Risk Engine feature support

This page describes the services and findings that the Security Command Center Risk Engine feature supports and the supportability limits it is subject to.

Risk Engine generates attack exposure scores and paths for the following:

The following sections list the Security Command Center services and findings that are supported by Risk Engine.

Organization-level support only

The attack path simulations that Risk Engine uses to generate the attack exposure scores and attack paths require Security Command Center to be activated at the organization level. Attack path simulations are not supported with project-level activations of Security Command Center.

To view attack paths, your Google Cloud console view must be set to your organization. If you select a project or folder view in the Google Cloud console, you can see attack exposure scores, but you cannot see the attack paths.

Also, the IAM permissions that users need to view attack paths must be granted at the organization level. At a minimum, users must have the securitycenter.attackpaths.list permission in a role granted at the organization level. The least permissive predefined IAM role that contains this permission is Security Center Attack Paths Reader (securitycenter.attackPathsViewer).

To see other roles that contain this permission, see IAM basic and predefined roles reference.

Size limits for organizations

For attack path simulations, Risk Engine limits the number of active assets and active findings that an organization can contain.

If an organization exceeds the limits shown in the following table, attack path simulations don't run.

Type of limit                        Usage limit
Maximum number of active findings    250,000,000
Maximum number of active assets      26,000,000

If the assets, findings, or both in your organization are approaching these limits or exceed them, contact Cloud Customer Care to request an evaluation of your organization for a possible increase.

Google Cloud services included in attack path simulations

The simulations that Risk Engine runs can include the following Google Cloud services:

  • Artifact Registry
  • BigQuery
  • Cloud Run functions
  • Cloud Key Management Service
  • Cloud Load Balancing
  • Cloud NAT
  • Cloud Router
  • Cloud SQL
  • Cloud Storage
  • Compute Engine
  • Identity and Access Management
  • Google Kubernetes Engine
  • Virtual Private Cloud, including subnets and firewall configurations
  • Resource Manager

High-value resource set limits

A high-value resource set supports only certain resource types and can contain only a certain number of resource instances.

Instance limit for high-value resource sets

A high-value resource set for a cloud service provider platform can contain up to 1,000 resource instances.

Resource types supported in high-value resource sets

You can add only the following types of Google Cloud resources to a high-value resource set:

  • aiplatform.googleapis.com/Dataset
  • aiplatform.googleapis.com/Featurestore
  • aiplatform.googleapis.com/MetadataStore
  • aiplatform.googleapis.com/Model
  • aiplatform.googleapis.com/TrainingPipeline
  • bigquery.googleapis.com/Dataset
  • cloudfunctions.googleapis.com/CloudFunction
  • compute.googleapis.com/Instance
  • container.googleapis.com/Cluster
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket

For a list of supported resource types for other cloud service providers, see Cloud service provider support.

Resource value configuration limit

You can create up to 100 resource value configurations per organization on Google Cloud.

Google Cloud resource types supported with data-sensitivity classifications

Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery for only the following data resource types:

  • bigquery.googleapis.com/Dataset
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket

Supported finding categories

Attack path simulations generate attack exposure scores and attack paths for only the Security Command Center finding categories from the Security Command Center detection services that are listed in this section.

GKE Security Posture findings

The following GKE Security Posture finding categories are supported by attack path simulations:

  • GKE runtime OS vulnerability

Mandiant Attack Surface Management findings

The following Mandiant Attack Surface Management finding categories are supported by attack path simulations:

  • Software vulnerability

Risk Engine findings

The Toxic combination finding category that is issued by Risk Engine supports attack exposure scores.

Security Health Analytics findings

The following Security Health Analytics findings are supported by attack path simulations on Google Cloud:

  • Admin service account
  • Auto repair disabled
  • Auto upgrade disabled
  • Binary authorization disabled
  • Bucket policy only disabled
  • Cluster private Google access disabled
  • Cluster secrets encryption disabled
  • Cluster shielded nodes disabled
  • Compute project wide SSH keys allowed
  • Compute Secure Boot disabled
  • Compute Serial Ports Enabled
  • COS not used
  • Default service account used
  • Full API access
  • Master authorized networks disabled
  • MFA not enforced
  • Network policy disabled
  • Nodepool secure boot disabled
  • Open Cassandra port
  • Open ciscosecure websm port
  • Open directory services port
  • Open DNS port
  • Open elasticsearch port
  • Open firewall
  • Open FTP port
  • Open HTTP port
  • Open LDAP port
  • Open Memcached port
  • Open MongoDB port
  • Open MySQL port
  • Open NetBIOS port
  • Open OracleDB port
  • Open pop3 port
  • Open PostgreSQL port
  • Open RDP port
  • Open Redis port
  • Open SMTP port
  • Open SSH port
  • Open Telnet port
  • Over privileged account
  • Over privileged scopes
  • Over privileged service account user
  • Primitive roles used
  • Private cluster disabled
  • Public Bucket Acl
  • Public IP address
  • Public Log Bucket
  • Release channel disabled
  • Service account key not rotated
  • User managed service account key
  • Workload Identity disabled

VM Manager findings

The OS Vulnerability finding category that is issued by VM Manager supports attack exposure scores.

Pub/Sub notification support

Changes to attack exposure scores cannot be used as a trigger for notifications to Pub/Sub.

Also, findings that are sent to Pub/Sub when they are created do not include an attack exposure score, because they are sent before a score can be calculated.

Multicloud support

Security Command Center can provide attack exposure scores and attack path visualizations for the following cloud service providers:

The vulnerability and misconfiguration detectors that attack path simulations support for other cloud service provider platforms depend on the detections that the Security Command Center detection services support on each platform.

Detector support differs for each cloud service provider.

AWS support

Security Command Center can calculate attack exposure scores and attack path visualizations for your resources on AWS.

AWS services supported by attack path simulations

The simulations can include the following AWS services:

  • Identity and Access Management (IAM)
  • Security Token Service (STS)
  • Simple Storage Service (S3)
  • Web Application Firewall (WAFv2)
  • Elastic Compute Cloud (EC2)
  • Elastic Load Balancing (ELB & ELBv2)
  • Relational Database Service (RDS)
  • Key Management Service (KMS)
  • Elastic Container Registry (ECR)
  • Elastic Container Service (ECS)
  • ApiGateway & ApiGatewayv2
  • Organizations (Account Management Service)
  • CloudFront
  • AutoScaling
  • Lambda
  • DynamoDB

AWS resource types supported in high-value resource sets

You can add only the following types of AWS resources to a high-value resource set:

  • DynamoDB table
  • EC2 instance
  • Lambda function
  • RDS DBCluster
  • RDS DBInstance
  • S3 bucket

AWS resource types supported with data-sensitivity classifications

Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery for only the following AWS data resource types:

  • Amazon S3 bucket

Finding support in Security Health Analytics for AWS

Attack path simulations provide scores and attack path visualizations for the following Security Health Analytics finding categories:

  • Access keys rotated 90 days less
  • Credentials unused 45 days greater disabled
  • Default security group VPC restricts all traffic
  • EC2 instance no public IP
  • IAM password policy
  • IAM password policy prevents password reuse
  • IAM password policy requires minimum length 14 greater
  • IAM user unused credentials check
  • IAM users receive permissions groups
  • KMS cmk not scheduled for deletion
  • MFA delete enabled S3 buckets
  • MFA enabled root user account
  • Multi factor authentication MFA enabled all IAM users console
  • No root user account access key exists
  • No security groups allow ingress 0 remote server administration
  • No security groups allow ingress 0 0 0 0 remote server administration
  • One active access key available any single IAM user
  • Public access given RDS instance
  • Restricted common ports
  • Restricted SSH
  • Rotation customer created CMKS enabled
  • Rotation customer created symmetric CMKS enabled
  • S3 buckets configured block public access bucket settings
  • S3 bucket policy set deny HTTP requests
  • S3 default encryption KMS
  • VPC default security group closed

Vulnerability Assessment findings

The Software vulnerability finding category that is issued by EC2 Vulnerability Assessment supports attack exposure scores.

User interface support

You can work with attack exposure scores in the Google Cloud console, the Security Operations console, or the Security Command Center API.

You can work with attack exposure scores and attack paths for toxic combination cases in the Security Operations console only.

You can create resource value configurations only on the Attack path simulations tab of the Security Command Center Settings page in the Google Cloud console.