Investigate identity and access findings

This page explains how to work with findings for security issues that are related to identity and access (identity and access findings) in the Google Cloud console to investigate and identify potential misconfigurations.

As part of the Cloud Infrastructure Entitlement Management (CIEM) capabilities offered with the Enterprise tier, Security Command Center generates identity and access findings and makes them readily accessible on the Security Command Center Risk Overview page. These findings are curated and categorized under the Identity and access findings pane.

Before you begin

Make sure you have completed the following tasks before continuing:

View a summary of identity and access findings

The Identity and access findings pane on the Security Command Center Risk Overview page provides a high-level look at the top identity and access findings across your cloud environments, such as Google Cloud and Amazon Web Services (AWS). The pane consists of a table that organizes the findings across the following columns:

  • Severity: The finding severity is a general indicator of how important it is to remediate the finding category, which can be classified as Critical, High, Medium, or Low.
  • Finding category: The type of identity and access misconfiguration found.
  • Cloud provider: The cloud environment where the misconfigurations were found.
  • Total findings: The total number of identity and access misconfigurations found in a category at a given severity classification.

To navigate the findings on the pane, you can sort them by severity, finding category, or number of total findings by clicking the respective header. You can also modify the number of rows the pane displays (up to 200) and navigate between pages using the navigation arrows at the bottom of the table.

You can click a category title or its corresponding total findings number to inspect specific findings in more detail on the Security Command Center Findings page. For more information, see Inspect identity and access findings in detail.

The following components below the findings table help provide additional context to your identity and access findings:

  • The Sources label indicates the source that Security Command Center is ingesting data from to produce the findings. The identity and access findings can apply to both Google Cloud and AWS environments and can come from different detectors such as CIEM, IAM recommender, Security Health Analytics, and Event Threat Detection. Security Command Center only displays identity and access findings for AWS if you've connected an AWS instance and configured AWS log ingestion for CIEM.
  • The View all identity and access findings link lets you navigate to the Security Command Center Findings page to view all detected identity and access misconfigurations regardless of category or severity.
  • The Review access with Policy Analyzer for Google Cloud link provides quick access to the Policy Analyzer tool, which lets you see who has access to what Google Cloud resources based on your IAM allow policies.

View identity and access findings on the Findings page

The Identity and access findings pane offers multiple entry points to the Security Command Center Findings page to inspect identity and access findings in detail:

  • Click any finding name under Finding category or its total findings number under Total findings to automatically query for that particular finding category and severity rating.
  • Click View all identity and access findings to query all the findings in no particular order.

Security Command Center preselects certain quick filters that create a findings query specifically for identity and access misconfigurations. The quick filter options change based on whether you query one or all identity and access findings. You can edit these queries as necessary. The particular quick filter categories and options that are of interest for CIEM purposes include:

  • Category: Filters to query the results for specific finding categories that you want to learn more about. The quick filter options listed in this category change based on whether you query one or all identity and access findings.
  • Project ID: Filters to query the results for findings that relate to a specific project.
  • Resource type: Filters to query the results for findings that relate to a specific resource type.
  • Severity: Filters to query the results for findings of a specific severity.
  • Source display name: Filters to query the results for findings detected by a specific service, such as CIEM or Security Health Analytics.
  • Cloud provider: Filters to query the results for findings that come from a specific cloud platform.
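The summary table on the Risk Overview page and the quick filters described above are, in effect, a group-by over findings and a conjunction of equality filters. The following Python script is an added example (not Security Command Center code) that reproduces both over a small set of constructed finding records, for instance when working from an exported findings list. The field names used for the records (category, severity, cloud_provider, source_display_name, project_id, resource_type) are assumptions modelled on the console columns, not the Security Command Center API schema, and the resource type strings are placeholders.

```python
"""Summarize and filter identity and access findings (added example).

The records below are constructed for illustration. Field names are
assumptions modelled on the console columns, not the SCC API schema.
"""
from collections import Counter

# Sort order used by the pane: Critical first, Low last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample findings (not real data; resource types are placeholders).
FINDINGS = [
    {"category": "USER_HAS_EXCESSIVE_PERMISSIONS", "severity": "HIGH",
     "cloud_provider": "AWS", "source_display_name": "CIEM",
     "project_id": None, "resource_type": "aws-iam-user"},
    {"category": "USER_HAS_EXCESSIVE_PERMISSIONS", "severity": "HIGH",
     "cloud_provider": "AWS", "source_display_name": "CIEM",
     "project_id": None, "resource_type": "aws-iam-user"},
    {"category": "INACTIVE_USER", "severity": "LOW",
     "cloud_provider": "AWS", "source_display_name": "CIEM",
     "project_id": None, "resource_type": "aws-iam-user"},
    {"category": "PRIMITIVE_ROLES_USED", "severity": "MEDIUM",
     "cloud_provider": "Google Cloud", "source_display_name": "Security Health Analytics",
     "project_id": "example-project-1", "resource_type": "gcp-project"},
    {"category": "ADMIN_SERVICE_ACCOUNT", "severity": "CRITICAL",
     "cloud_provider": "Google Cloud", "source_display_name": "Security Health Analytics",
     "project_id": "example-project-1", "resource_type": "gcp-service-account"},
    {"category": "UNUSED_IAM_ROLE", "severity": "LOW",
     "cloud_provider": "Google Cloud", "source_display_name": "IAM recommender",
     "project_id": "example-project-2", "resource_type": "gcp-project"},
]

# The quick filter categories listed on the page, as record fields (assumed names).
QUICK_FILTER_FIELDS = ("category", "project_id", "resource_type", "severity",
                       "source_display_name", "cloud_provider")


def apply_quick_filters(findings, **filters):
    """Keep findings that match every given quick filter (field == value).

    Unknown filter names raise instead of silently matching nothing, so a
    typo in a filter cannot hide findings.
    """
    unknown = set(filters) - set(QUICK_FILTER_FIELDS)
    if unknown:
        raise ValueError(f"unsupported quick filter(s): {sorted(unknown)}")
    return [f for f in findings if all(f.get(k) == v for k, v in filters.items())]


def summarize(findings):
    """Build rows like the Identity and access findings pane.

    Each row is (severity, finding category, cloud provider, total findings),
    sorted by severity, then by total findings descending, then by category.
    """
    counts = Counter((f["severity"], f["category"], f["cloud_provider"]) for f in findings)
    rows = [{"severity": s, "category": c, "cloud_provider": p, "total_findings": n}
            for (s, c, p), n in counts.items()]
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], -r["total_findings"], r["category"]))
    return rows


if __name__ == "__main__":
    for row in summarize(FINDINGS):
        print(row)
    # Equivalent of selecting "Amazon Web Services" and "High" in the quick filters.
    print(len(apply_quick_filters(FINDINGS, cloud_provider="AWS", severity="HIGH")), "AWS High findings")
```

Sorting by severity rank rather than by the severity string matters: a lexical sort would put "CRITICAL" before "HIGH" but also "LOW" before "MEDIUM", which is not the order in which you want to remediate.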

The Findings query results panel consists of several columns that provide details about the finding. Among them, the following columns are of interest for CIEM purposes:

  • Severity: Displays the severity of a given finding to help you prioritize remediation.
  • Resource display name: Displays the resource where the finding was detected.
  • Source display name: Displays the service that detected the finding. Sources that produce identity-related findings include CIEM, IAM recommender, Security Health Analytics, and Event Threat Detection.
  • Cloud provider: Displays the cloud environment where the finding was detected, such as Google Cloud and AWS.
  • Offending access grants: Displays a link to review the principals who were potentially granted inappropriate roles.
  • Case ID: Displays the ID number of the case that is related to the finding.

For more information about working with findings, see Review and manage findings.

Investigate identity and access findings for different cloud platforms

Security Command Center lets you investigate identity and access misconfiguration findings for your AWS and Google Cloud environments on the Security Command Center Findings page.

Many different Security Command Center detection services, such as CIEM, IAM recommender, Security Health Analytics, and Event Threat Detection, generate CIEM-specific finding categories that detect potential identity and access security issues for your cloud platforms.

The Security Command Center CIEM detection service generates specific findings for your AWS environment, and the IAM recommender, Security Health Analytics, and Event Threat Detection detection services generate specific findings for your Google Cloud environment.

To view only findings detected by a specific service, select that service from the Source display name quick filters category. For example, if you want to view only findings detected by the CIEM detection service, select CIEM.

The following table describes all the findings that are considered part of Security Command Center's CIEM capabilities.

Cloud platform | Finding category | Description | Source
--- | --- | --- | ---
AWS | Assumed identity has excessive permissions (ASSUMED_IDENTITY_HAS_EXCESSIVE_PERMISSIONS) | Assumed IAM roles detected in your AWS environment with highly permissive policies. For more information, see CIEM findings. | CIEM
AWS | Group has excessive permissions (GROUP_HAS_EXCESSIVE_PERMISSIONS) | AWS IAM or AWS IAM Identity Center groups detected in your AWS environment with highly permissive policies. For more information, see CIEM findings. | CIEM
AWS | User has excessive permissions (USER_HAS_EXCESSIVE_PERMISSIONS) | AWS IAM or AWS IAM Identity Center users detected in your AWS environment with highly permissive policies. For more information, see CIEM findings. | CIEM
AWS | User is inactive (INACTIVE_USER) | Inactive AWS IAM or AWS IAM Identity Center users are detected in your AWS environment. For more information, see CIEM findings. | CIEM
AWS | Group is inactive (INACTIVE_GROUP) | AWS IAM or AWS IAM Identity Center groups detected in your AWS environment are not active. For more information, see CIEM findings. | CIEM
AWS | Assumed identity is inactive (INACTIVE_ASSUMED_IDENTITY) | Assumed IAM roles detected in your AWS environment are inactive. For more information, see CIEM findings. | CIEM
AWS | Overly permissive trust policy enforced on assumed identity (OVERLY_PERMISSIVE_TRUST_POLICY_ENFORCED_ON_ASSUMED_IDENTITY) | The trust policy enforced on an assumed IAM role is highly permissive. For more information, see CIEM findings. | CIEM
AWS | Assumed identity has lateral movement risk (ASSUMED_IDENTITY_HAS_LATERAL_MOVEMENT_RISK) | One or more identities can move laterally in your AWS environment through role impersonation. For more information, see CIEM findings. | CIEM
Google Cloud | MFA not enforced (MFA_NOT_ENFORCED) | There are users who aren't using 2-Step Verification. For more information, see Multi-factor authentication findings. | Security Health Analytics
Google Cloud | Custom role not monitored (CUSTOM_ROLE_NOT_MONITORED) | Log metrics and alerts aren't configured to monitor Custom Role changes. For more information, see Monitoring vulnerability findings. | Security Health Analytics
Google Cloud | KMS role separation (KMS_ROLE_SEPARATION) | Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. For more information, see IAM vulnerability findings. | Security Health Analytics
Google Cloud | Primitive roles used (PRIMITIVE_ROLES_USED) | A user has one of the following basic roles: Owner (roles/owner), Editor (roles/editor), or Viewer (roles/viewer). For more information, see IAM vulnerability findings. | Security Health Analytics
Google Cloud | Redis role used on org (REDIS_ROLE_USED_ON_ORG) | A Redis IAM role is assigned at the organization or folder level. For more information, see IAM vulnerability findings. | Security Health Analytics
Google Cloud | Service account role separation (SERVICE_ACCOUNT_ROLE_SEPARATION) | A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. For more information, see IAM vulnerability findings. | Security Health Analytics
Google Cloud | Non org IAM member (NON_ORG_IAM_MEMBER) | There is a user who isn't using organizational credentials. Per CIS Google Cloud Foundations 1.0, only identities with @gmail.com email addresses trigger this detector. For more information, see IAM vulnerability findings. | Security Health Analytics
Google Cloud | Open group IAM member (OPEN_GROUP_IAM_MEMBER) | A Google Groups account that can be joined without approval is used as an IAM allow policy principal. For more information, see IAM vulnerability findings. | Security Health Analytics
Google Cloud | Unused IAM role (UNUSED_IAM_ROLE) | IAM recommender detected a user account that has an IAM role that has not been used in the last 90 days. For more information, see IAM recommender findings. | IAM recommender
Google Cloud | IAM role has excessive permissions (IAM_ROLE_HAS_EXCESSIVE_PERMISSIONS) | IAM recommender detected a service account that has one or more IAM roles that give excessive permissions to the user account. For more information, see IAM recommender findings. | IAM recommender
Google Cloud | Service agent role replaced with basic role (SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE) | IAM recommender detected that the original default IAM role granted to a service agent was replaced with one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and shouldn't be granted to service agents. For more information, see IAM recommender findings. | IAM recommender
Google Cloud | Service agent granted basic role (SERVICE_AGENT_GRANTED_BASIC_ROLE) | IAM recommender detected that a service agent was granted one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and shouldn't be granted to service agents. For more information, see IAM recommender findings. | IAM recommender
Google Cloud | Admin service account (ADMIN_SERVICE_ACCOUNT) | A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts. For more information, see IAM vulnerability findings. | Security Health Analytics
Google Cloud | Default service account used (DEFAULT_SERVICE_ACCOUNT_USED) | An instance is configured to use the default service account. For more information, see Compute instance vulnerability findings. | Security Health Analytics
Google Cloud | Over privileged account (OVER_PRIVILEGED_ACCOUNT) | A service account has overly broad project access in a cluster. For more information, see Container vulnerability findings. | Security Health Analytics
Google Cloud | Over privileged service account user (OVER_PRIVILEGED_SERVICE_ACCOUNT_USER) | A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account. For more information, see IAM vulnerability findings. | Security Health Analytics
Google Cloud | Service account key not rotated (SERVICE_ACCOUNT_KEY_NOT_ROTATED) | A service account key hasn't been rotated for more than 90 days. For more information, see IAM vulnerability findings. | Security Health Analytics
Google Cloud | Over privileged scopes (OVER_PRIVILEGED_SCOPES) | A node service account has broad access scopes. For more information, see Container vulnerability findings. | Security Health Analytics
Google Cloud | KMS public key (KMS_PUBLIC_KEY) | A Cloud KMS cryptographic key is publicly accessible. For more information, see KMS vulnerability findings. | Security Health Analytics
Google Cloud | Public bucket ACL (PUBLIC_BUCKET_ACL) | A Cloud Storage bucket is publicly accessible. For more information, see Storage vulnerability findings. | Security Health Analytics
Google Cloud | Public log bucket (PUBLIC_LOG_BUCKET) | A storage bucket used as a log sink is publicly accessible. For more information, see Storage vulnerability findings. | Security Health Analytics
Google Cloud | User managed service account key (USER_MANAGED_SERVICE_ACCOUNT_KEY) | A user manages a service account key. For more information, see IAM vulnerability findings. | Security Health Analytics
Google Cloud | Too many KMS users (TOO_MANY_KMS_USERS) | There are more than three users of cryptographic keys. For more information, see KMS vulnerability findings. | Security Health Analytics
Google Cloud | KMS project has owner (KMS_PROJECT_HAS_OWNER) | A user has Owner permissions on a project that has cryptographic keys. For more information, see KMS vulnerability findings. | Security Health Analytics
Google Cloud | Owner not monitored (OWNER_NOT_MONITORED) | Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. For more information, see Monitoring vulnerability findings. | Security Health Analytics
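Several of the Google Cloud categories in the table are pure IAM allow policy conditions, which makes them useful to understand by reproducing them locally against a policy you already hold. The script below is an added example, not Security Health Analytics code: it reads a project-level IAM allow policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns (a `bindings` list of `{"role", "members"}`) and flags bindings matching the PRIMITIVE_ROLES_USED, SERVICE_ACCOUNT_ROLE_SEPARATION, OVER_PRIVILEGED_SERVICE_ACCOUNT_USER, NON_ORG_IAM_MEMBER and ADMIN_SERVICE_ACCOUNT descriptions from the table. The sample policy is constructed; the "Admin" test for ADMIN_SERVICE_ACCOUNT (any role whose name ends in `Admin`, plus Owner and Editor) and treating every `serviceAccount:` member as user-created are simplifications, and the real detectors may apply additional conditions not stated on this page.

```python
"""Local checks mirroring several IAM finding categories (added example).

Input: a project IAM allow policy as JSON from
`gcloud projects get-iam-policy PROJECT --format=json`.
The sample policy and the exact matching rules are constructed
approximations of the finding descriptions, not the detectors' code.
"""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
SA_ADMIN_ROLE = "roles/iam.serviceAccountAdmin"
SA_USER_ROLE = "roles/iam.serviceAccountUser"
SA_IMPERSONATION_ROLES = {"roles/iam.serviceAccountUser",
                          "roles/iam.serviceAccountTokenCreator"}

# Constructed sample policy (not a real project).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["user:bob@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:bob@example.com", "user:carol@gmail.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    ]
}


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def is_admin_like(role):
    # Simplification (assumption): Owner, Editor, or a role named ...Admin.
    return role in {"roles/owner", "roles/editor"} or role.endswith("Admin")


def check_policy(policy):
    """Return a sorted list of (finding category, member) tuples.

    Because the input is the project-level policy, any Service Account User
    or Token Creator binding here is by definition granted at project level
    rather than on a specific service account.
    """
    results = []
    for member, roles in sorted(roles_by_member(policy).items()):
        if roles & BASIC_ROLES:
            results.append(("PRIMITIVE_ROLES_USED", member))
        if SA_ADMIN_ROLE in roles and SA_USER_ROLE in roles:
            results.append(("SERVICE_ACCOUNT_ROLE_SEPARATION", member))
        if roles & SA_IMPERSONATION_ROLES:
            results.append(("OVER_PRIVILEGED_SERVICE_ACCOUNT_USER", member))
        if member.startswith("user:") and member.lower().endswith("@gmail.com"):
            results.append(("NON_ORG_IAM_MEMBER", member))
        if member.startswith("serviceAccount:") and any(is_admin_like(r) for r in roles):
            results.append(("ADMIN_SERVICE_ACCOUNT", member))
    return results


if __name__ == "__main__":
    import json
    import sys
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for category, member in check_policy(policy):
        print(f"{category}\t{member}")
```

Run it with no arguments to see the sample output, or pass a path to a policy JSON you exported yourself. Note that the role separation check is per member: Service Account Admin and Service Account User held by two different people is the intended state, and only one principal holding both is flagged.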

Filter identity and access findings by cloud platform

From the Findings query results pane, you can tell what finding relates to a given cloud platform by inspecting the contents of the Cloud provider, Resource display name, or Resource type columns.

The Finding query results display identity and access findings for both Google Cloud and AWS environments by default. To edit the default finding query results to display only findings for a particular cloud platform, select Amazon Web Services or Google Cloud platform from the Cloud provider quick filters category.

Inspect identity and access findings in detail

To learn more about an identity and access finding, open the detailed view of the finding by clicking the finding name in the Category column in the Findings query results panel. For more information on the finding detail view, see View the details of a finding.

The following sections on the Summary tab of the detail view are helpful for investigating identity and access findings.

Offending access grants

On the Summary tab of the details pane of a finding, the Offending access grants row provides a way to quickly inspect principals, including federated identities, and their access to your resources. This information only appears for findings when IAM recommender detects principals on Google Cloud resources with highly permissive, basic, and unused roles.

Click Review offending access grants to open the Review offending access grants pane, which contains the following information:

  • The name of the principal. The principals displayed in this column can be a mix of Google Cloud user accounts, groups, federated identities, and service accounts.
  • The name of the role granted to the principal.
  • The recommended action you can take to remediate the offending access.

Case information

On the Summary tab of the details page of a finding, the Case information section displays when there is a case or ticket that corresponds with a particular finding. Cases and tickets are automatically created for findings with a Critical or High severity classification.

The Case information section provides a way to track the remediation efforts for a particular finding. It provides details about the corresponding case, such as a link to the case, a link to the corresponding ticket in your ticketing system (Jira or ServiceNow), the assignee, the case status, and the case priority.

  • To access the case corresponding with the finding, click the case ID number in the Case ID row.

  • To access the Jira or ServiceNow ticket corresponding with the finding, click the ticket ID number in the Ticket ID row.

To connect your ticketing systems with Security Command Center Enterprise, see Integrate Security Command Center Enterprise with ticketing systems.

For more information on reviewing corresponding cases, see Review identity and access finding cases.

Next steps

On the Summary tab of the details page of a finding, the Next steps section provides step-by-step guidance on how to immediately remediate the issue detected. These recommendations are tailored to the specific finding you are viewing.

What's next