default security group closed
Vulnerability Assessment for Amazon Web Services findings
The Software vulnerability finding category that is generated by EC2 Vulnerability Assessment supports attack exposure scores.
Azure support
Risk Engine can generate attack exposure scores and attack path visualizations for your resources on Microsoft Azure.
After you establish a connection to Azure, you can designate Azure high-value resources by creating resource value configurations, as you would for resources on Google Cloud and AWS. For instructions, see Define and manage your high-value resource set.
Until you create your first resource value configuration for Azure, Security Command Center uses a default high-value resource set that is specific to the cloud service provider.
Simulations for one cloud platform run independently of the simulations run for other cloud platforms.
Azure services supported by Risk Engine
The attack path simulations can include the following Azure services:
- App Service
- Azure Kubernetes Service (AKS)
- Virtual Network
- Container Registry
- Cosmos DB
- Functions
- Key Vault
- MySQL database
- Network security groups
- PostgreSQL database
- Role-Based Access Control (RBAC)
- Service Bus
- SQL Database
- Storage Account
- Virtual Machine Scale Sets
- Virtual Machines
Azure resource types you can specify in high-value resource sets
You can add only the following types of Azure resources to a high-value resource set:
- Microsoft.Compute/virtualMachines
  - Linux VM
  - Windows VM
- Microsoft.ContainerService/managedClusters
  - Kubernetes Cluster
- Microsoft.DBforMySQL/flexibleServers/databases
  - MySQL Database
- Microsoft.DBforPostgreSQL/flexibleServers/databases
  - PostgreSQL Database
- Microsoft.DocumentDB/databaseAccounts
  - Cosmos DB Account
- Microsoft.Sql/servers/databases
  - SQL Database
- Microsoft.Storage/storageAccounts
  - Storage Account
- Microsoft.Web/sites
  - App Service
  - Function App
Azure resources included in the default high-value resource set
The following resources are included in the default high-value resource set:
- Microsoft.Compute/virtualMachines
  - Linux VM
  - Windows VM
- Microsoft.DBforPostgreSQL/flexibleServers/databases
  - PostgreSQL Database
- Microsoft.DBforMySQL/flexibleServers/databases
  - MySQL Database
- Microsoft.DocumentDB/databaseAccounts
  - Cosmos DB Account
- Microsoft.Sql/servers/databases
  - SQL Database
- Microsoft.Storage/storageAccounts
  - Storage Account
- Microsoft.Web/sites
  - App Service
  - Function App