Vulnerability findings

Security Health Analytics and Web Security Scanner detectors generate vulnerability findings that are available in Security Command Center. When they are enabled in Security Command Center, integrated services, like VM Manager, also generate vulnerability findings.

Your ability to view and edit findings is determined by the Identity and Access Management (IAM) roles and permissions you are assigned. For more information about IAM roles in Security Command Center, see Access control.

Detectors and compliance

Security Command Center monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.

For each supported security standard, Security Command Center checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.

CIS reviews and certifies the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Command Center adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.

With the security posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.

For more information about managing compliance, see Assess and report compliance with security standards.

Supported security standards

Google Cloud

Security Command Center maps detectors for Google Cloud to one or more of the following compliance standards:

AWS

Security Command Center maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards:

For instructions on viewing and exporting compliance reports, see the Compliance section in Using Security Command Center in the Google Cloud console.

Finding deactivation after remediation

After you remediate a vulnerability or misconfiguration finding, the Security Command Center service that detected the finding automatically sets the state of the finding to INACTIVE the next time the detection service scans for the finding. How long Security Command Center takes to set a remediated finding to INACTIVE depends on the schedule of the scan that detects the finding.

The Security Command Center services also set the state of a vulnerability or misconfiguration finding to INACTIVE when a scan detects that the resource that is affected by the finding is deleted.

For more information about scan intervals, see the following topics:

Security Health Analytics findings

Security Health Analytics detectors monitor a subset of resources from Cloud Asset Inventory (CAI), receiving notifications of resource and Identity and Access Management (IAM) policy changes. Some detectors retrieve data by directly calling Google Cloud APIs, as indicated in tables later on this page.

For more information about Security Health Analytics, scan schedules, and the Security Health Analytics support for both built-in and custom module detectors, see Overview of Security Health Analytics.

The following tables describe Security Health Analytics detectors, the assets and compliance standards they support, the settings they use for scans, and the finding types they generate. You can filter findings by various attributes by using the Security Command Center Vulnerabilities page in the Google Cloud console.

For instructions on fixing issues and protecting your resources, see Remediating Security Health Analytics findings.

API key vulnerability findings

The API_KEY_SCANNER detector identifies vulnerabilities related to API keys used in your cloud deployment.

Detector Summary Asset scan settings
API key APIs unrestricted

Category name in the API: API_KEY_APIS_UNRESTRICTED

Finding description: There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.12
  • CIS GCP Foundation 1.1: 1.14
  • CIS GCP Foundation 1.2: 1.14
  • CIS GCP Foundation 1.3: 1.14
  • CIS GCP Foundation 2.0: 1.14
  • CIS GCP Foundation 3.0: 1.14
  • NIST 800-53 R5: PL-8, SA-8
  • PCI-DSS v4.0: 2.2.2, 6.2.1
  • ISO-27001 v2022: A.8.27
  • Cloud Controls Matrix 4: DSP-07
  • NIST Cybersecurity Framework 1.0: PR-IP-2
  • CIS Controls 8.0: 16.10

Retrieves the restrictions property of all API keys in a project, checking whether any API target is set to cloudapis.googleapis.com, which allows the key to be used with any Google API.

  • Real-time scans: No
API key apps unrestricted

Category name in the API: API_KEY_APPS_UNRESTRICTED

Finding description: There are API keys being used in an unrestricted way, allowing use by any untrusted app.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.11
  • CIS GCP Foundation 1.1: 1.13
  • CIS GCP Foundation 1.2: 1.13
  • CIS GCP Foundation 1.3: 1.13
  • CIS GCP Foundation 2.0: 1.13
  • CIS GCP Foundation 3.0: 1.13

Retrieves the restrictions property of all API keys in a project, checking whether browserKeyRestrictions, serverKeyRestrictions, androidKeyRestrictions, or iosKeyRestrictions is set.

  • Real-time scans: No
API key exists

Category name in the API: API_KEY_EXISTS

Finding description: A project is using API keys instead of standard authentication.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.10
  • CIS GCP Foundation 1.1: 1.12
  • CIS GCP Foundation 1.2: 1.12
  • CIS GCP Foundation 1.3: 1.12
  • CIS GCP Foundation 2.0: 1.12
  • CIS GCP Foundation 3.0: 1.12
  • NIST 800-53 R5: PL-8, SA-8
  • PCI-DSS v4.0: 2.2.2, 6.2.1
  • ISO-27001 v2022: A.8.27
  • Cloud Controls Matrix 4: DSP-07
  • NIST Cybersecurity Framework 1.0: PR-IP-2
  • CIS Controls 8.0: 16.10

Retrieves all API keys owned by a project.

  • Real-time scans: No
API key not rotated

Category name in the API: API_KEY_NOT_ROTATED

Finding description: The API key hasn't been rotated for more than 90 days.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.13
  • CIS GCP Foundation 1.1: 1.15
  • CIS GCP Foundation 1.2: 1.15
  • CIS GCP Foundation 1.3: 1.15
  • CIS GCP Foundation 2.0: 1.15
  • CIS GCP Foundation 3.0: 1.15
  • NIST 800-53 R5: PL-8, SA-8
  • PCI-DSS v4.0: 2.2.2, 6.2.1
  • ISO-27001 v2022: A.8.27
  • Cloud Controls Matrix 4: DSP-07
  • NIST Cybersecurity Framework 1.0: PR-IP-2
  • CIS Controls 8.0: 16.10

Retrieves the timestamp contained in the createTime property of all API keys, checking whether 90 days have passed.

  • Real-time scans: No
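The following Python script is an added example; it is not part of the Security Command Center documentation or of the detectors themselves. It re-creates the four API key checks above as offline logic over API key JSON in the shape of the API Keys API v2 Key resource (name, createTime, restrictions), for example as returned by gcloud services api-keys list --format=json. The sample keys, the project number and the "now" timestamp are constructed for the example, and treating a key with no apiTargets at all as API-unrestricted is an assumption added here beyond what the page describes.

```python
"""Offline re-implementation of the four API_KEY_SCANNER checks.

Input is a list of API keys in the shape of the API Keys API v2 `Key`
resource (name, createTime, restrictions). The keys below are constructed
for this example and are not real keys.
"""
from datetime import datetime, timedelta, timezone

ROTATION_MAX_AGE = timedelta(days=90)
# An apiTargets entry for cloudapis.googleapis.com means "any Google API".
UNRESTRICTED_API_TARGET = "cloudapis.googleapis.com"
APP_RESTRICTION_FIELDS = (
    "browserKeyRestrictions",
    "serverKeyRestrictions",
    "androidKeyRestrictions",
    "iosKeyRestrictions",
)


def parse_rfc3339(ts: str) -> datetime:
    """Parse an RFC 3339 createTime such as 2024-01-31T08:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def apis_unrestricted(key: dict) -> bool:
    """API_KEY_APIS_UNRESTRICTED. The page checks for cloudapis.googleapis.com;
    this example also treats a key with no apiTargets at all as unrestricted
    (assumption), because such a key is accepted by every API."""
    targets = key.get("restrictions", {}).get("apiTargets", [])
    if not targets:
        return True
    return any(t.get("service") == UNRESTRICTED_API_TARGET for t in targets)


def apps_unrestricted(key: dict) -> bool:
    """API_KEY_APPS_UNRESTRICTED: none of the four application restriction
    types (HTTP referrer, IP address, Android app, iOS app) is set."""
    restrictions = key.get("restrictions", {})
    return not any(field in restrictions for field in APP_RESTRICTION_FIELDS)


def not_rotated(key: dict, now: datetime) -> bool:
    """API_KEY_NOT_ROTATED: createTime is more than 90 days before `now`."""
    return now - parse_rfc3339(key["createTime"]) > ROTATION_MAX_AGE


def scan_project_keys(keys: list, now: datetime) -> dict:
    """Return {category: [key names]} for every finding the checks raise.
    API_KEY_EXISTS applies to the project as soon as it owns any key."""
    findings = {}
    if keys:
        findings["API_KEY_EXISTS"] = [k["name"] for k in keys]
    checks = (
        ("API_KEY_APIS_UNRESTRICTED", apis_unrestricted),
        ("API_KEY_APPS_UNRESTRICTED", apps_unrestricted),
        ("API_KEY_NOT_ROTATED", lambda k: not_rotated(k, now)),
    )
    for key in keys:
        for category, applies in checks:
            if applies(key):
                findings.setdefault(category, []).append(key["name"])
    return findings


# Constructed sample: one key left wide open and stale, one scoped and fresh.
SAMPLE_KEYS = [
    {
        "name": "projects/111/locations/global/keys/legacy-web",
        "createTime": "2023-09-01T00:00:00Z",
        "restrictions": {"apiTargets": [{"service": "cloudapis.googleapis.com"}]},
    },
    {
        "name": "projects/111/locations/global/keys/maps-only",
        "createTime": "2024-02-10T12:00:00Z",
        "restrictions": {
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
        },
    },
]
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for category, names in scan_project_keys(SAMPLE_KEYS, SAMPLE_NOW).items():
        print(category, names)
```

Note that API_KEY_EXISTS fires for every key, including the well-scoped one: the control asks you to replace API keys with standard authentication, not merely to restrict them. The other three categories narrow down to the legacy key only.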

Cloud Asset Inventory vulnerability findings

Vulnerabilities of this detector type all relate to Cloud Asset Inventory configurations and belong to the CLOUD_ASSET_SCANNER type.

Detector Summary Asset scan settings
Cloud Asset API disabled

Category name in the API: CLOUD_ASSET_API_DISABLED

Finding description: The capturing of Google Cloud resources and IAM policies by Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing. We recommend that Cloud Asset Inventory service be enabled for all projects. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
pubsub.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.3: 2.13
  • CIS GCP Foundation 2.0: 2.13
  • CIS GCP Foundation 3.0: 2.13
  • NIST 800-53 R5: CM-8, PM-5
  • PCI-DSS v4.0: 11.2.1, 11.2.2, 12.5.1, 9.5.1, 9.5.1.1
  • ISO-27001 v2022: A.5.9, A.8.8
  • Cloud Controls Matrix 4: UEM-04
  • NIST Cybersecurity Framework 1.0: ID-AM-1, PR-DS-3
  • SOC2 v2017: CC3.2.6, CC6.1.1
  • HIPAA: 164.310(d)(2)(iii)
  • CIS Controls 8.0: 1.1, 6.6

Checks if the Cloud Asset Inventory service is enabled.

  • Real-time scans: Yes

Compute image vulnerability findings

The COMPUTE_IMAGE_SCANNER detector identifies vulnerabilities related to Google Cloud image configurations.

Detector Summary Asset scan settings
Public Compute image

Category name in the API: PUBLIC_COMPUTE_IMAGE

Finding description: A Compute Engine image is publicly accessible.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Image

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the IAM allow policy in resource metadata for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Real-time scans: Yes

Compute instance vulnerability findings

The COMPUTE_INSTANCE_SCANNER detector identifies vulnerabilities related to Compute Engine instance configurations.

COMPUTE_INSTANCE_SCANNER detectors don't report findings on Compute Engine instances created by GKE. Such instances have names that start with "gke-", which users cannot edit. To secure these instances, refer to the Container vulnerability findings section.

Detector Summary Asset scan settings
Confidential Computing disabled

Category name in the API: CONFIDENTIAL_COMPUTING_DISABLED

Finding description: Confidential Computing is disabled on a Compute Engine instance.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 4.11
  • CIS GCP Foundation 1.3: 4.11
  • CIS GCP Foundation 2.0: 4.11
  • CIS GCP Foundation 3.0: 4.11
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks the confidentialInstanceConfig property of instance metadata for the key-value pair "enableConfidentialCompute":true.

  • Assets excluded from scans:
    • GKE instances
    • Serverless VPC Access
    • Instances related to Dataflow jobs
    • Compute Engine instances that are not of type N2D
  • Real-time scans: Yes
Compute project wide SSH keys allowed

Category name in the API: COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED

Finding description: Project-wide SSH keys are used, allowing login to all instances in the project.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.2
  • CIS GCP Foundation 1.1: 4.3
  • CIS GCP Foundation 1.2: 4.3
  • CIS GCP Foundation 1.3: 4.3
  • CIS GCP Foundation 2.0: 4.3
  • CIS GCP Foundation 3.0: 4.3
  • NIST 800-53 R5: AC-17, IA-5, SC-8
  • PCI-DSS v4.0: 2.2.7, 4.1.1, 4.2.1, 4.2.1.2, 4.2.2, 8.3.2
  • ISO-27001 v2022: A.5.14
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-2
  • SOC2 v2017: CC6.1.11, CC6.1.3, CC6.1.8, CC6.7.2
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.10, 5.2

Checks the metadata.items[] object in instance metadata for the key-value pair "key": "block-project-ssh-keys", "value": TRUE.

  • Assets excluded from scans: GKE instances, Dataflow job, Windows instance
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Real-time scans: No
Compute Secure Boot disabled

Category name in the API: COMPUTE_SECURE_BOOT_DISABLED

Finding description: This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the shieldedInstanceConfig property on Compute Engine instances to determine if enableSecureBoot is set to true. This detector checks whether attached disks are compatible with Secure Boot and Secure Boot is enabled.

  • Assets excluded from scans: GKE instances, Compute Engine disks that have GPU accelerators and don't use Container-Optimized OS, Serverless VPC Access
  • Real-time scans: Yes
Compute serial ports enabled

Category name in the API: COMPUTE_SERIAL_PORTS_ENABLED

Finding description: Serial ports are enabled for an instance, allowing connections to the instance's serial console.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.4
  • CIS GCP Foundation 1.1: 4.5
  • CIS GCP Foundation 1.2: 4.5
  • CIS GCP Foundation 1.3: 4.5
  • CIS GCP Foundation 2.0: 4.5
  • CIS GCP Foundation 3.0: 4.5
  • NIST 800-53 R5: CM-6, CM-7
  • PCI-DSS v4.0: 1.2.5, 2.2.4, 6.4.1
  • ISO-27001 v2022: A.8.9
  • SOC2 v2017: CC6.6.1, CC6.6.3, CC6.6.4
  • CIS Controls 8.0: 4.8

Checks the metadata.items[] object in instance metadata for the key-value pair "key": "serial-port-enable", "value": TRUE.

  • Assets excluded from scans: GKE instances
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Real-time scans: Yes
Default service account used

Category name in the API: DEFAULT_SERVICE_ACCOUNT_USED

Finding description: An instance is configured to use the default service account.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 4.1
  • CIS GCP Foundation 1.2: 4.1
  • CIS GCP Foundation 1.3: 4.1
  • CIS GCP Foundation 2.0: 4.1
  • CIS GCP Foundation 3.0: 4.1
  • NIST 800-53 R5: IA-5
  • PCI-DSS v4.0: 2.2.2, 2.3.1
  • ISO-27001 v2022: A.8.2, A.8.9
  • NIST Cybersecurity Framework 1.0: PR-AC-1
  • SOC2 v2017: CC6.3.1, CC6.3.2, CC6.3.3
  • CIS Controls 8.0: 4.7

Checks the serviceAccounts property in instance metadata for any service account email address of the form PROJECT_NUMBER-compute@developer.gserviceaccount.com, which identifies the Google-created default Compute Engine service account.

  • Assets excluded from scans: GKE instances, Dataflow jobs
  • Real-time scans: Yes
Disk CMEK disabled

Category name in the API: DISK_CMEK_DISABLED

Finding description: Disks on this VM are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Disk

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the kmsKeyName field in the diskEncryptionKey object, in disk metadata, for the resource name of your CMEK.

  • Assets excluded from scans: Disks related to Cloud Composer environments, Dataflow jobs, and GKE instances
  • Real-time scans: Yes
Disk CSEK disabled

Category name in the API: DISK_CSEK_DISABLED

Finding description: Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Disk

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.6
  • CIS GCP Foundation 1.1: 4.7
  • CIS GCP Foundation 1.2: 4.7
  • CIS GCP Foundation 1.3: 4.7
  • CIS GCP Foundation 2.0: 4.7
  • CIS GCP Foundation 3.0: 4.7
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks the kmsKeyName field in the diskEncryptionKey object for the resource name of your CSEK.

  • Assets excluded from scans:
    Compute Engine disks without the enforce_customer_supplied_disk_encryption_keys security mark set to true
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine
  • Real-time scans: Yes
Full API access

Category name in the API: FULL_API_ACCESS

Finding description: An instance is configured to use the default service account with full access to all Google Cloud APIs.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.1
  • CIS GCP Foundation 1.1: 4.2
  • CIS GCP Foundation 1.2: 4.2
  • CIS GCP Foundation 1.3: 4.2
  • CIS GCP Foundation 2.0: 4.2
  • CIS GCP Foundation 3.0: 4.2
  • NIST 800-53 R4: AC-6
  • NIST 800-53 R5: IA-5
  • PCI-DSS v3.2.1: 7.1.2
  • PCI-DSS v4.0: 2.2.2, 2.3.1
  • ISO-27001 v2013: A.9.2.3
  • ISO-27001 v2022: A.8.2, A.8.9
  • NIST Cybersecurity Framework 1.0: PR-AC-1
  • SOC2 v2017: CC6.3.1, CC6.3.2, CC6.3.3
  • CIS Controls 8.0: 4.7

Retrieves the scopes field in the serviceAccounts property to check whether a default service account is used and if it is assigned the cloud-platform scope.

  • Assets excluded from scans: GKE instances, Dataflow jobs
  • Real-time scans: Yes
HTTP load balancer

Category name in the API: HTTP_LOAD_BALANCER

Finding description: An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/TargetHttpProxy

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 2.3

Determines if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.

  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads forwarding rules for a target HTTP proxy from Compute Engine, checking for external rules
  • Real-time scans: Yes
Instance OS Login disabled

Category name in the API: INSTANCE_OS_LOGIN_DISABLED

Finding description: OS Login is disabled on this instance.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.3
  • CIS GCP Foundation 1.1: 4.4
  • CIS GCP Foundation 1.2: 4.4
  • CIS GCP Foundation 1.3: 4.4
  • CIS GCP Foundation 2.0: 4.4
  • NIST 800-53 R5: AC-2
  • ISO-27001 v2022: A.5.15
  • SOC2 v2017: CC6.1.4, CC6.1.6, CC6.1.8, CC6.1.9
  • CIS Controls 8.0: 5.6, 6.7

Checks whether the enable-oslogin property from the Custom metadata of the instance is set to TRUE.

  • Assets excluded from scans: GKE instances, instances related to Dataflow jobs, Serverless VPC Access
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine.
  • Real-time scans: No
IP forwarding enabled

Category name in the API: IP_FORWARDING_ENABLED

Finding description: IP forwarding is enabled on instances.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.5
  • CIS GCP Foundation 1.1: 4.6
  • CIS GCP Foundation 1.2: 4.6
  • CIS GCP Foundation 1.3: 4.6
  • CIS GCP Foundation 2.0: 4.6
  • CIS GCP Foundation 3.0: 4.6
  • NIST 800-53 R5: CA-9, SC-7
  • PCI-DSS v4.0: 1.2.1, 1.4.1
  • SOC2 v2017: CC6.6.1, CC6.6.4
  • CIS Controls 8.0: 4.4, 4.5

Checks whether the canIpForward property of the instance is set to true.

  • Assets excluded from scans: GKE instances, Serverless VPC Access
  • Real-time scans: Yes
OS login disabled

Category name in the API: OS_LOGIN_DISABLED

Finding description: OS Login is disabled on this instance.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 4.3
  • CIS GCP Foundation 1.1: 4.4
  • CIS GCP Foundation 1.2: 4.4
  • CIS GCP Foundation 1.3: 4.4
  • CIS GCP Foundation 2.0: 4.4
  • NIST 800-53 R5: AC-2
  • ISO-27001 v2022: A.5.15
  • SOC2 v2017: CC6.1.4, CC6.1.6, CC6.1.8, CC6.1.9
  • CIS Controls 8.0: 5.6, 6.7

Checks the commonInstanceMetadata.items[] object in project metadata for the key-value pair, "key": "enable-oslogin", "value": TRUE. The detector also checks all instances in a Compute Engine project to determine whether OS Login is disabled for individual instances.

  • Assets excluded from scans: GKE instances, instances related to Dataflow jobs
  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads metadata from Compute Engine. The detector also examines Compute Engine instances in the project
  • Real-time scans: No
Public IP address

Category name in the API: PUBLIC_IP_ADDRESS

Finding description: An instance has a public IP address.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 4.9
  • CIS GCP Foundation 1.2: 4.9
  • CIS GCP Foundation 1.3: 4.9
  • CIS GCP Foundation 2.0: 4.9
  • CIS GCP Foundation 3.0: 4.9
  • NIST 800-53 R4: CA-3, SC-7
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 1.2.1
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks whether the networkInterfaces property contains an accessConfigs field, indicating it is configured to use a public IP address.

  • Assets excluded from scans: GKE instances, instances related to Dataflow jobs
  • Real-time scans: Yes
Shielded VM disabled

Category name in the API: SHIELDED_VM_DISABLED

Finding description: Shielded VM is disabled on this instance.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 4.8
  • CIS GCP Foundation 1.2: 4.8
  • CIS GCP Foundation 1.3: 4.8
  • CIS GCP Foundation 2.0: 4.8
  • CIS GCP Foundation 3.0: 4.8

Checks the shieldedInstanceConfig property in Compute Engine instances to determine if the enableIntegrityMonitoring and enableVtpm fields are set to true. The fields indicate whether Shielded VM is turned on.

  • Assets excluded from scans: GKE instances and Serverless VPC Access
  • Real-time scans: Yes
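The following Python script is an added example and is not code from the Security Command Center documentation or from the detectors it describes. It evaluates the instance-level checks above (Confidential Computing, project-wide SSH keys, Secure Boot, serial ports, default service account, full API access, instance OS Login, IP forwarding, public IP, Shielded VM) against one Compute Engine instance in the JSON shape of compute.instances.get, for example from gcloud compute instances describe NAME --format=json. Of the exclusions listed on the page only the GKE one (names starting with gke-) and the N2D restriction for Confidential Computing are modeled; the two sample instances, their names, project number and addresses are constructed, and treating an absent enable-oslogin key as inherited from the project is an assumption made here.

```python
"""Offline re-implementation of the COMPUTE_INSTANCE_SCANNER checks above.

Input is one Compute Engine instance in the JSON shape returned by
compute.instances.get (the shape Cloud Asset Inventory stores under
resource.data). The instances below are constructed for this example.
"""
import re

DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def metadata_item(instance: dict, key: str):
    """Return the value of a metadata.items[] entry, or None if it is absent."""
    for item in instance.get("metadata", {}).get("items", []):
        if item.get("key") == key:
            return item.get("value")
    return None


def is_true(value) -> bool:
    """Metadata values are strings; Compute Engine accepts TRUE, true or 1."""
    return str(value).strip().lower() in ("true", "1")


def scan_instance(instance: dict) -> list:
    """Return the finding categories that apply, in the page's detector order."""
    # Instances created by GKE (names starting with gke-) are out of scope.
    if instance.get("name", "").startswith("gke-"):
        return []
    shielded = instance.get("shieldedInstanceConfig", {})
    sas = instance.get("serviceAccounts", [])
    findings = []

    # Confidential VMs exist only on N2D machine types, so others are excluded.
    confidential = instance.get("confidentialInstanceConfig", {})
    if "/n2d-" in instance.get("machineType", "") and not confidential.get(
            "enableConfidentialCompute"):
        findings.append("CONFIDENTIAL_COMPUTING_DISABLED")
    if not is_true(metadata_item(instance, "block-project-ssh-keys")):
        findings.append("COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED")
    if not shielded.get("enableSecureBoot"):
        findings.append("COMPUTE_SECURE_BOOT_DISABLED")
    if is_true(metadata_item(instance, "serial-port-enable")):
        findings.append("COMPUTE_SERIAL_PORTS_ENABLED")
    if any(DEFAULT_SA_RE.match(sa.get("email", "")) for sa in sas):
        findings.append("DEFAULT_SERVICE_ACCOUNT_USED")
        # FULL_API_ACCESS is the default account combined with cloud-platform.
        if any(CLOUD_PLATFORM_SCOPE in sa.get("scopes", []) for sa in sas):
            findings.append("FULL_API_ACCESS")
    # Assumption: an absent enable-oslogin key inherits the project setting, so
    # only an explicit non-true value is reported at instance level.
    oslogin = metadata_item(instance, "enable-oslogin")
    if oslogin is not None and not is_true(oslogin):
        findings.append("INSTANCE_OS_LOGIN_DISABLED")
    if instance.get("canIpForward"):
        findings.append("IP_FORWARDING_ENABLED")
    if any(nic.get("accessConfigs") for nic in instance.get("networkInterfaces", [])):
        findings.append("PUBLIC_IP_ADDRESS")
    if not (shielded.get("enableVtpm") and shielded.get("enableIntegrityMonitoring")):
        findings.append("SHIELDED_VM_DISABLED")
    return findings


# Constructed sample 1: a VM with every default left in place.
LEGACY_INSTANCE = {
    "name": "legacy-bastion",
    "machineType": "zones/us-central1-a/machineTypes/n2d-standard-2",
    "canIpForward": True,
    "metadata": {"items": [{"key": "serial-port-enable", "value": "TRUE"},
                           {"key": "enable-oslogin", "value": "FALSE"}]},
    "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                         "scopes": [CLOUD_PLATFORM_SCOPE]}],
    "networkInterfaces": [{"network": "global/networks/default",
                           "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}],
    "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True,
                               "enableIntegrityMonitoring": False},
}

# Constructed sample 2: the same VM after remediation.
HARDENED_INSTANCE = {
    "name": "app-0",
    "machineType": "zones/us-central1-a/machineTypes/n2d-standard-2",
    "canIpForward": False,
    "confidentialInstanceConfig": {"enableConfidentialCompute": True},
    "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"},
                           {"key": "enable-oslogin", "value": "TRUE"}]},
    "serviceAccounts": [{"email": "app-runtime@my-project.iam.gserviceaccount.com",
                         "scopes": ["https://www.googleapis.com/auth/logging.write"]}],
    "networkInterfaces": [{"network": "global/networks/prod"}],
    "shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True,
                               "enableIntegrityMonitoring": True},
}

if __name__ == "__main__":
    print(scan_instance(LEGACY_INSTANCE))
    print(scan_instance(HARDENED_INSTANCE))
```

The legacy instance raises all ten categories and the hardened one raises none; a third input named gke-… returns nothing regardless of its settings, which is the exclusion the page describes for instances created by GKE.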
Weak SSL policy

Category name in the API: WEAK_SSL_POLICY

Finding description: An instance has a weak SSL policy.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetSslProxy

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 3.9
  • CIS GCP Foundation 1.2: 3.9
  • CIS GCP Foundation 1.3: 3.9
  • CIS GCP Foundation 2.0: 3.9
  • CIS GCP Foundation 3.0: 3.9
  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 4.1
  • ISO-27001 v2013: A.14.1.3

Checks whether sslPolicy in asset metadata is empty or is using the Google Cloud default policy. For the attached sslPolicies resource, checks whether profile is set to Restricted or Modern, minTlsVersion is set to TLS 1.2, and customFeatures is empty or does not contain any of the following ciphers: TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA.

  • Additional IAM permissions: roles/compute.Viewer
  • Additional inputs: Reads SSL policies for target proxies storage, checking for weak policies
  • Real-time scans: Yes, but only when the TargetHttpsProxy or the TargetSslProxy is updated, not when the SSL policy gets updated
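The following Python script is an added example, not code from the documentation or the detector. It applies the Weak SSL policy logic above to target proxies (JSON as returned by gcloud compute target-https-proxies describe or target-ssl-proxies describe) and to the project's SSL policies (gcloud compute ssl-policies list --format=json) keyed by name. The project name, proxy names and policies are constructed; reporting a dangling sslPolicy reference as a separate reason is an assumption added here.

```python
"""Offline re-implementation of the WEAK_SSL_POLICY check.

Input is a target HTTPS/SSL proxy (compute.targetHttpsProxies.get or
compute.targetSslProxies.get JSON) and the project's SSL policies
(compute.sslPolicies.list JSON) keyed by policy name. The proxies and
policies below are constructed for this example.
"""

# The RSA key-exchange and 3DES suites the page lists as weak.
WEAK_CIPHERS = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
STRONG_PROFILES = {"MODERN", "RESTRICTED"}


def weak_ssl_policy(proxy: dict, policies: dict) -> list:
    """Return the reasons the proxy's TLS configuration is weak (empty = OK).

    Reasons are short codes: DEFAULT_POLICY, UNKNOWN_POLICY,
    MIN_TLS_BELOW_1_2, WEAK_PROFILE:<profile>, WEAK_CIPHER:<suite>.
    """
    ref = proxy.get("sslPolicy")
    if not ref:
        # No policy attached: the Google Cloud default policy applies, which
        # the page treats as weak.
        return ["DEFAULT_POLICY"]
    policy = policies.get(ref.rsplit("/", 1)[-1])
    if policy is None:
        return ["UNKNOWN_POLICY"]  # assumption: a dangling reference is reported
    reasons = []
    if policy.get("minTlsVersion") != "TLS_1_2":
        reasons.append("MIN_TLS_BELOW_1_2")
    profile = policy.get("profile")
    if profile == "CUSTOM":
        # A CUSTOM profile is judged on the cipher suites it enables.
        for suite in sorted(WEAK_CIPHERS & set(policy.get("customFeatures", []))):
            reasons.append("WEAK_CIPHER:" + suite)
    elif profile not in STRONG_PROFILES:
        reasons.append(f"WEAK_PROFILE:{profile}")
    return reasons


def scan_proxies(proxies: list, policies: dict) -> dict:
    """Return {proxy name: reasons} for proxies that raise WEAK_SSL_POLICY."""
    result = {}
    for proxy in proxies:
        reasons = weak_ssl_policy(proxy, policies)
        if reasons:
            result[proxy["name"]] = reasons
    return result


POLICY_PREFIX = "https://www.googleapis.com/compute/v1/projects/my-project/global/sslPolicies/"
SAMPLE_POLICIES = {
    "compat-tls10": {"profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"},
    "custom-3des": {"profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
                    "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                       "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},
    "modern-tls12": {"profile": "MODERN", "minTlsVersion": "TLS_1_2"},
}
SAMPLE_PROXIES = [
    {"name": "www-https", "sslPolicy": POLICY_PREFIX + "compat-tls10"},
    {"name": "api-https", "sslPolicy": POLICY_PREFIX + "custom-3des"},
    {"name": "admin-https", "sslPolicy": POLICY_PREFIX + "modern-tls12"},
    {"name": "legacy-ssl-proxy"},  # nothing attached at all
]

if __name__ == "__main__":
    for name, reasons in scan_proxies(SAMPLE_PROXIES, SAMPLE_POLICIES).items():
        print(name, reasons)
```

Because the real-time scan only triggers on proxy updates and not on SSL policy updates, a policy that is weakened in place will not produce a new finding until the next scheduled scan; re-running a check like this over all proxies after any policy edit closes that window.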

Container vulnerability findings

These finding types all relate to GKE container configurations, and belong to the CONTAINER_SCANNER detector type.

Detector Summary Asset scan settings
Alpha cluster enabled

Category name in the API: ALPHA_CLUSTER_ENABLED

Finding description: Alpha cluster features are enabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.10.2

Checks whether the enableKubernetesAlpha property of a cluster is set to true.

  • Real-time scans: Yes
Auto repair disabled

Category name in the API: AUTO_REPAIR_DISABLED

Finding description: A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.7
  • CIS GKE 1.0: 6.5.2
  • PCI-DSS v3.2.1: 2.2

Checks the management property of a node pool for the key-value pair, "key": "autoRepair", "value": true.

  • Real-time scans: Yes
Auto upgrade disabled

Category name in the API: AUTO_UPGRADE_DISABLED

Finding description: A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.8
  • CIS GKE 1.0: 6.5.3
  • PCI-DSS v3.2.1: 2.2

Checks the management property of a node pool for the key-value pair, "key": "autoUpgrade", "value": true.

  • Real-time scans: Yes
Binary authorization disabled

Category name in the API: BINARY_AUTHORIZATION_DISABLED

Finding description: Binary Authorization is either disabled on the GKE cluster or the Binary Authorization policy is configured to allow all images to be deployed.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the following:

  • Checks whether the binaryAuthorization property has one of the following key-value pairs:
    • "evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"
    • "evaluationMode": "POLICY_BINDINGS"
    • "evaluationMode": "POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE"
  • Checks whether the defaultAdmissionRule policy property does not contain the key-value pair evaluationMode: ALWAYS_ALLOW.

  • Real-time scans: Yes
Cluster logging disabled

Category name in the API: CLUSTER_LOGGING_DISABLED

Finding description: Logging isn't enabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.1
  • CIS GKE 1.0: 6.7.1
  • PCI-DSS v3.2.1: 10.2.2, 10.2.7

Checks whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.

  • Real-time scans: Yes
Cluster monitoring disabled

Category name in the API: CLUSTER_MONITORING_DISABLED

Finding description: Monitoring is disabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.2
  • CIS GKE 1.0: 6.7.1
  • PCI-DSS v3.2.1: 10.1, 10.2

Checks whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.

  • Real-time scans: Yes
Cluster private Google access disabled

Category name in the API: CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED

Finding description: Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.16
  • PCI-DSS v3.2.1: 1.3

Checks whether the privateIpGoogleAccess property of a subnetwork is set to false.

  • Additional inputs: Reads subnetworks from storage, filing findings only for clusters with subnetworks
  • Real-time scans: Yes, but only if cluster is updated, not for subnetwork updates
Cluster secrets encryption disabled

Category name in the API: CLUSTER_SECRETS_ENCRYPTION_DISABLED

Finding description: Application-layer secrets encryption is disabled on a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.3.1

Checks the databaseEncryption object of a cluster for the key-value pair "state": ENCRYPTED and a keyName that references the Cloud KMS key used for application-layer secrets encryption.

  • Real-time scans: Yes
Cluster shielded nodes disabled

Category name in the API: CLUSTER_SHIELDED_NODES_DISABLED

Finding description: Shielded GKE nodes are not enabled for a cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.5.5

Checks the shieldedNodes property for the key-value pair "enabled": true.

  • Real-time scans: Yes
COS not used

Category name in the API: COS_NOT_USED

Finding description: Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.9
  • CIS GKE 1.0: 6.5.1
  • PCI-DSS v3.2.1: 2.2

Checks the config property of a node pool for the key-value pair, "imageType": "COS".

  • Real-time scans: Yes
Integrity monitoring disabled

Category name in the API: INTEGRITY_MONITORING_DISABLED

Finding description: Integrity monitoring is disabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.5.6

Checks the shieldedInstanceConfig property of the nodeConfig object for the key-value pair "enableIntegrityMonitoring": true.

  • Real-time scans: Yes
Intranode visibility disabled

Category name in the API: INTRANODE_VISIBILITY_DISABLED

Finding description: Intranode visibility is disabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.6.1

Checks the networkConfig property for the key-value pair "enableIntraNodeVisibility": true.

  • Real-time scans: Yes
IP alias disabled

Category name in the API: IP_ALIAS_DISABLED

Finding description: A GKE cluster was created with alias IP ranges disabled.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.13
  • CIS GKE 1.0: 6.6.2
  • PCI-DSS v3.2.1: 1.3.4, 1.3.7

Checks whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.

  • Real-time scans: Yes
Legacy authorization enabled

Category name in the API: LEGACY_AUTHORIZATION_ENABLED

Finding description: Legacy Authorization is enabled on GKE clusters.

Pricing tier: Premium or Standard

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.3
  • CIS GKE 1.0: 6.8.3
  • PCI-DSS v3.2.1: 4.1

Checks the legacyAbac property of a cluster for the key-value pair, "enabled": true.

  • Real-time scans: Yes
Legacy metadata enabled

Category name in the API: LEGACY_METADATA_ENABLED

Finding description: Legacy metadata is enabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.4.1

Checks the config property of a node pool for the key-value pair, "disable-legacy-endpoints": "false".

  • Real-time scans: Yes
Master authorized networks disabled

Category name in the API: MASTER_AUTHORIZED_NETWORKS_DISABLED

Finding description: Control Plane Authorized Networks is not enabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.4
  • CIS GKE 1.0: 6.6.3
  • PCI-DSS v3.2.1: 1.2.1, 1.3.2

Checks the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, "enabled": false.

  • Real-time scans: Yes
Network policy disabled

Category name in the API: NETWORK_POLICY_DISABLED

Finding description: Network policy is disabled on GKE clusters.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.11
  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.3
  • ISO-27001 v2013: A.13.1.1

Checks the networkPolicy field of the addonsConfig property for the key-value pair, "disabled": true.

  • Real-time scans: Yes
Nodepool boot CMEK disabled

Category name in the API: NODEPOOL_BOOT_CMEK_DISABLED

Finding description: Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the bootDiskKmsKey property of node pools for the resource name of your CMEK.

  • Real-time scans: Yes
Nodepool secure boot disabled

Category name in the API: NODEPOOL_SECURE_BOOT_DISABLED

Finding description: Secure Boot is disabled for a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.5.7

Checks the shieldedInstanceConfig property of the nodeConfig object for the key-value pair "enableSecureBoot": true.

  • Real-time scans: Yes
Over privileged account

Category name in the API: OVER_PRIVILEGED_ACCOUNT

Finding description: A service account has overly broad project access in a cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.17
  • NIST 800-53 R4: AC-6, SC-7
  • CIS GKE 1.0: 6.2.1
  • PCI-DSS v3.2.1: 2.1, 7.1.2
  • ISO-27001 v2013: A.9.2.3

Evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.

  • Real-time scans: Yes
Over privileged scopes

Category name in the API: OVER_PRIVILEGED_SCOPES

Finding description: A node service account has broad access scopes.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.18
  • CIS GKE 1.0: 6.2.1

Checks whether the access scope listed in the config.oauthScopes property of a node pool is a limited service account access scope: https://www.googleapis.com/auth/devstorage.read_only, https://www.googleapis.com/auth/logging.write, or https://www.googleapis.com/auth/monitoring.

  • Real-time scans: Yes
Pod security policy disabled

Category name in the API: POD_SECURITY_POLICY_DISABLED

Finding description: PodSecurityPolicy is disabled on a GKE cluster.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.14
  • CIS GKE 1.0: 6.10.3

Checks the podSecurityPolicyConfig property of a cluster for the key-value pair, "enabled": false.

  • Additional IAM permissions: roles/container.clusterViewer
  • Additional inputs: Reads cluster information from GKE, because pod security policies are a Beta feature. Kubernetes deprecated PodSecurityPolicy in version 1.21 and removed it in version 1.25. For information about alternatives, refer to PodSecurityPolicy deprecation.
  • Real-time scans: No
Private cluster disabled

Category name in the API: PRIVATE_CLUSTER_DISABLED

Finding description: Private nodes are disabled for a GKE cluster, so its nodes are assigned external IP addresses.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.15
  • CIS GKE 1.0: 6.6.5
  • PCI-DSS v3.2.1: 1.3.2

Checks whether the enablePrivateNodes field of the privateClusterConfig property is set to false.

  • Real-time scans: Yes
Release channel disabled

Category name in the API: RELEASE_CHANNEL_DISABLED

Finding description: A GKE cluster is not subscribed to a release channel.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.5.4

Checks the releaseChannel property for the key-value pair "channel": "UNSPECIFIED".

  • Real-time scans: Yes
Web UI enabled

Category name in the API: WEB_UI_ENABLED

Finding description: The GKE web UI (dashboard) is enabled.

Pricing tier: Premium or Standard

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 7.6
  • CIS GKE 1.0: 6.10.1
  • PCI-DSS v3.2.1: 6.6

Checks the kubernetesDashboard field of the addonsConfig property for the key-value pair, "disabled": false.

  • Real-time scans: Yes
Workload Identity disabled

Category name in the API: WORKLOAD_IDENTITY_DISABLED

Finding description: Workload Identity is disabled on a GKE cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GKE 1.0: 6.2.2

Checks whether the workloadIdentityConfig property of a cluster is set. The detector also checks whether the workloadMetadataConfig property of a node pool is set to GKE_METADATA.

  • Additional IAM permissions: roles/container.clusterViewer
  • Real-time scans: Yes
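The container checks above each describe one property test against the cluster's configuration. The following script, added here as an illustration and not part of the Security Command Center product or its documentation, reproduces those tests over the JSON that `gcloud container clusters describe CLUSTER --format=json` prints, so you can evaluate a cluster offline before the detectors run. The two cluster objects are constructed samples; the category name SHIELDED_NODES_DISABLED is taken from the shieldedNodes entry whose header is cut off at the top of this section, and the treatment of an absent boolean as false is an assumption noted in the code.

```python
"""Evaluate one GKE cluster description against the container checks listed above.
Input is the JSON that `gcloud container clusters describe CLUSTER --format=json` prints."""
from typing import Dict, List

# The only node access scopes the OVER_PRIVILEGED_SCOPES entry treats as limited.
LIMITED_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring",
}


def evaluate_gke_cluster(cluster: Dict) -> List[str]:
    """Return the finding categories that apply to this cluster, in check order.
    Assumption: a boolean absent from the JSON is false (the proto3 default), so a
    missing feature block is treated as that feature being off."""
    findings: List[str] = []

    def flag(category: str, triggered: bool) -> None:
        if triggered:
            findings.append(category)

    addons = cluster.get("addonsConfig", {})
    ip_policy = cluster.get("ipAllocationPolicy", {})
    # Category name from the shieldedNodes entry whose header is cut off above.
    flag("SHIELDED_NODES_DISABLED", not cluster.get("shieldedNodes", {}).get("enabled", False))
    flag("INTRANODE_VISIBILITY_DISABLED",
         not cluster.get("networkConfig", {}).get("enableIntraNodeVisibility", False))
    # The REST field is useIpAliases; the page spells it useIPAliases, so accept both.
    flag("IP_ALIAS_DISABLED",
         not ip_policy.get("useIpAliases", ip_policy.get("useIPAliases", False)))
    flag("LEGACY_AUTHORIZATION_ENABLED", cluster.get("legacyAbac", {}).get("enabled", False))
    flag("MASTER_AUTHORIZED_NETWORKS_DISABLED",
         not cluster.get("masterAuthorizedNetworksConfig", {}).get("enabled", False))
    # REST names the addon block networkPolicyConfig; the page calls it networkPolicy.
    net_policy = addons.get("networkPolicyConfig", addons.get("networkPolicy", {}))
    flag("NETWORK_POLICY_DISABLED", net_policy.get("disabled", False))
    flag("WEB_UI_ENABLED", not addons.get("kubernetesDashboard", {}).get("disabled", False))
    flag("POD_SECURITY_POLICY_DISABLED",
         not cluster.get("podSecurityPolicyConfig", {}).get("enabled", False))
    flag("PRIVATE_CLUSTER_DISABLED",
         not cluster.get("privateClusterConfig", {}).get("enablePrivateNodes", False))
    flag("RELEASE_CHANNEL_DISABLED",
         cluster.get("releaseChannel", {}).get("channel", "UNSPECIFIED") == "UNSPECIFIED")
    pool_set = bool(cluster.get("workloadIdentityConfig", {}).get("workloadPool"))

    for pool in cluster.get("nodePools", []):
        cfg = pool.get("config", {})
        shielded = cfg.get("shieldedInstanceConfig", {})
        # COS_CONTAINERD is the current Container-Optimized OS image type; accept it and COS.
        flag("COS_NOT_USED", not cfg.get("imageType", "").startswith("COS"))
        flag("INTEGRITY_MONITORING_DISABLED", not shielded.get("enableIntegrityMonitoring", False))
        flag("NODEPOOL_SECURE_BOOT_DISABLED", not shielded.get("enableSecureBoot", False))
        flag("NODEPOOL_BOOT_CMEK_DISABLED", not cfg.get("bootDiskKmsKey"))
        flag("LEGACY_METADATA_ENABLED",
             cfg.get("metadata", {}).get("disable-legacy-endpoints") == "false")
        flag("OVER_PRIVILEGED_ACCOUNT", cfg.get("serviceAccount", "default") == "default")
        flag("OVER_PRIVILEGED_SCOPES", not set(cfg.get("oauthScopes", [])) <= LIMITED_SCOPES)
        flag("WORKLOAD_IDENTITY_DISABLED", not pool_set
             or cfg.get("workloadMetadataConfig", {}).get("mode") != "GKE_METADATA")
    return list(dict.fromkeys(findings))  # one entry per category across all node pools


WEAK_CLUSTER = {  # constructed: an older cluster with most hardening left off
    "name": "legacy-cluster",
    "legacyAbac": {"enabled": True},
    "addonsConfig": {"kubernetesDashboard": {"disabled": False},
                     "networkPolicyConfig": {"disabled": True}},
    "nodePools": [{"name": "default-pool", "config": {
        "imageType": "UBUNTU_CONTAINERD",
        "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"],
        "metadata": {"disable-legacy-endpoints": "false"}}}],
}
HARDENED_CLUSTER = {  # constructed: every check above passes
    "name": "hardened-cluster",
    "shieldedNodes": {"enabled": True},
    "networkConfig": {"enableIntraNodeVisibility": True},
    "ipAllocationPolicy": {"useIpAliases": True},
    "masterAuthorizedNetworksConfig": {"enabled": True, "cidrBlocks": [{"cidrBlock": "10.0.0.0/8"}]},
    "addonsConfig": {"kubernetesDashboard": {"disabled": True}, "networkPolicyConfig": {}},
    "podSecurityPolicyConfig": {"enabled": True},
    "privateClusterConfig": {"enablePrivateNodes": True},
    "releaseChannel": {"channel": "REGULAR"},
    "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
    "nodePools": [{"name": "pool-1", "config": {
        "imageType": "COS_CONTAINERD",
        "serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
        "oauthScopes": sorted(LIMITED_SCOPES),
        "metadata": {"disable-legacy-endpoints": "true"},
        "bootDiskKmsKey": "projects/example-project/locations/us-central1/keyRings/gke/cryptoKeys/boot",
        "shieldedInstanceConfig": {"enableSecureBoot": True, "enableIntegrityMonitoring": True},
        "workloadMetadataConfig": {"mode": "GKE_METADATA"}}}],
}

if __name__ == "__main__":
    for c in (WEAK_CLUSTER, HARDENED_CLUSTER):
        print(c["name"], evaluate_gke_cluster(c) or "no findings")
```

Run it against real output with `python3 gke_checks.py < <(gcloud container clusters describe CLUSTER --format=json)` after adding a `json.load(sys.stdin)` call; the hardened sample returns no findings, the weak sample trips every check in the table.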

Dataproc vulnerability findings

Vulnerabilities of this detector type all relate to Dataproc and belong to the DATAPROC_SCANNER detector type.

Detector Summary Asset scan settings
Dataproc CMEK disabled

Category name in the API: DATAPROC_CMEK_DISABLED

Finding description: A Dataproc cluster was created without a customer-managed encryption key (CMEK) in its encryption configuration. With CMEK, keys that you create and manage in Cloud Key Management Service wrap the keys that Google Cloud uses to encrypt your data, giving you more control over access to your data. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
dataproc.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.3: 1.17
  • CIS GCP Foundation 2.0: 1.17
  • CIS GCP Foundation 3.0: 8.1
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks whether the kmsKeyName field in the encryptionConfiguration property is empty.

  • Real-time scans: Yes
Dataproc image outdated

Category name in the API: DATAPROC_IMAGE_OUTDATED

Finding description: A Dataproc cluster was created with a Dataproc image version that is impacted by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046).

Pricing tier: Premium or Standard

Supported assets
dataproc.googleapis.com/Cluster

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks whether the softwareConfig.imageVersion field in the config property of a Cluster is earlier than 1.3.95 or is a subminor image version earlier than 1.4.77, 1.5.53, or 2.0.27.

  • Real-time scans: Yes
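The version rule in the DATAPROC_IMAGE_OUTDATED entry has a subtlety worth seeing in code: the cut-off differs per image track, and the imageVersion string carries an OS suffix. The script below is an added example, not code from the Security Command Center product, and reproduces the rule over the JSON that `gcloud dataproc clusters list --format=json` prints. The cluster list is constructed; the handling of versions with no subminor is an assumption and is labelled as such.

```python
"""Reproduce the DATAPROC_IMAGE_OUTDATED version test from the entry above."""
import re
from typing import Dict, List, Optional, Tuple

# First Log4j-patched subminor per image track, as listed in the entry above.
PATCHED_SUBMINOR = {(1, 4): 77, (1, 5): 53, (2, 0): 27}


def parse_image_version(image_version: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor[, subminor]) from values like '2.0.27-debian10' or '1.5-ubuntu18'.
    The OS suffix after '-' is ignored; None when the value is not a numeric version."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-|$)", image_version.strip())
    if not m:
        return None
    parts = [int(m.group(1)), int(m.group(2))]
    if m.group(3) is not None:
        parts.append(int(m.group(3)))
    return tuple(parts)


def is_image_outdated(image_version: str) -> bool:
    """True when the version falls in the ranges the detector flags: anything earlier than
    1.3.95, or a 1.4 / 1.5 / 2.0 image with a subminor below the patched one.
    Assumption (not stated on the page): a version without a subminor, e.g. '2.0-debian10',
    resolved to the track's latest image when the cluster was created and is not flagged."""
    v = parse_image_version(image_version)
    if v is None:
        raise ValueError(f"unrecognised Dataproc image version: {image_version!r}")
    major, minor = v[0], v[1]
    if (major, minor) < (1, 3):
        return True  # every 1.0.x-1.2.x image is earlier than 1.3.95
    if len(v) == 2:
        return False
    if (major, minor) == (1, 3):
        return v[2] < 95
    patched = PATCHED_SUBMINOR.get((major, minor))
    return patched is not None and v[2] < patched


def outdated_clusters(clusters: List[Dict]) -> List[str]:
    """Names of the clusters (JSON from `gcloud dataproc clusters list --format=json`) to flag."""
    return [c["clusterName"] for c in clusters
            if is_image_outdated(c["config"]["softwareConfig"]["imageVersion"])]


SAMPLE_CLUSTERS = [  # constructed
    {"clusterName": "etl-prod", "config": {"softwareConfig": {"imageVersion": "2.0.27-debian10"}}},
    {"clusterName": "etl-legacy", "config": {"softwareConfig": {"imageVersion": "1.5.40-debian10"}}},
    {"clusterName": "adhoc", "config": {"softwareConfig": {"imageVersion": "1.3.93-deb9"}}},
    {"clusterName": "notebooks", "config": {"softwareConfig": {"imageVersion": "2.1.2-debian11"}}},
]

if __name__ == "__main__":
    print(outdated_clusters(SAMPLE_CLUSTERS))  # ['etl-legacy', 'adhoc']
```

A plain string comparison would get this wrong ("1.5.40" sorts after "1.5.4" but before "1.5.53" only by accident), which is why the version is parsed into integers first; a 2.1 or later image is outside every listed range and is never flagged.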

Dataset vulnerability findings

Vulnerabilities of this detector type all relate to BigQuery Dataset configurations, and belong to the DATASET_SCANNER detector type.

Detector Summary Asset scan settings
BigQuery table CMEK disabled

Category name in the API: BIGQUERY_TABLE_CMEK_DISABLED

Finding description: A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
bigquery.googleapis.com/Table

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 7.2
  • CIS GCP Foundation 1.3: 7.2
  • CIS GCP Foundation 2.0: 7.2
  • CIS GCP Foundation 3.0: 7.2
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks whether the kmsKeyName field in the encryptionConfiguration property is empty.

  • Real-time scans: Yes
Dataset CMEK disabled

Category name in the API: DATASET_CMEK_DISABLED

Finding description: A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
bigquery.googleapis.com/Dataset

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 7.3
  • CIS GCP Foundation 1.3: 7.3
  • CIS GCP Foundation 2.0: 7.3
  • CIS GCP Foundation 3.0: 7.3
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks whether the kmsKeyName field in the defaultEncryptionConfiguration property is empty.

  • Real-time scans: No
Public dataset

Category name in the API: PUBLIC_DATASET

Finding description: A dataset is configured to be open to public access.

Pricing tier: Premium or Standard

Supported assets
bigquery.googleapis.com/Dataset

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 7.1
  • CIS GCP Foundation 1.2: 7.1
  • CIS GCP Foundation 1.3: 7.1
  • CIS GCP Foundation 2.0: 7.1
  • CIS GCP Foundation 3.0: 7.1
  • NIST 800-53 R4: AC-2
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 7.1
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.14.1.3, A.8.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the IAM allow policy in resource metadata for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Real-time scans: Yes

DNS vulnerability findings

Vulnerabilities of this detector type all relate to Cloud DNS configurations, and belong to the DNS_SCANNER detector type.

Detector Summary Asset scan settings
DNSSEC disabled

Category name in the API: DNSSEC_DISABLED

Finding description: DNSSEC is disabled for Cloud DNS zones.

Pricing tier: Premium

Supported assets
dns.googleapis.com/ManagedZone

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.3
  • CIS GCP Foundation 1.1: 3.3
  • CIS GCP Foundation 1.2: 3.3
  • CIS GCP Foundation 1.3: 3.3
  • CIS GCP Foundation 2.0: 3.3
  • CIS GCP Foundation 3.0: 3.3
  • NIST 800-53 R5: AC-18, CM-2, CM-6, CM-7, CM-9
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.4.2, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2013: A.8.2.3
  • ISO-27001 v2022: A.8.9
  • Cloud Controls Matrix 4: IVS-04
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC5.2.2
  • CIS Controls 8.0: 4.2

Checks whether the state field of the dnssecConfig property is set to off.

  • Assets excluded from scans: Cloud DNS zones that are not public
  • Real-time scans: Yes
RSASHA1 for signing

Category name in the API: RSASHA1_FOR_SIGNING

Finding description: RSASHA1 is used for key signing in Cloud DNS zones.

Pricing tier: Premium

Supported assets
dns.googleapis.com/ManagedZone

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.4, 3.5
  • CIS GCP Foundation 1.1: 3.4, 3.5
  • CIS GCP Foundation 1.2: 3.4, 3.5
  • CIS GCP Foundation 1.3: 3.4, 3.5
  • CIS GCP Foundation 2.0: 3.4, 3.5
  • CIS GCP Foundation 3.0: 3.4, 3.5
  • NIST 800-53 R5: AC-18, CM-2, CM-6, CM-7, CM-9
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.4.2, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2022: A.8.9
  • Cloud Controls Matrix 4: IVS-04
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC5.2.2
  • CIS Controls 8.0: 4.2

Checks whether the defaultKeySpecs.algorithm object of the dnssecConfig property is set to rsasha1.

  • Real-time scans: Yes

Firewall vulnerability findings

Vulnerabilities of this detector type all relate to firewall configurations, and belong to the FIREWALL_SCANNER detector type.

Detector Summary Asset scan settings
Egress deny rule not set

Category name in the API: EGRESS_DENY_RULE_NOT_SET

Finding description: An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 7.2

Checks whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, "IPProtocol": "all".

  • Additional inputs: Reads egress firewalls for a project from storage
  • Real-time scans: Yes, but only on project changes, not firewall rule changes
Firewall rule logging disabled

Category name in the API: FIREWALL_RULE_LOGGING_DISABLED

Finding description: Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SI-4
  • PCI-DSS v3.2.1: 10.1, 10.2
  • ISO-27001 v2013: A.13.1.1

Checks the logConfig property in firewall metadata to see if it's empty or contains the key-value pair "enable": false.

Open Cassandra port

Category name in the API: OPEN_CASSANDRA_PORT

Finding description: A firewall is configured to have an open Cassandra port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.

  • Real-time scans: Yes
Open ciscosecure websm port

Category name in the API: OPEN_CISCOSECURE_WEBSM_PORT

Finding description: A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocol and port: TCP:9090.

  • Real-time scans: Yes
Open directory services port

Category name in the API: OPEN_DIRECTORY_SERVICES_PORT

Finding description: A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.

  • Real-time scans: Yes
Open DNS port

Category name in the API: OPEN_DNS_PORT

Finding description: A firewall is configured to have an open DNS port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.

  • Real-time scans: Yes
Open elasticsearch port

Category name in the API: OPEN_ELASTICSEARCH_PORT

Finding description: A firewall is configured to have an open ELASTICSEARCH port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.

  • Real-time scans: Yes
Open firewall

Category name in the API: OPEN_FIREWALL

Finding description: A firewall is configured to be open to public access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 1.2.1

Checks the sourceRanges and allowed properties for one of two configurations:

  • The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following:
    • icmp
    • tcp:22
    • tcp:443
    • tcp:3389
    • udp:3389
    • sctp:22
  • The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.
Open FTP port

Category name in the API: OPEN_FTP_PORT

Finding description: A firewall is configured to have an open FTP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocol and port: TCP:21.

  • Real-time scans: Yes
Open HTTP port

Category name in the API: OPEN_HTTP_PORT

Finding description: A firewall is configured to have an open HTTP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocol and port: TCP:80.

  • Real-time scans: Yes
Open LDAP port

Category name in the API: OPEN_LDAP_PORT

Finding description: A firewall is configured to have an open LDAP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.

  • Real-time scans: Yes
Open Memcached port

Category name in the API: OPEN_MEMCACHED_PORT

Finding description: A firewall is configured to have an open MEMCACHED port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.

  • Real-time scans: Yes
Open MongoDB port

Category name in the API: OPEN_MONGODB_PORT

Finding description: A firewall is configured to have an open MONGODB port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.

  • Real-time scans: Yes
Open MySQL port

Category name in the API: OPEN_MYSQL_PORT

Finding description: A firewall is configured to have an open MYSQL port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocol and port: TCP:3306.

  • Real-time scans: Yes
Open NetBIOS port

Category name in the API: OPEN_NETBIOS_PORT

Finding description: A firewall is configured to have an open NETBIOS port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.

  • Real-time scans: Yes
Open OracleDB port

Category name in the API: OPEN_ORACLEDB_PORT

Finding description: A firewall is configured to have an open ORACLEDB port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.

  • Real-time scans: Yes
Open pop3 port

Category name in the API: OPEN_POP3_PORT

Finding description: A firewall is configured to have an open POP3 port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocol and port: TCP:110.

  • Real-time scans: Yes
Open PostgreSQL port

Category name in the API: OPEN_POSTGRESQL_PORT

Finding description: A firewall is configured to have an open PostgreSQL port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.

  • Real-time scans: Yes
Open RDP port

Category name in the API: OPEN_RDP_PORT

Finding description: A firewall is configured to have an open RDP port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.7
  • CIS GCP Foundation 1.1: 3.7
  • CIS GCP Foundation 1.2: 3.7
  • CIS GCP Foundation 1.3: 3.7
  • CIS GCP Foundation 2.0: 3.7
  • CIS GCP Foundation 3.0: 3.7
  • NIST 800-53 R4: SC-7
  • NIST 800-53 R5: CA-9, SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • PCI-DSS v4.0: 1.2.1, 1.4.1
  • ISO-27001 v2013: A.13.1.1
  • SOC2 v2017: CC6.6.1, CC6.6.4
  • CIS Controls 8.0: 4.4, 4.5

Checks the allowed property in firewall metadata for the following protocols and ports: TCP:3389 and UDP:3389.

  • Real-time scans: Yes
Open Redis port

Category name in the API: OPEN_REDIS_PORT

Finding description: A firewall is configured to have an open REDIS port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.

  • Real-time scans: Yes
Open SMTP port

Category name in the API: OPEN_SMTP_PORT

Finding description: A firewall is configured to have an open SMTP port that allows generic access.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.

  • Real-time scans: Yes
Open SSH port

Category name in the API: OPEN_SSH_PORT

Finding description: A firewall is configured to have an open SSH port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.6
  • CIS GCP Foundation 1.1: 3.6
  • CIS GCP Foundation 1.2: 3.6
  • CIS GCP Foundation 1.3: 3.6
  • CIS GCP Foundation 2.0: 3.6
  • CIS GCP Foundation 3.0: 3.6
  • NIST 800-53 R4: SC-7
  • NIST 800-53 R5: CA-9, SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • PCI-DSS v4.0: 1.2.1, 1.4.1
  • ISO-27001 v2013: A.13.1.1
  • SOC2 v2017: CC6.6.1, CC6.6.4
  • CIS Controls 8.0: 4.4, 4.5

Checks whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.

  • Real-time scans: Yes
Open Telnet port

Category name in the API: OPEN_TELNET_PORT

Finding description: A firewall is configured to have an open TELNET port that allows generic access.

Pricing tier: Premium or Standard

Supported assets
compute.googleapis.com/Firewall

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 1.2.1
  • ISO-27001 v2013: A.13.1.1

Checks whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.

  • Real-time scans: Yes

IAM vulnerability findings

Vulnerabilities of this detector type all relate to Identity and Access Management (IAM) configuration, and belong to the IAM_SCANNER detector type.

Detector Summary Asset scan settings
Access Transparency disabled

Category name in the API: ACCESS_TRANSPARENCY_DISABLED

Finding description: Google Cloud Access Transparency is disabled for your organization. Access Transparency logs when Google Cloud employees access the projects in your organization to provide support. Enable Access Transparency to log who from Google Cloud is accessing your information, when, and why.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.3: 2.14
  • CIS GCP Foundation 2.0: 2.14
  • CIS GCP Foundation 3.0: 2.14

Checks if your organization has Access Transparency enabled.

  • Real-time scans: No
Admin service account

Category name in the API: ADMIN_SERVICE_ACCOUNT

Finding description: A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.4
  • CIS GCP Foundation 1.1: 1.5
  • CIS GCP Foundation 1.2: 1.5
  • CIS GCP Foundation 1.3: 1.5
  • CIS GCP Foundation 2.0: 1.5
  • CIS GCP Foundation 3.0: 1.5
  • NIST 800-53 R5: AC-6
  • ISO-27001 v2022: A.5.15, A.8.2
  • Cloud Controls Matrix 4: IAM-09
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC6.1.3, CC6.1.4, CC6.1.7, CC6.1.8, CC6.3.1, CC6.3.2, CC6.3.3
  • CIS Controls 8.0: 5.4

Checks the IAM allow policy in resource metadata for any user-created service accounts (indicated by the email domain suffix iam.gserviceaccount.com) that are assigned roles/owner or roles/editor, or a role ID that contains admin.

  • Assets excluded from scans: Container Registry service account (containerregistry.iam.gserviceaccount.com) and Security Command Center service account (security-center-api.iam.gserviceaccount.com)
  • Real-time scans: Yes, unless the IAM update is done on a folder
Essential Contacts Not Configured

Category name in the API: ESSENTIAL_CONTACTS_NOT_CONFIGURED

Finding description: Your organization has not designated a person or group to receive notifications from Google Cloud about important events such as attacks, vulnerabilities, and data incidents within your Google Cloud organization. We recommend that you designate as an Essential Contact one or more persons or groups in your business organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.3: 1.16
  • CIS GCP Foundation 2.0: 1.16
  • CIS GCP Foundation 3.0: 1.16
  • NIST 800-53 R5: IR-6
  • ISO-27001 v2022: A.5.20, A.5.24, A.5.5, A.5.6
  • Cloud Controls Matrix 4: SEF-08
  • NIST Cybersecurity Framework 1.0: RS-CO-1
  • SOC2 v2017: CC2.3.1
  • CIS Controls 8.0: 17.2

Checks that a contact is specified for the following essential contact categories:

  • Legal
  • Security
  • Suspension
  • Technical

  • Real-time scans: No
KMS role separation

Category name in the API: KMS_ROLE_SEPARATION

Finding description: Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter.

This finding isn't available for project-level activations.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.9
  • CIS GCP Foundation 1.1: 1.11
  • CIS GCP Foundation 2.0: 1.11
  • NIST 800-53 R4: AC-5
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.10.1.2, A.9.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks IAM allow policies in resource metadata and retrieves principals assigned any of the following roles at the same time: roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, roles/cloudkms.signerVerifier, and roles/cloudkms.publicKeyViewer.

  • Real-time scans: Yes
Non org IAM member

Category name in the API: NON_ORG_IAM_MEMBER

Finding description: There is a user who isn't using organizational credentials. Per CIS GCP Foundations 1.0, currently only identities with @gmail.com email addresses trigger this detector.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.1
  • CIS GCP Foundation 1.1: 1.1
  • CIS GCP Foundation 1.2: 1.1
  • CIS GCP Foundation 1.3: 1.1
  • CIS GCP Foundation 2.0: 1.1
  • CIS GCP Foundation 3.0: 1.1
  • NIST 800-53 R4: AC-3
  • PCI-DSS v3.2.1: 7.1.2
  • ISO-27001 v2013: A.9.2.3

Compares @gmail.com email addresses in the user field in IAM allow policy metadata to a list of approved identities for your organization.

  • Real-time scans: Yes
Open group IAM member

Category name in the API: OPEN_GROUP_IAM_MEMBER

Finding description: A Google Groups account that can be joined without approval is used as an IAM allow policy principal.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the IAM policy in resource metadata for any bindings containing a member (principal) that's prefixed with group: (a Google Groups principal). If the group is an open group, Security Health Analytics generates this finding.
  • Additional inputs: Reads Google Groups metadata to check whether the group identified is an open group.
  • Real-time scans: No
Over privileged service account user

Category name in the API: OVER_PRIVILEGED_SERVICE_ACCOUNT_USER

Finding description: A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.5
  • CIS GCP Foundation 1.1: 1.6
  • CIS GCP Foundation 1.2: 1.6
  • CIS GCP Foundation 1.3: 1.6
  • CIS GCP Foundation 2.0: 1.6
  • CIS GCP Foundation 3.0: 1.6
  • NIST 800-53 R4: AC-6
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 7.1.2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.9.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3
Checks the IAM allow policy in resource metadata for any principals assigned roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator at the project level.
  • Assets excluded from scans: Cloud Build service accounts
  • Real-time scans: Yes
Primitive roles used

Category name in the API: PRIMITIVE_ROLES_USED

Finding description: A user has one of the following basic roles:

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)

These roles are too permissive and shouldn't be used.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • NIST 800-53 R4: AC-6
  • PCI-DSS v3.2.1: 7.1.2
  • ISO-27001 v2013: A.9.2.3

Checks the IAM allow policy in resource metadata for any principals that are assigned a roles/owner, roles/editor, or roles/viewer role.

  • Real-time scans: Yes
Redis role used on org

Category name in the API: REDIS_ROLE_USED_ON_ORG

Finding description: A Redis IAM role is assigned at the organization or folder level.

This finding isn't available for project-level activations.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 7.1.2
  • ISO-27001 v2013: A.9.2.3

Checks the IAM allow policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.

  • Real-time scans: Yes
Service account role separation

Category name in the API: SERVICE_ACCOUNT_ROLE_SEPARATION

Finding description: A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle.

This finding isn't available for project-level activations.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.7
  • CIS GCP Foundation 1.1: 1.8
  • CIS GCP Foundation 1.2: 1.8
  • CIS GCP Foundation 1.3: 1.8
  • CIS GCP Foundation 2.0: 1.8
  • CIS GCP Foundation 3.0: 1.8
  • NIST 800-53 R4: AC-5
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.9.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3
Checks the IAM allow policy in resource metadata for any principals assigned both roles/iam.serviceAccountUser and roles/iam.serviceAccountAdmin.
  • Real-time scans: Yes
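
The IAM-policy checks described for the detectors above (PRIMITIVE_ROLES_USED, OVER_PRIVILEGED_SERVICE_ACCOUNT_USER, SERVICE_ACCOUNT_ROLE_SEPARATION, KMS_ROLE_SEPARATION and NON_ORG_IAM_MEMBER) all reduce to inspecting the bindings of one IAM allow policy. The following Python is an added example, not Security Command Center's own code: it runs the same checks over a constructed project-level policy in the JSON shape that `gcloud projects get-iam-policy --format=json` returns. The principals, the approved-identity list and the function names are this example's own; reading KMS_ROLE_SEPARATION as "holds the combined Encrypter/Decrypter role, or more than one of the listed KMS roles" is also this example's assumption.

```python
"""Evaluate an IAM allow policy against the IAM detector checks above.

Added example, not Security Command Center code. The policy and principals
are constructed; the JSON shape matches `gcloud projects get-iam-policy`.
"""
from collections import defaultdict

# Role sets named in the detector descriptions on this page.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
SA_IMPERSONATION_ROLES = {"roles/iam.serviceAccountUser",
                          "roles/iam.serviceAccountTokenCreator"}
SA_SEPARATION_PAIR = {"roles/iam.serviceAccountUser",
                      "roles/iam.serviceAccountAdmin"}
KMS_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.signer",
    "roles/cloudkms.signerVerifier",
    "roles/cloudkms.publicKeyViewer",
}

# Constructed sample project-level IAM allow policy (no real identities).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:bob@example.com", "group:devs@example.com"]},
        {"role": "roles/iam.serviceAccountAdmin", "members": ["user:bob@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypter", "members": ["user:carol@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyDecrypter", "members": ["user:carol@example.com"]},
        {"role": "roles/viewer", "members": ["user:dave@gmail.com"]},
        {"role": "roles/logging.viewer", "members": ["user:erin@gmail.com"]},
    ]
}
# Constructed: consumer identities the organization has explicitly approved.
APPROVED_IDENTITIES = {"user:erin@gmail.com"}


def roles_by_principal(policy):
    """Invert the bindings list into {principal: set of roles}."""
    held = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held[member].add(binding["role"])
    return held


def primitive_roles_used(policy):
    """PRIMITIVE_ROLES_USED: any principal holding owner, editor or viewer."""
    return sorted(p for p, r in roles_by_principal(policy).items() if r & BASIC_ROLES)


def over_privileged_service_account_user(project_policy):
    """OVER_PRIVILEGED_SERVICE_ACCOUNT_USER: Service Account User or Token
    Creator granted on the project itself rather than on one service account.
    Because the input is the project-level policy, any such binding qualifies."""
    return sorted(p for p, r in roles_by_principal(project_policy).items()
                  if r & SA_IMPERSONATION_ROLES)


def service_account_role_separation(policy):
    """SERVICE_ACCOUNT_ROLE_SEPARATION: SA Admin and SA User on one principal."""
    return sorted(p for p, r in roles_by_principal(policy).items()
                  if SA_SEPARATION_PAIR <= r)


def kms_role_separation(policy):
    """KMS_ROLE_SEPARATION (assumed reading): the combined Encrypter/Decrypter
    role, or more than one of the listed KMS roles, on the same principal."""
    return sorted(p for p, r in roles_by_principal(policy).items()
                  if "roles/cloudkms.cryptoKeyEncrypterDecrypter" in r
                  or len(r & KMS_ROLES) > 1)


def non_org_iam_member(policy, approved=frozenset()):
    """NON_ORG_IAM_MEMBER: @gmail.com users not on the approved list."""
    return sorted(p for p in roles_by_principal(policy)
                  if p.startswith("user:") and p.endswith("@gmail.com")
                  and p not in approved)


def evaluate(policy, approved=frozenset()):
    """Run every check; a non-empty list means the detector would file a finding."""
    return {
        "PRIMITIVE_ROLES_USED": primitive_roles_used(policy),
        "OVER_PRIVILEGED_SERVICE_ACCOUNT_USER": over_privileged_service_account_user(policy),
        "SERVICE_ACCOUNT_ROLE_SEPARATION": service_account_role_separation(policy),
        "KMS_ROLE_SEPARATION": kms_role_separation(policy),
        "NON_ORG_IAM_MEMBER": non_org_iam_member(policy, approved),
    }


if __name__ == "__main__":
    for category, principals in evaluate(SAMPLE_POLICY, APPROVED_IDENTITIES).items():
        print(f"{category}: {principals or 'no finding'}")
```

Feeding the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` into `evaluate` reproduces the project-level part of these detectors; the folder- and organization-level variants on this page differ only in which policy is inspected.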
Service account key not rotated

Category name in the API: SERVICE_ACCOUNT_KEY_NOT_ROTATED

Finding description: A service account key hasn't been rotated for more than 90 days.

Pricing tier: Premium

Supported assets
iam.googleapis.com/ServiceAccountKey

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.6
  • CIS GCP Foundation 1.1: 1.7
  • CIS GCP Foundation 1.2: 1.7
  • CIS GCP Foundation 1.3: 1.7
  • CIS GCP Foundation 2.0: 1.7
  • CIS GCP Foundation 3.0: 1.7

Evaluates the key creation timestamp captured in the validAfterTime property in service account key metadata.

  • Assets excluded from scans: Expired service account keys and keys not managed by users
  • Real-time scans: Yes
User managed service account key

Category name in the API: USER_MANAGED_SERVICE_ACCOUNT_KEY

Finding description: A user manages a service account key.

Pricing tier: Premium

Supported assets
iam.googleapis.com/ServiceAccountKey

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.3
  • CIS GCP Foundation 1.1: 1.4
  • CIS GCP Foundation 1.2: 1.4
  • CIS GCP Foundation 1.3: 1.4
  • CIS GCP Foundation 2.0: 1.4
  • CIS GCP Foundation 3.0: 1.4

Checks whether the keyType property in service account key metadata is set to User_Managed.

  • Real-time scans: Yes
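
The two service account key detectors above evaluate key metadata rather than an IAM policy. The following Python is an added example, not Security Command Center code: it applies the documented checks (validAfterTime older than 90 days, with expired and non-user-managed keys excluded; keyType equal to USER_MANAGED) to constructed key records in the shape of `gcloud iam service-accounts keys list --format=json`. The service account name, key ids, timestamps and the injected evaluation time are constructed.

```python
"""Service account key checks: SERVICE_ACCOUNT_KEY_NOT_ROTATED and
USER_MANAGED_SERVICE_ACCOUNT_KEY.

Added example, not Security Command Center code. Key records are constructed
in the shape of `gcloud iam service-accounts keys list --format=json`; the
evaluation time is passed in so the age check is deterministic.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # "hasn't been rotated for more than 90 days"
SA = "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com"

# Constructed sample keys (not real key ids).
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/key-1", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{SA}/keys/key-2", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-15T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{SA}/keys/key-3", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": "2024-01-15T00:00:00Z"},
    {"name": f"{SA}/keys/key-4", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-01T00:00:00Z", "validBeforeTime": "2023-06-01T00:00:00Z"},
]
EVALUATED_AT = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "now"


def parse_time(value):
    """Parse the RFC 3339 UTC timestamps the IAM API returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_expired(key, now):
    """A key whose validBeforeTime has passed is excluded from the rotation scan."""
    return parse_time(key["validBeforeTime"]) <= now


def service_account_key_not_rotated(keys, now=EVALUATED_AT):
    """SERVICE_ACCOUNT_KEY_NOT_ROTATED: user-managed, unexpired keys whose
    validAfterTime is more than 90 days before the evaluation time."""
    return [k["name"] for k in keys
            if k.get("keyType") == "USER_MANAGED" and not is_expired(k, now)
            and now - parse_time(k["validAfterTime"]) > MAX_KEY_AGE]


def user_managed_service_account_keys(keys):
    """USER_MANAGED_SERVICE_ACCOUNT_KEY: every key whose keyType is USER_MANAGED."""
    return [k["name"] for k in keys if k.get("keyType") == "USER_MANAGED"]


if __name__ == "__main__":
    print("not rotated:", service_account_key_not_rotated(SAMPLE_KEYS))
    print("user managed:", user_managed_service_account_keys(SAMPLE_KEYS))
```

With the constructed sample, only key-1 is old enough and still valid to be reported as unrotated, while key-1, key-2 and key-4 are all reported as user-managed; the expired key-4 still counts for the second detector because the page lists no exclusions for it.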

KMS vulnerability findings

Vulnerabilities of this detector type all relate to Cloud KMS configurations, and belong to the KMS_SCANNER detector type.

Detector Summary Asset scan settings
KMS key not rotated

Category name in the API: KMS_KEY_NOT_ROTATED

Finding description: Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days.

Pricing tier: Premium

Supported assets
cloudkms.googleapis.com/CryptoKey

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.8
  • CIS GCP Foundation 1.1: 1.10
  • CIS GCP Foundation 1.2: 1.10
  • CIS GCP Foundation 1.3: 1.10
  • CIS GCP Foundation 2.0: 1.10
  • NIST 800-53 R4: SC-12
  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v3.2.1: 3.5
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2013: A.10.1.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks resource metadata for the existence of rotationPeriod or nextRotationTime properties.

  • Assets excluded from scans: Asymmetric keys and keys with disabled or destroyed primary versions
  • Real-time scans: Yes
KMS project has owner

Category name in the API: KMS_PROJECT_HAS_OWNER

Finding description: A user has Owner permissions on a project that has cryptographic keys.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 1.11
  • CIS GCP Foundation 1.2: 1.11
  • CIS GCP Foundation 1.3: 1.11
  • CIS GCP Foundation 2.0: 1.11
  • NIST 800-53 R4: AC-6, SC-12
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 3.5
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.10.1.2, A.9.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the IAM allow policy in project metadata for principals assigned roles/owner.

  • Additional inputs: Reads cryptokeys for a project from storage, filing findings only for projects with cryptokeys
  • Real-time scans: Yes, but only on changes to IAM allow policy, not on changes to KMS keys
KMS public key

Category name in the API: KMS_PUBLIC_KEY

Finding description: A Cloud KMS cryptographic key is publicly accessible.

Pricing tier: Premium

Supported assets
cloudkms.googleapis.com/CryptoKey
cloudkms.googleapis.com/KeyRing

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 1.9
  • CIS GCP Foundation 1.2: 1.9
  • CIS GCP Foundation 1.3: 1.9
  • CIS GCP Foundation 2.0: 1.9
  • CIS GCP Foundation 3.0: 1.9
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the IAM allow policy in resource metadata for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Real-time scans: Yes
Too many KMS users

Category name in the API: TOO_MANY_KMS_USERS

Finding description: There are more than three users of cryptographic keys.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudkms.googleapis.com/CryptoKey

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 3.5.2
  • ISO-27001 v2013: A.9.2.3
Checks IAM allow policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.
  • Additional inputs: Reads cryptokey versions for a cryptokey from storage, filing findings only for keys with active versions. The detector also reads key ring, project, and organization IAM allow policies from storage
  • Real-time scans: Yes
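
The KMS detectors above combine checks on CryptoKey metadata (rotationPeriod and nextRotationTime, with asymmetric keys and disabled or destroyed primary versions excluded) with checks on the IAM allow policies of the key ring, project and organization (public principals; more than three principals holding key-usage roles). The following Python is an added example, not Security Command Center code: the key records follow the shape of `gcloud kms keys list --format=json`, the `versions` list attached to each key is assembled here from what `gcloud kms keys versions list` would return, and the policies and principals are constructed. It goes one step beyond the documented KMS_KEY_NOT_ROTATED check, which only tests that a rotation schedule exists, by also reporting a schedule longer than the 90-day guidance in the finding description.

```python
"""Cloud KMS checks: KMS_KEY_NOT_ROTATED, KMS_PUBLIC_KEY and TOO_MANY_KMS_USERS.

Added example, not Security Command Center code. CryptoKey records follow the
shape of `gcloud kms keys list --format=json`; the `versions` list on each key
is assembled from `gcloud kms keys versions list`; IAM policies are constructed.
"""
from datetime import timedelta

ROTATION_GUIDANCE = timedelta(days=90)   # "within a period of 90 days"
MAX_KMS_USERS = 3                        # "more than three users"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
KMS_USER_ROLES = {                       # roles listed for TOO_MANY_KMS_USERS
    "roles/owner",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.signer",
    "roles/cloudkms.signerVerifier",
}

RING = "projects/example-project/locations/global/keyRings/app-ring"
# Constructed sample keys.
SAMPLE_KEYS = [
    {"name": f"{RING}/cryptoKeys/rotated", "purpose": "ENCRYPT_DECRYPT",
     "primary": {"state": "ENABLED"}, "rotationPeriod": "7776000s",
     "nextRotationTime": "2024-09-01T00:00:00Z", "versions": [{"state": "ENABLED"}]},
    {"name": f"{RING}/cryptoKeys/never-rotated", "purpose": "ENCRYPT_DECRYPT",
     "primary": {"state": "ENABLED"}, "versions": [{"state": "ENABLED"}]},
    {"name": f"{RING}/cryptoKeys/signing", "purpose": "ASYMMETRIC_SIGN",
     "versions": [{"state": "ENABLED"}]},
    {"name": f"{RING}/cryptoKeys/retired", "purpose": "ENCRYPT_DECRYPT",
     "primary": {"state": "DISABLED"}, "versions": [{"state": "DISABLED"}]},
    {"name": f"{RING}/cryptoKeys/yearly", "purpose": "ENCRYPT_DECRYPT",
     "primary": {"state": "ENABLED"}, "rotationPeriod": "31536000s",
     "nextRotationTime": "2025-01-01T00:00:00Z", "versions": [{"state": "ENABLED"}]},
]
# Constructed IAM allow policies at the three levels the detector reads.
ORG_POLICY = {"bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}]}
PROJECT_POLICY = {"bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
                                "members": ["user:bob@example.com", "group:ops@example.com"]}]}
KEYRING_POLICY = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyDecrypter", "members": ["user:carol@example.com"]},
    {"role": "roles/cloudkms.publicKeyViewer", "members": ["allUsers"]},
]}


def rotation_period(key):
    """Parse a rotationPeriod such as '7776000s' into a timedelta (None if unset)."""
    raw = key.get("rotationPeriod")
    return timedelta(seconds=float(raw.rstrip("s"))) if raw else None


def kms_key_not_rotated(keys):
    """Symmetric keys with an enabled primary version and no rotation schedule.
    Asymmetric keys and keys whose primary is disabled or destroyed are skipped,
    as the page states. Beyond the documented existence check, a schedule longer
    than the 90-day guidance is also reported (this example's extension)."""
    out = []
    for key in keys:
        if key.get("purpose") != "ENCRYPT_DECRYPT":
            continue
        if key.get("primary", {}).get("state") != "ENABLED":
            continue
        period = rotation_period(key)
        if (period is None and "nextRotationTime" not in key) or \
           (period is not None and period > ROTATION_GUIDANCE):
            out.append(key["name"])
    return out


def kms_public_key(policy):
    """KMS_PUBLIC_KEY: allUsers or allAuthenticatedUsers anywhere in the policy."""
    return sorted({m for b in policy.get("bindings", [])
                   for m in b.get("members", []) if m in PUBLIC_PRINCIPALS})


def kms_users(policies):
    """Distinct principals able to encrypt, decrypt or sign with keys under
    these policies (organization, project and key ring levels combined)."""
    users = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if binding["role"] in KMS_USER_ROLES:
                users.update(binding.get("members", []))
    return sorted(users)


def too_many_kms_users(key, policies):
    """TOO_MANY_KMS_USERS: more than three users; only keys with an active
    version are considered, as the page states. Returns the users when the
    limit is exceeded, otherwise an empty list."""
    if not any(v.get("state") == "ENABLED" for v in key.get("versions", [])):
        return []
    users = kms_users(policies)
    return users if len(users) > MAX_KMS_USERS else []


if __name__ == "__main__":
    print("not rotated:", kms_key_not_rotated(SAMPLE_KEYS))
    print("public:", kms_public_key(KEYRING_POLICY))
    print("users:", too_many_kms_users(SAMPLE_KEYS[0], [ORG_POLICY, PROJECT_POLICY, KEYRING_POLICY]))
```

Note that the allUsers binding on the key ring carries roles/cloudkms.publicKeyViewer, so it triggers the public-key check but is not counted as a key user; the four counted users come from the three policy levels together, which is why the page lists the organization and project policies as additional inputs for this detector.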

Logging vulnerability findings

Vulnerabilities of this detector type all relate to logging configurations, and belong to the LOGGING_SCANNER detector type.

Detector Summary Asset scan settings
Audit logging disabled

Category name in the API: AUDIT_LOGGING_DISABLED

Finding description: Audit logging has been disabled for this resource.

This finding isn't available for project-level activations.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.1
  • CIS GCP Foundation 1.1: 2.1
  • CIS GCP Foundation 1.2: 2.1
  • CIS GCP Foundation 1.3: 2.1
  • CIS GCP Foundation 2.0: 2.1
  • CIS GCP Foundation 3.0: 2.1
  • NIST 800-53 R4: AC-2, AU-2
  • NIST 800-53 R5: AU-6, AU-7
  • PCI-DSS v3.2.1: 10.1, 10.2
  • PCI-DSS v4.0: 10.4.1, 10.4.1.1, 10.4.2, 10.4.3
  • ISO-27001 v2013: A.12.4.1, A.16.1.7
  • ISO-27001 v2022: A.5.25
  • Cloud Controls Matrix 4: LOG-05
  • NIST Cybersecurity Framework 1.0: DE-AE-2, PR-PT-1, RS-AN-1
  • SOC2 v2017: CC4.1.1, CC4.1.2, CC4.1.3, CC4.1.4, CC4.1.5, CC4.1.6, CC4.1.7, CC4.1.8, CC7.3.1, CC7.3.2, CC7.3.3, CC7.3.4, CC7.3.5
  • HIPAA: 164.308(a)(1)(ii), 164.312(b)
  • CIS Controls 8.0: 8.11, 8.2

Checks the IAM allow policy in resource metadata for the existence of an auditLogConfigs object.

  • Real-time scans: Yes
Bucket logging disabled

Category name in the API: BUCKET_LOGGING_DISABLED

Finding description: There is a storage bucket without logging enabled.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 5.3

Checks whether the logBucket field in the bucket's logging property is empty.

  • Real-time scans: Yes
Locked retention policy not set

Category name in the API: LOCKED_RETENTION_POLICY_NOT_SET

Finding description: A locked retention policy is not set for logs.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 2.3
  • CIS GCP Foundation 1.2: 2.3
  • CIS GCP Foundation 1.3: 2.3
  • CIS GCP Foundation 2.0: 2.3
  • CIS GCP Foundation 3.0: 2.3
  • NIST 800-53 R4: AU-11
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 10.5
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.12.4.2, A.18.1.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks whether the isLocked field in the bucket's retentionPolicy property is set to true.

  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Real-time scans: Yes
Log not exported

Category name in the API: LOG_NOT_EXPORTED

Finding description: There is a resource that doesn't have an appropriate log sink configured.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.2
  • CIS GCP Foundation 1.1: 2.2
  • CIS GCP Foundation 1.2: 2.2
  • CIS GCP Foundation 1.3: 2.2
  • CIS GCP Foundation 2.0: 2.2
  • CIS GCP Foundation 3.0: 2.2
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2013: A.18.1.3
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.3

Retrieves a logSink object in a project, checking that the includeChildren field is set to true, the destination field includes the location to write logs to, and the filter field is populated.

  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Real-time scans: Yes, but only on project changes, not if log export is set up on folder or organization
Object versioning disabled

Category name in the API: OBJECT_VERSIONING_DISABLED

Finding description: Object versioning isn't enabled on a storage bucket where sinks are configured.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.3
  • NIST 800-53 R4: AU-11
  • PCI-DSS v3.2.1: 10.5
  • ISO-27001 v2013: A.12.4.2, A.18.1.3

Checks whether the enabled field in the bucket's versioning property is set to true.

  • Assets excluded from scans: Cloud Storage buckets with a locked retention policy
  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Real-time scans: Yes, but only if object versioning changes, not if log buckets are created
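
The five logging detectors above read three kinds of metadata: the project's IAM policy (auditConfigs), its log sinks (includeChildren, destination, filter, and which Cloud Storage buckets are sink destinations), and bucket properties (logging.logBucket, retentionPolicy.isLocked, versioning.enabled). The following Python is an added example, not Security Command Center code: it applies those checks to constructed records whose JSON shapes follow `gcloud projects get-iam-policy`, `gcloud logging sinks list --format=json` and `gcloud storage buckets describe --format=json`. Bucket names, sink names, destinations and the audit configuration are constructed.

```python
"""Logging checks: AUDIT_LOGGING_DISABLED, BUCKET_LOGGING_DISABLED,
LOCKED_RETENTION_POLICY_NOT_SET, LOG_NOT_EXPORTED, OBJECT_VERSIONING_DISABLED.

Added example, not Security Command Center code. The IAM policy, log sinks
and bucket records are constructed.
"""
STORAGE_DESTINATION_PREFIX = "storage.googleapis.com/"

# Constructed project IAM policy with Data Access audit logs configured.
PROJECT_POLICY = {
    "bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}],
    "auditConfigs": [{"service": "allServices",
                      "auditLogConfigs": [{"logType": "ADMIN_READ"},
                                          {"logType": "DATA_READ"},
                                          {"logType": "DATA_WRITE"}]}],
}
# Constructed log sinks; the first exports to a Cloud Storage bucket.
SINKS = [
    {"name": "audit-export", "destination": "storage.googleapis.com/audit-logs-bucket",
     "filter": 'logName:"cloudaudit.googleapis.com"', "includeChildren": True},
    {"name": "errors-to-bq",
     "destination": "bigquery.googleapis.com/projects/example-project/datasets/errors",
     "filter": "severity>=ERROR", "includeChildren": False},
]
# Constructed bucket metadata.
BUCKETS = [
    {"name": "audit-logs-bucket",
     "logging": {"logBucket": "access-logs", "logObjectPrefix": "audit-logs-bucket"},
     "retentionPolicy": {"retentionPeriod": "31536000", "isLocked": False},
     "versioning": {"enabled": False}},
    {"name": "app-assets", "versioning": {"enabled": True}},
]


def audit_logging_disabled(policy):
    """AUDIT_LOGGING_DISABLED: no auditConfig entry carries a non-empty
    auditLogConfigs list in the IAM allow policy."""
    return not any(cfg.get("auditLogConfigs") for cfg in policy.get("auditConfigs", []))


def log_not_exported(sinks):
    """LOG_NOT_EXPORTED: no sink has includeChildren=true, a destination and a filter."""
    return not any(s.get("includeChildren") and s.get("destination") and s.get("filter")
                   for s in sinks)


def log_bucket_names(sinks):
    """Buckets that are sink destinations; the bucket detectors below apply to them."""
    return {s["destination"][len(STORAGE_DESTINATION_PREFIX):]
            for s in sinks
            if s.get("destination", "").startswith(STORAGE_DESTINATION_PREFIX)}


def bucket_logging_disabled(buckets):
    """BUCKET_LOGGING_DISABLED: logging.logBucket empty or absent, on any bucket."""
    return [b["name"] for b in buckets if not b.get("logging", {}).get("logBucket")]


def locked_retention_policy_not_set(buckets, sinks):
    """LOCKED_RETENTION_POLICY_NOT_SET: log buckets whose retentionPolicy.isLocked
    is not true."""
    log_buckets = log_bucket_names(sinks)
    return [b["name"] for b in buckets if b["name"] in log_buckets
            and not b.get("retentionPolicy", {}).get("isLocked")]


def object_versioning_disabled(buckets, sinks):
    """OBJECT_VERSIONING_DISABLED: log buckets with versioning.enabled not true;
    buckets with a locked retention policy are excluded, as the page states."""
    log_buckets = log_bucket_names(sinks)
    return [b["name"] for b in buckets if b["name"] in log_buckets
            and not b.get("retentionPolicy", {}).get("isLocked")
            and not b.get("versioning", {}).get("enabled")]


def evaluate(policy=PROJECT_POLICY, sinks=SINKS, buckets=BUCKETS):
    """All five checks for one project; a True or non-empty value is a finding."""
    return {
        "AUDIT_LOGGING_DISABLED": audit_logging_disabled(policy),
        "LOG_NOT_EXPORTED": log_not_exported(sinks),
        "BUCKET_LOGGING_DISABLED": bucket_logging_disabled(buckets),
        "LOCKED_RETENTION_POLICY_NOT_SET": locked_retention_policy_not_set(buckets, sinks),
        "OBJECT_VERSIONING_DISABLED": object_versioning_disabled(buckets, sinks),
    }


if __name__ == "__main__":
    for category, result in evaluate().items():
        print(f"{category}: {result}")
```

The sink-destination lookup is what the page calls the "additional input" for the retention and versioning detectors: those two only apply to buckets that actually receive exported logs, so a bucket with no sink pointing at it (app-assets here) is skipped by them even though it still appears under BUCKET_LOGGING_DISABLED.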

Monitoring vulnerability findings

Vulnerabilities of this detector type all relate to monitoring configurations, and belong to the MONITORING_SCANNER type. All Monitoring detector finding properties include:

  • The RecommendedLogFilter to use in creating the log metrics.
  • The QualifiedLogMetricNames that cover the conditions listed in the recommended log filter.
  • The AlertPolicyFailureReasons that indicate if the project does not have alert policies created for any of the qualified log metrics or the existing alert policies don't have the recommended settings.

Detector Summary Asset scan settings
Audit config not monitored

Category name in the API: AUDIT_CONFIG_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Audit Configuration changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.5
  • CIS GCP Foundation 1.1: 2.5
  • CIS GCP Foundation 1.2: 2.5
  • CIS GCP Foundation 1.3: 2.5
  • CIS GCP Foundation 2.0: 2.5
  • CIS GCP Foundation 3.0: 2.5
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
Checks whether the filter property of the project's LogsMetric resource is set to protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*, and if resource.type is specified, that the value is global. The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No
Bucket IAM not monitored

Category name in the API: BUCKET_IAM_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.10
  • CIS GCP Foundation 1.1: 2.10
  • CIS GCP Foundation 1.2: 2.10
  • CIS GCP Foundation 1.3: 2.10
  • CIS GCP Foundation 2.0: 2.10
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
Checks whether the filter property of the project's LogsMetric resource is set to resource.type=gcs_bucket AND protoPayload.methodName="storage.setIamPermissions". The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No
Custom role not monitored

Category name in the API: CUSTOM_ROLE_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Custom Role changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.6
  • CIS GCP Foundation 1.1: 2.6
  • CIS GCP Foundation 1.2: 2.6
  • CIS GCP Foundation 1.3: 2.6
  • CIS GCP Foundation 2.0: 2.6
  • CIS GCP Foundation 3.0: 2.6
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
Checks whether the filter property of the project's LogsMetric resource is set to resource.type="iam_role" AND (protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No
Firewall not monitored

Category name in the API: FIREWALL_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Virtual Private Cloud (VPC) Network Firewall rule changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.7
  • CIS GCP Foundation 1.1: 2.7
  • CIS GCP Foundation 1.2: 2.7
  • CIS GCP Foundation 1.3: 2.7
  • CIS GCP Foundation 2.0: 2.7
  • CIS GCP Foundation 3.0: 2.7
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
Checks whether the filter property of the project's LogsMetric resource is set to resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.delete"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No
Network not monitored

Category name in the API: NETWORK_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor VPC network changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.9
  • CIS GCP Foundation 1.1: 2.9
  • CIS GCP Foundation 1.2: 2.9
  • CIS GCP Foundation 1.3: 2.9
  • CIS GCP Foundation 2.0: 2.9
  • CIS GCP Foundation 3.0: 2.9
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
Checks whether the filter property of the project's LogsMetric resource is set to resource.type="gce_network" AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No
Owner not monitored

Category name in the API: OWNER_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.4
  • CIS GCP Foundation 1.1: 2.4
  • CIS GCP Foundation 1.2: 2.4
  • CIS GCP Foundation 1.3: 2.4
  • CIS GCP Foundation 2.0: 2.4
  • CIS GCP Foundation 3.0: 2.4
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2
Checks whether the filter property of the project's LogsMetric resource is set to (protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner"), and if resource.type is specified, that the value is global. The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No
Route not monitored

Category name in the API: ROUTE_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor VPC network route changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.8
  • CIS GCP Foundation 1.1: 2.8
  • CIS GCP Foundation 1.2: 2.8
  • CIS GCP Foundation 1.3: 2.8
  • CIS GCP Foundation 2.0: 2.8
  • CIS GCP Foundation 3.0: 2.8
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
Checks whether the filter property of the project's LogsMetric resource is set to resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert"). The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No
SQL instance not monitored

Category name in the API: SQL_INSTANCE_NOT_MONITORED

Finding description: Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 2.8
  • CIS GCP Foundation 1.1: 2.8
  • CIS GCP Foundation 1.2: 2.8
  • CIS GCP Foundation 1.3: 2.8
  • CIS GCP Foundation 2.0: 2.8
  • CIS GCP Foundation 3.0: 2.8
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2, 8.5
Checks whether the filter property of the project's LogsMetric resource is set to protoPayload.methodName="cloudsql.instances.update" OR protoPayload.methodName="cloudsql.instances.create" OR protoPayload.methodName="cloudsql.instances.delete", and if resource.type is specified, that the value is global. The detector also searches for a corresponding alertPolicy resource, checking that the conditions and notificationChannels properties are properly configured.
  • Additional IAM permissions: roles/monitoring.alertPolicyViewer
  • Additional inputs: Reads log metrics for the project from storage. Reads Google Cloud Observability account information from Google Cloud Observability, filing findings only for projects with active accounts
  • Real-time scans: No
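
Every monitoring detector above follows the same two-step logic: find the project's log metrics whose filter matches the recommended filter (a resource.type clause is tolerated only if its value is global), then confirm an alert policy with configured conditions and notificationChannels exists for one of those metrics. The following Python is an added example, not Security Command Center code: it implements that logic for three of the recommended filters quoted on this page, over constructed log metrics and alert policies in the JSON shapes of `gcloud logging metrics list --format=json` and `gcloud alpha monitoring policies list --format=json`, and reports results under the three property names the page lists (RecommendedLogFilter, QualifiedLogMetricNames, AlertPolicyFailureReasons). The metric names, policy names, notification channel ids and the exact wording of the failure reasons are this example's own.

```python
"""Monitoring checks: does a project have a log metric whose filter matches
the recommended filter, and an alert policy wired to it?

Added example, not Security Command Center code. Recommended filters are the
ones quoted on this page for three detectors; log metrics and alert policies
are constructed.
"""
import re

RECOMMENDED_LOG_FILTERS = {
    "AUDIT_CONFIG_NOT_MONITORED":
        'protoPayload.methodName="SetIamPolicy" AND '
        'protoPayload.serviceData.policyDelta.auditConfigDeltas:*',
    "BUCKET_IAM_NOT_MONITORED":
        'resource.type=gcs_bucket AND protoPayload.methodName="storage.setIamPermissions"',
    "ROUTE_NOT_MONITORED":
        'resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" '
        'OR protoPayload.methodName:"compute.routes.insert")',
}
USER_METRIC_PREFIX = "logging.googleapis.com/user/"  # metric type of a user log metric

# Constructed log metrics and alert policies for one project.
LOG_METRICS = [
    {"name": "audit-config-changes",
     "filter": 'resource.type="global" AND protoPayload.methodName="SetIamPolicy" AND '
               'protoPayload.serviceData.policyDelta.auditConfigDeltas:*'},
    {"name": "bucket-iam-changes",
     "filter": 'resource.type=gcs_bucket AND protoPayload.methodName="storage.setIamPermissions"'},
    {"name": "app-errors", "filter": "severity>=ERROR"},
]
ALERT_POLICIES = [
    {"displayName": "Audit config changed", "enabled": True,
     "conditions": [{"conditionThreshold": {
         "filter": 'metric.type="logging.googleapis.com/user/audit-config-changes"'}}],
     "notificationChannels": ["projects/example-project/notificationChannels/1"]},
    {"displayName": "Bucket IAM changed", "enabled": True,
     "conditions": [{"conditionThreshold": {
         "filter": 'metric.type="logging.googleapis.com/user/bucket-iam-changes"'}}],
     "notificationChannels": []},
]

# A resource.type=global clause, optionally joined by AND on either side.
_GLOBAL_CLAUSE = re.compile(
    r'\s*(AND\s+)?resource\.type\s*=\s*"?global"?\s*(AND\s*)?', re.IGNORECASE)


def _drop_global(match):
    # Keep one AND when the clause sat between two other terms.
    return " AND " if match.group(1) and match.group(2) else " "


def normalize_filter(text):
    """Remove the tolerated resource.type=global clause and collapse whitespace
    so a metric filter can be compared with the recommended filter as a string."""
    return " ".join(_GLOBAL_CLAUSE.sub(_drop_global, text).split())


def qualified_log_metrics(category, metrics):
    """QualifiedLogMetricNames: metrics whose filter matches the recommended one."""
    wanted = normalize_filter(RECOMMENDED_LOG_FILTERS[category])
    return [m["name"] for m in metrics if normalize_filter(m["filter"]) == wanted]


def alert_policy_failure_reasons(metric_names, policies):
    """AlertPolicyFailureReasons per qualified metric: an enabled alert policy
    must reference the metric in a condition and have a notification channel.
    An empty list for a metric means a correctly wired policy exists."""
    reasons = {}
    for name in metric_names:
        metric_type = USER_METRIC_PREFIX + name
        matching = [p for p in policies if p.get("enabled")
                    and any(metric_type in c.get("conditionThreshold", {}).get("filter", "")
                            for c in p.get("conditions", []))]
        problems = [] if matching else [f"no enabled alert policy references {metric_type}"]
        problems += [f"alert policy '{p['displayName']}' has no notification channels"
                     for p in matching if not p.get("notificationChannels")]
        reasons[name] = problems
    return reasons


def evaluate(category, metrics=LOG_METRICS, policies=ALERT_POLICIES):
    """Mirror the finding properties listed on this page for one detector."""
    names = qualified_log_metrics(category, metrics)
    reasons = alert_policy_failure_reasons(names, policies)
    # A finding is filed when no qualified metric has a correctly configured policy.
    finding = not names or all(reasons[n] for n in names)
    return {"RecommendedLogFilter": RECOMMENDED_LOG_FILTERS[category],
            "QualifiedLogMetricNames": names,
            "AlertPolicyFailureReasons": reasons,
            "finding": finding}


if __name__ == "__main__":
    for category in RECOMMENDED_LOG_FILTERS:
        print(category, evaluate(category))
```

With the constructed inputs the audit-config metric passes, the bucket-IAM metric qualifies but its policy has no notification channel (so the finding is still filed), and no metric matches the route filter at all. Adding the remaining recommended filters from the table to RECOMMENDED_LOG_FILTERS covers the other monitoring detectors without further changes.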

Multi-factor authentication findings

The MFA_SCANNER detector identifies vulnerabilities related to multi-factor authentication for users.

Detector Summary Asset scan settings
MFA not enforced

Category name in the API: MFA_NOT_ENFORCED

There are users who aren't using 2-Step Verification.

Google Workspace lets you specify an enrollment grace period for new users during which they must enroll in 2-Step Verification. This detector does create findings for users during the enrollment grace period.

This finding isn't available for project-level activations.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Organization

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 1.2
  • CIS GCP Foundation 1.1: 1.2
  • CIS GCP Foundation 1.2: 1.2
  • CIS GCP Foundation 1.3: 1.2
  • CIS GCP Foundation 2.0: 1.2
  • CIS GCP Foundation 3.0: 1.2
  • NIST 800-53 R4: IA-2
  • PCI-DSS v3.2.1: 8.3
  • ISO-27001 v2013: A.9.4.2
  • ISO-27001 v2022: A.8.5

Evaluates identity management policies in organizations and user settings for managed accounts in Cloud Identity.

  • Assets excluded from scans: Organization units granted exceptions to the policy
  • Additional inputs: Reads data from Google Workspace
  • Real-time scans: No

Network vulnerability findings

Vulnerabilities of this detector type all relate to an organization's network configurations, and belong to the NETWORK_SCANNER type.

Detector Summary Asset scan settings
Default network

Category name in the API: DEFAULT_NETWORK

Finding description: The default network exists in a project.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Network

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.1
  • CIS GCP Foundation 1.1: 3.1
  • CIS GCP Foundation 1.2: 3.1
  • CIS GCP Foundation 1.3: 3.1
  • CIS GCP Foundation 2.0: 3.1
  • CIS GCP Foundation 3.0: 3.1
  • NIST 800-53 R5: AC-18, CM-2, CM-6, CM-7, CM-9
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.4.2, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2022: A.8.9
  • Cloud Controls Matrix 4: IVS-04
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC5.2.2
  • CIS Controls 8.0: 4.2

Checks whether the name property in network metadata is set to default.

  • Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state
  • Real-time scans: Yes

DNS logging disabled

Category name in the API: DNS_LOGGING_DISABLED

Finding description: DNS logging on a VPC network is not enabled.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Network
dns.googleapis.com/Policy

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 2.12
  • CIS GCP Foundation 1.3: 2.12
  • CIS GCP Foundation 2.0: 2.12
  • CIS GCP Foundation 3.0: 2.12
  • NIST 800-53 R5: AU-6, AU-7
  • PCI-DSS v4.0: 10.4.1, 10.4.1.1, 10.4.2, 10.4.3
  • ISO-27001 v2022: A.5.25
  • Cloud Controls Matrix 4: LOG-05
  • NIST Cybersecurity Framework 1.0: DE-AE-2, PR-PT-1, RS-AN-1
  • SOC2 v2017: CC4.1.1, CC4.1.2, CC4.1.3, CC4.1.4, CC4.1.5, CC4.1.6, CC4.1.7, CC4.1.8, CC7.3.1, CC7.3.2, CC7.3.3, CC7.3.4, CC7.3.5
  • HIPAA: 164.308(a)(1)(ii), 164.312(b)
  • CIS Controls 8.0: 8.11, 8.2, 8.6

Checks all policies that are associated with a VPC network through the networks[].networkUrl field, and looks for at least one policy that has enableLogging set to true.

  • Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state
  • Real-time scans: Yes

Legacy network

Category name in the API: LEGACY_NETWORK

Finding description: A legacy network exists in a project.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Network

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.2
  • CIS GCP Foundation 1.1: 3.2
  • CIS GCP Foundation 1.2: 3.2
  • CIS GCP Foundation 1.3: 3.2
  • CIS GCP Foundation 2.0: 3.2
  • CIS GCP Foundation 3.0: 3.2
  • NIST 800-53 R5: AC-18, CM-2, CM-6, CM-7, CM-9
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.4.2, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2022: A.8.9
  • Cloud Controls Matrix 4: IVS-04
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC5.2.2
  • CIS Controls 8.0: 4.2

Checks network metadata for existence of the IPv4Range property.

  • Assets excluded from scans: Projects where Compute Engine API is disabled and Compute Engine resources are in a frozen state
  • Real-time scans: Yes

Load balancer logging disabled

Category name in the API: LOAD_BALANCER_LOGGING_DISABLED

Finding description: Logging is disabled for the load balancer.

Pricing tier: Premium

Supported assets
compute.googleapis.com/BackendServices

Fix this finding

Compliance standards:

  • CIS GCP Foundation 2.0: 2.16
  • CIS GCP Foundation 3.0: 2.16
  • NIST 800-53 R5: AU-12, AU-2, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1, 10.2.1.2, 10.2.1.3, 10.2.1.4, 10.2.1.5, 10.2.1.6, 10.2.1.7, 10.2.2, 5.3.4, 6.4.1, 6.4.2
  • ISO-27001 v2022: A.8.15, A.8.20
  • Cloud Controls Matrix 4: LOG-08
  • NIST Cybersecurity Framework 1.0: DE-AE-3, PR-PT-1
  • HIPAA: 164.312(b)
  • CIS Controls 8.0: 8.2

Checks whether the enableLogging property of the backend service on the load balancer is set to true.

  • Real-time scans: Yes

Organization Policy vulnerability findings

Vulnerabilities of this detector type all relate to configurations of Organization Policy constraints, and belong to the ORG_POLICY type.

Detector Summary Asset scan settings
Org policy Confidential VM policy

Category name in the API: ORG_POLICY_CONFIDENTIAL_VM_POLICY

Finding description: A Compute Engine resource is out of compliance with the constraints/compute.restrictNonConfidentialComputing organization policy. For more information about this org policy constraint, see Enforcing organization policy constraints in Confidential VM.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Instance

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks whether the enableConfidentialCompute property of a Compute Engine instance is set to true.

  • Assets excluded from scans: GKE instances
  • Additional IAM permissions: permissions/orgpolicy.policy.get
  • Additional inputs: Reads the effective org policy from the org policy service
  • Real-time scans: No

Org policy location restriction

Category name in the API: ORG_POLICY_LOCATION_RESTRICTION

Finding description: A Compute Engine resource is out of compliance with the constraints/gcp.resourceLocations constraint. For more information about this org policy constraint, see Enforcing organization policy constraints.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Pricing tier: Premium

Supported assets
See the list under Supported assets for ORG_POLICY_LOCATION_RESTRICTION, which follows this detector's entry.

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the listPolicy property in the metadata of supported resources for a list of allowed or denied locations.

  • Additional IAM permissions: permissions/orgpolicy.policy.get
  • Additional inputs: Reads the effective org policy from the org policy service
  • Real-time scans: No

Supported assets for ORG_POLICY_LOCATION_RESTRICTION

Compute Engine
compute.googleapis.com/Autoscaler
compute.googleapis.com/Address
compute.googleapis.com/Commitment
compute.googleapis.com/Disk
compute.googleapis.com/ForwardingRule
compute.googleapis.com/HealthCheck
compute.googleapis.com/Image
compute.googleapis.com/Instance
compute.googleapis.com/InstanceGroup
compute.googleapis.com/InstanceGroupManager
compute.googleapis.com/InterconnectAttachment
compute.googleapis.com/NetworkEndpointGroup
compute.googleapis.com/NodeGroup
compute.googleapis.com/NodeTemplate
compute.googleapis.com/PacketMirroring
compute.googleapis.com/RegionBackendService
compute.googleapis.com/RegionDisk
compute.googleapis.com/ResourcePolicy
compute.googleapis.com/Reservation
compute.googleapis.com/Router
compute.googleapis.com/Snapshot
compute.googleapis.com/SslCertificate
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpProxy
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetInstance
compute.googleapis.com/TargetPool
compute.googleapis.com/TargetVpnGateway
compute.googleapis.com/UrlMap
compute.googleapis.com/VpnGateway
compute.googleapis.com/VpnTunnel

GKE
container.googleapis.com/Cluster
container.googleapis.com/NodePool

Cloud Storage
storage.googleapis.com/Bucket

Cloud KMS
cloudkms.googleapis.com/CryptoKey [1]
cloudkms.googleapis.com/CryptoKeyVersion [1]
cloudkms.googleapis.com/ImportJob [2]
cloudkms.googleapis.com/KeyRing [1]

Dataproc
dataproc.googleapis.com/Cluster

BigQuery
bigquery.googleapis.com/Dataset

Dataflow
dataflow.googleapis.com/Job [3]

Cloud SQL
sqladmin.googleapis.com/Instance

Cloud Composer
composer.googleapis.com/Environment

Logging
logging.googleapis.com/LogBucket

Pub/Sub
pubsub.googleapis.com/Topic

Vertex AI
aiplatform.googleapis.com/BatchPredictionJob
aiplatform.googleapis.com/CustomJob
aiplatform.googleapis.com/Dataset
aiplatform.googleapis.com/Endpoint
aiplatform.googleapis.com/HyperparameterTuningJob
aiplatform.googleapis.com/Model
aiplatform.googleapis.com/SpecialistPool
aiplatform.googleapis.com/TrainingPipeline

Artifact Registry
artifactregistry.googleapis.com/Repository

[1] Because Cloud KMS assets cannot be deleted, the asset is not considered out-of-region if the asset's data has been destroyed.

[2] Because Cloud KMS import jobs have a controlled lifecycle and cannot be terminated early, an ImportJob is not considered out-of-region if the job is expired and can no longer be used to import keys.

[3] Because the lifecycle of Dataflow jobs cannot be managed, a Job is not considered out-of-region once it has reached a terminal state (stopped or drained), where it can no longer be used to process data.

Pub/Sub vulnerability findings

Vulnerabilities of this detector type all relate to Pub/Sub configurations, and belong to the PUBSUB_SCANNER type.

Detector Summary Asset scan settings
Pubsub CMEK disabled

Category name in the API: PUBSUB_CMEK_DISABLED

Finding description: A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
pubsub.googleapis.com/Topic

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the kmsKeyName field for the resource name of your CMEK.

  • Real-time scans: Yes

SQL vulnerability findings

Vulnerabilities of this detector type all relate to Cloud SQL configurations, and belong to the SQL_SCANNER type.

Detector Summary Asset scan settings
AlloyDB auto backup disabled

Category name in the API: ALLOYDB_AUTO_BACKUP_DISABLED

Finding description: An AlloyDB for PostgreSQL cluster doesn't have automatic backups enabled.

Pricing tier: Premium

Supported assets
alloydb.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • NIST 800-53 R4: CP-9
  • NIST 800-53 R5: CP-10, CP-9
  • ISO-27001 v2013: A.12.3.1
  • ISO-27001 v2022: A.8.13
  • NIST Cybersecurity Framework 1.0: PR-IP-4
  • HIPAA: 164.308(a)(7)(ii)

Checks whether the automated_backup_policy.enabled property in the metadata of an AlloyDB for PostgreSQL cluster is set to true.

  • Assets excluded from scans: AlloyDB for PostgreSQL secondary clusters
  • Real-time scans: Yes

AlloyDB backups disabled

Category name in the API: ALLOYDB_BACKUPS_DISABLED

Finding description: An AlloyDB for PostgreSQL cluster doesn't have backups enabled.

Pricing tier: Premium

Supported assets
alloydb.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • NIST 800-53 R4: CP-9
  • NIST 800-53 R5: CP-10, CP-9
  • ISO-27001 v2013: A.12.3.1
  • ISO-27001 v2022: A.8.13
  • NIST Cybersecurity Framework 1.0: PR-IP-4
  • HIPAA: 164.308(a)(7)(ii)

Checks whether either the automated_backup_policy.enabled or the continuous_backup_policy.enabled property in the metadata of an AlloyDB for PostgreSQL cluster is set to true.

  • Assets excluded from scans: AlloyDB for PostgreSQL secondary clusters
  • Real-time scans: Yes

AlloyDB CMEK disabled

Category name in the API: ALLOYDB_CMEK_DISABLED

Finding description: An AlloyDB cluster is not encrypted with customer-managed encryption keys (CMEK).

Pricing tier: Premium

Supported assets
alloydb.googleapis.com/Cluster

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS Controls 8.0: 3.11

Checks the encryption_type field in the cluster metadata to determine whether CMEK is enabled.

  • Real-time scans: Yes

AlloyDB log min error statement severity

Category name in the API: ALLOYDB_LOG_MIN_ERROR_STATEMENT_SEVERITY

Finding description: The log_min_error_statement database flag for an AlloyDB for PostgreSQL instance is not set to error or another recommended value.

Pricing tier: Premium

Supported assets
alloydb.googleapis.com/Instances

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3

To ensure adequate coverage of message types in the logs, issues a finding if the log_min_error_statement field of the databaseFlags property is not set to one of the following values: debug5, debug4, debug3, debug2, debug1, info, notice, warning, or the default value error.

  • Real-time scans: Yes

AlloyDB log min messages

Category name in the API: ALLOYDB_LOG_MIN_MESSAGES

Finding description: The log_min_messages database flag for an AlloyDB for PostgreSQL instance is not set to warning or another recommended value.

Pricing tier: Premium

Supported assets
alloydb.googleapis.com/Instances

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3

To ensure adequate coverage of message types in the logs, issues a finding if the log_min_messages field of the databaseFlags property is not set to one of the following values: debug5, debug4, debug3, debug2, debug1, info, notice, or the default value warning.

  • Real-time scans: Yes

AlloyDB log error verbosity

Category name in the API: ALLOYDB_LOG_ERROR_VERBOSITY

Finding description: The log_error_verbosity database flag for an AlloyDB for PostgreSQL instance is not set to default or another recommended value.

Pricing tier: Premium

Supported assets
alloydb.googleapis.com/Instances

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3

To ensure adequate coverage of message types in the logs, issues a finding if the log_error_verbosity field of the databaseFlags property is not set to one of the following values: verbose or the default value default.

  • Real-time scans: Yes

AlloyDB public IP

Category name in the API: ALLOYDB_PUBLIC_IP

Finding description: An AlloyDB for PostgreSQL database instance has a public IP address.

Pricing tier: Premium

Supported assets
alloydb.googleapis.com/Instances

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-3, AC-5, AC-6, MA-4, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.2, CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3, 4.6

Checks whether the enablePublicIp field of the instanceNetworkConfig property is configured to allow public IP addresses.

  • Real-time scans: Yes

AlloyDB SSL not enforced

Category name in the API: ALLOYDB_SSL_NOT_ENFORCED

Finding description: An AlloyDB for PostgreSQL database instance doesn't require all incoming connections to use SSL.

Pricing tier: Premium

Supported assets
alloydb.googleapis.com/Instances

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 4.1
  • ISO-27001 v2013: A.13.2.1, A.14.1.3, A.8.2.3

Checks whether the sslMode property of the AlloyDB for PostgreSQL instance is set to ENCRYPTED_ONLY.

  • Real-time scans: Yes

Auto backup disabled

Category name in the API: AUTO_BACKUP_DISABLED

Finding description: A Cloud SQL database doesn't have automatic backups enabled.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.7
  • CIS GCP Foundation 1.2: 6.7
  • CIS GCP Foundation 1.3: 6.7
  • CIS GCP Foundation 2.0: 6.7
  • CIS GCP Foundation 3.0: 6.7
  • NIST 800-53 R4: CP-9
  • NIST 800-53 R5: CP-10, CP-9
  • ISO-27001 v2013: A.12.3.1
  • ISO-27001 v2022: A.8.13
  • NIST Cybersecurity Framework 1.0: PR-IP-4
  • HIPAA: 164.308(a)(7)(ii)
  • CIS Controls 8.0: 11.2

Checks whether the backupConfiguration.enabled property of a Cloud SQL instance is set to true.

  • Assets excluded from scans: Cloud SQL replicas
  • Additional inputs: Reads IAM allow policies for ancestors from Security Health Analytics asset storage
  • Real-time scans: Yes

Public SQL instance

Category name in the API: PUBLIC_SQL_INSTANCE

Finding description: A Cloud SQL database instance accepts connections from all IP addresses.

Pricing tier: Premium or Standard

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 6.2
  • CIS GCP Foundation 1.1: 6.5
  • CIS GCP Foundation 1.2: 6.5
  • CIS GCP Foundation 1.3: 6.5
  • CIS GCP Foundation 2.0: 6.5
  • CIS GCP Foundation 3.0: 6.5
  • NIST 800-53 R4: CA-3, SC-7
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 1.2.1
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.13.1.3, A.14.1.3, A.8.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks whether the authorizedNetworks property of Cloud SQL instances is set to a single IP address or an IP address range.

  • Real-time scans: Yes

SSL not enforced

Category name in the API: SSL_NOT_ENFORCED

Finding description: A Cloud SQL database instance doesn't require all incoming connections to use SSL.

Pricing tier: Premium or Standard

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • NIST 800-53 R4: SC-7
  • PCI-DSS v3.2.1: 4.1
  • ISO-27001 v2013: A.13.2.1, A.14.1.3, A.8.2.3

Checks whether the sslMode property of the Cloud SQL instance is set to an approved SSL mode, either ENCRYPTED_ONLY or TRUSTED_CLIENT_CERTIFICATE_REQUIRED.

  • Real-time scans: Yes

SQL CMEK disabled

Category name in the API: SQL_CMEK_DISABLED

Finding description: A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the kmsKeyName field in the diskEncryptionKey object, in instance metadata, for the resource name of your CMEK.

  • Real-time scans: Yes

SQL contained database authentication

Category name in the API: SQL_CONTAINED_DATABASE_AUTHENTICATION

Finding description: The contained database authentication database flag for a Cloud SQL for SQL Server instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.3.2
  • CIS GCP Foundation 1.2: 6.3.7
  • CIS GCP Foundation 1.3: 6.3.7
  • CIS GCP Foundation 2.0: 6.3.7
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the databaseFlags property of instance metadata for the key-value pair "name": "contained database authentication", "value": "on", or whether the flag is enabled by default.

  • Real-time scans: Yes

SQL cross DB ownership chaining

Category name in the API: SQL_CROSS_DB_OWNERSHIP_CHAINING

Finding description: The cross_db_ownership_chaining database flag for a Cloud SQL for SQL Server instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.3.1
  • CIS GCP Foundation 1.2: 6.3.2
  • CIS GCP Foundation 1.3: 6.3.2
  • CIS GCP Foundation 2.0: 6.3.2
  • CIS GCP Foundation 3.0: 6.3.2
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the databaseFlags property of instance metadata for the key-value pair "name": "cross_db_ownership_chaining", "value": "on".

  • Real-time scans: Yes

SQL external scripts enabled

Category name in the API: SQL_EXTERNAL_SCRIPTS_ENABLED

Finding description: The external scripts enabled database flag for a Cloud SQL for SQL Server instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.3.1
  • CIS GCP Foundation 1.3: 6.3.1
  • CIS GCP Foundation 2.0: 6.3.1
  • CIS GCP Foundation 3.0: 6.3.1
  • NIST 800-53 R5: CM-7, SI-7
  • PCI-DSS v4.0: 1.2.5, 2.2.4, 6.4.3
  • NIST Cybersecurity Framework 1.0: PR-IP-1, PR-PT-3
  • SOC2 v2017: CC5.2.1, CC5.2.2, CC5.2.3, CC5.2.4
  • CIS Controls 8.0: 2.7

Checks the databaseFlags property of instance metadata for the key-value pair "name": "external scripts enabled", "value": "off".

  • Real-time scans: Yes

SQL local infile

Category name in the API: SQL_LOCAL_INFILE

Finding description: The local_infile database flag for a Cloud SQL for MySQL instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.1.2
  • CIS GCP Foundation 1.2: 6.1.3
  • CIS GCP Foundation 1.3: 6.1.3
  • CIS GCP Foundation 2.0: 6.1.3
  • CIS GCP Foundation 3.0: 6.1.3
  • NIST 800-53 R5: CM-6, CM-7
  • PCI-DSS v4.0: 2.2.1
  • ISO-27001 v2022: A.8.8
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • CIS Controls 8.0: 16.7

Checks the databaseFlags property of instance metadata for the key-value pair "name": "local_infile", "value": "on".

  • Real-time scans: Yes

SQL log checkpoints disabled

Category name in the API: SQL_LOG_CHECKPOINTS_DISABLED

Finding description: The log_checkpoints database flag for a Cloud SQL for PostgreSQL instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.2.1
  • CIS GCP Foundation 1.2: 6.2.1

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_checkpoints", "value": "on".

  • Real-time scans: Yes

SQL log connections disabled

Category name in the API: SQL_LOG_CONNECTIONS_DISABLED

Finding description: The log_connections database flag for a Cloud SQL for PostgreSQL instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.2.2
  • CIS GCP Foundation 1.2: 6.2.3
  • CIS GCP Foundation 1.3: 6.2.2
  • CIS GCP Foundation 2.0: 6.2.2
  • CIS GCP Foundation 3.0: 6.2.2
  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3
  • CIS Controls 8.0: 8.5

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_connections", "value": "on".

  • Real-time scans: Yes

SQL log disconnections disabled

Category name in the API: SQL_LOG_DISCONNECTIONS_DISABLED

Finding description: The log_disconnections database flag for a Cloud SQL for PostgreSQL instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.2.3
  • CIS GCP Foundation 1.2: 6.2.4
  • CIS GCP Foundation 1.3: 6.2.3
  • CIS GCP Foundation 2.0: 6.2.3
  • CIS GCP Foundation 3.0: 6.2.3
  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3
  • CIS Controls 8.0: 8.5

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_disconnections", "value": "on".

  • Real-time scans: Yes

SQL log duration disabled

Category name in the API: SQL_LOG_DURATION_DISABLED

Finding description: The log_duration database flag for a Cloud SQL for PostgreSQL instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.2.5

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_duration", "value": "on".

  • Real-time scans: Yes

SQL log error verbosity

Category name in the API: SQL_LOG_ERROR_VERBOSITY

Finding description: The log_error_verbosity database flag for a Cloud SQL for PostgreSQL instance is not set to default or verbose.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.2.2
  • CIS GCP Foundation 1.3: 6.2.1
  • CIS GCP Foundation 2.0: 6.2.1
  • CIS GCP Foundation 3.0: 6.2.1
  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3
  • CIS Controls 8.0: 8.5

Checks whether the log_error_verbosity field of the databaseFlags property in instance metadata is set to default or verbose.

  • Real-time scans: Yes

SQL log lock waits disabled

Category name in the API: SQL_LOG_LOCK_WAITS_DISABLED

Finding description: The log_lock_waits database flag for a Cloud SQL for PostgreSQL instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.2.4
  • CIS GCP Foundation 1.2: 6.2.6

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_lock_waits", "value": "on".

  • Real-time scans: Yes

SQL log min duration statement enabled

Category name in the API: SQL_LOG_MIN_DURATION_STATEMENT_ENABLED

Finding description: The log_min_duration_statement database flag for a Cloud SQL for PostgreSQL instance is not set to "-1".

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.2.7
  • CIS GCP Foundation 1.2: 6.2.16
  • CIS GCP Foundation 1.3: 6.2.8
  • CIS GCP Foundation 2.0: 6.2.7
  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3
  • CIS Controls 8.0: 8.5

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_min_duration_statement", "value": "-1".

  • Real-time scans: Yes

SQL log min error statement

Category name in the API: SQL_LOG_MIN_ERROR_STATEMENT

Finding description: The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is not set appropriately.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.2.5

Checks whether the log_min_error_statement field of the databaseFlags property is set to one of the following values: debug5, debug4, debug3, debug2, debug1, info, notice, warning, or the default value error.

  • Real-time scans: Yes

SQL log min error statement severity

Category name in the API: SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY

Finding description: The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance does not have an appropriate severity level.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.2.14
  • CIS GCP Foundation 1.3: 6.2.7
  • CIS GCP Foundation 2.0: 6.2.6
  • CIS GCP Foundation 3.0: 6.2.6
  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3
  • CIS Controls 8.0: 8.5

Checks whether the log_min_error_statement field of the databaseFlags property is set to one of the following values: error, log, fatal, or panic.

  • Real-time scans: Yes

SQL log min messages

Category name in the API: SQL_LOG_MIN_MESSAGES

Finding description: The log_min_messages database flag for a Cloud SQL for PostgreSQL instance is not set to warning or another recommended value.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.2.13
  • CIS GCP Foundation 1.3: 6.2.6
  • CIS GCP Foundation 2.0: 6.2.5
  • CIS GCP Foundation 3.0: 6.2.5
  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3
  • CIS Controls 8.0: 8.5

To ensure adequate coverage of message types in the logs, issues a finding if the log_min_messages field of the databaseFlags property is not set to one of the following values: debug5, debug4, debug3, debug2, debug1, info, notice, or the default value warning.

  • Real-time scans: Yes
SQL log executor stats enabled

Category name in the API: SQL_LOG_EXECUTOR_STATS_ENABLED

Finding description: The log_executor_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.2.11

Checks the log_executor_stats field of the databaseFlags property in the instance metadata and issues a finding if it is set to on.

  • Real-time scans: Yes
SQL log hostname enabled

Category name in the API: SQL_LOG_HOSTNAME_ENABLED

Finding description: The log_hostname database flag for a Cloud SQL for PostgreSQL instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.2.8

Checks the log_hostname field of the databaseFlags property in the instance metadata and issues a finding if it is set to on.

  • Real-time scans: Yes
SQL log parser stats enabled

Category name in the API: SQL_LOG_PARSER_STATS_ENABLED

Finding description: The log_parser_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.2.9

Checks the log_parser_stats field of the databaseFlags property in the instance metadata and issues a finding if it is set to on.

  • Real-time scans: Yes
SQL log planner stats enabled

Category name in the API: SQL_LOG_PLANNER_STATS_ENABLED

Finding description: The log_planner_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.2.10

Checks the log_planner_stats field of the databaseFlags property in the instance metadata and issues a finding if it is set to on.

  • Real-time scans: Yes
SQL log statement

Category name in the API: SQL_LOG_STATEMENT

Finding description: The log_statement database flag for a Cloud SQL for PostgreSQL instance is not set to ddl (all data definition statements).

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.2.7
  • CIS GCP Foundation 1.3: 6.2.4
  • CIS GCP Foundation 2.0: 6.2.4
  • CIS GCP Foundation 3.0: 6.2.4
  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3
  • CIS Controls 8.0: 8.5

Checks the log_statement field of the databaseFlags property in the instance metadata and issues a finding if it is not set to ddl.

  • Real-time scans: Yes
SQL log statement stats enabled

Category name in the API: SQL_LOG_STATEMENT_STATS_ENABLED

Finding description: The log_statement_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.2.12

Checks the log_statement_stats field of the databaseFlags property in the instance metadata and issues a finding if it is set to on.

  • Real-time scans: Yes
SQL log temp files

Category name in the API: SQL_LOG_TEMP_FILES

Finding description: The log_temp_files database flag for a Cloud SQL for PostgreSQL instance is not set to "0".

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.2.6
  • CIS GCP Foundation 1.2: 6.2.15

Checks the databaseFlags property of instance metadata for the key-value pair "name": "log_temp_files", "value": "0".

  • Real-time scans: Yes
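
The PostgreSQL flag detectors above all read the same structure, the settings.databaseFlags list of {"name", "value"} pairs on the Cloud SQL Admin API instance resource, and each one has a distinct pass condition (an accepted set of values, a single required value, or "not on"). The following added example is not code from this page or from Google; it re-implements those pass conditions offline over constructed flag lists, treating an absent flag as the PostgreSQL default (error, warning, off, none and -1 respectively), so you can see which categories would fire before a scan runs. Instance names and flag lists are constructed.

```python
"""Added example: evaluate the Cloud SQL for PostgreSQL logging-flag detectors
listed above against an instance's settings.databaseFlags list, offline."""
from typing import Dict, List

# Accepted values per detector, as described on this page. An absent flag
# means the PostgreSQL default applies (error / warning / off / none / -1).
LOG_MIN_ERROR_STATEMENT_OK = {"debug5", "debug4", "debug3", "debug2", "debug1",
                              "info", "notice", "warning", "error"}
LOG_MIN_ERROR_STATEMENT_SEVERITY_OK = {"error", "log", "fatal", "panic"}
LOG_MIN_MESSAGES_OK = {"debug5", "debug4", "debug3", "debug2", "debug1",
                       "info", "notice", "warning"}
STATS_FLAGS = {  # flag name -> finding category raised when the flag is on
    "log_executor_stats": "SQL_LOG_EXECUTOR_STATS_ENABLED",
    "log_hostname": "SQL_LOG_HOSTNAME_ENABLED",
    "log_parser_stats": "SQL_LOG_PARSER_STATS_ENABLED",
    "log_planner_stats": "SQL_LOG_PLANNER_STATS_ENABLED",
    "log_statement_stats": "SQL_LOG_STATEMENT_STATS_ENABLED",
}


def flags_to_dict(database_flags: List[Dict[str, str]]) -> Dict[str, str]:
    """settings.databaseFlags is a list of {"name": ..., "value": ...} pairs."""
    return {f["name"].lower(): str(f["value"]).lower() for f in database_flags}


def evaluate_postgres_flags(database_flags: List[Dict[str, str]]) -> List[str]:
    """Return the finding categories that would be raised, in page order."""
    flags = flags_to_dict(database_flags)
    findings: List[str] = []

    # Both log_min_error_statement detectors look at the same flag.
    err_stmt = flags.get("log_min_error_statement", "error")
    if err_stmt not in LOG_MIN_ERROR_STATEMENT_OK:
        findings.append("SQL_LOG_MIN_ERROR_STATEMENT")
    if err_stmt not in LOG_MIN_ERROR_STATEMENT_SEVERITY_OK:
        findings.append("SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY")

    if flags.get("log_min_messages", "warning") not in LOG_MIN_MESSAGES_OK:
        findings.append("SQL_LOG_MIN_MESSAGES")

    # The *_stats and log_hostname flags default to off; a finding means "on".
    for flag, category in STATS_FLAGS.items():
        if flags.get(flag, "off") == "on":
            findings.append(category)

    # log_statement defaults to none, so an absent flag is a finding.
    if flags.get("log_statement", "none") != "ddl":
        findings.append("SQL_LOG_STATEMENT")

    # log_temp_files defaults to -1 (never log), so absent is a finding too.
    if flags.get("log_temp_files", "-1") != "0":
        findings.append("SQL_LOG_TEMP_FILES")
    return findings


# Constructed sample inputs (not real instances).
HARDENED_FLAGS = [
    {"name": "log_min_error_statement", "value": "error"},
    {"name": "log_min_messages", "value": "warning"},
    {"name": "log_statement", "value": "ddl"},
    {"name": "log_temp_files", "value": "0"},
]
WEAK_FLAGS = [
    {"name": "log_min_error_statement", "value": "log"},  # passes SEVERITY, fails CIS 1.1
    {"name": "log_min_messages", "value": "panic"},
    {"name": "log_executor_stats", "value": "on"},
]

if __name__ == "__main__":
    print("hardened:", evaluate_postgres_flags(HARDENED_FLAGS))
    print("weak:", evaluate_postgres_flags(WEAK_FLAGS))
```

To feed a real instance, pull the list with `gcloud sql instances describe INSTANCE --format="json(settings.databaseFlags)"` and pass the databaseFlags array in. Note the interaction the sample exposes: the CIS 1.1 detector accepts debug5 through error for log_min_error_statement while the CIS 1.2+ severity detector accepts error, log, fatal or panic, so error is the only value that satisfies both at once.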
SQL no root password

Category name in the API: SQL_NO_ROOT_PASSWORD

Finding description: A Cloud SQL database that has a public IP address doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 6.3
  • CIS GCP Foundation 1.1: 6.1.1
  • CIS GCP Foundation 1.2: 6.1.1
  • CIS GCP Foundation 1.3: 6.1.1
  • CIS GCP Foundation 2.0: 6.1.1
  • CIS GCP Foundation 3.0: 6.1.1
  • NIST 800-53 R4: AC-3
  • PCI-DSS v3.2.1: 2.1
  • ISO-27001 v2013: A.8.2.3, A.9.4.2
  • ISO-27001 v2022: A.8.5

Checks whether the rootPassword property of the root account is empty.

  • Additional IAM permissions: roles/cloudsql.client
  • Additional inputs: Queries live instances
  • Real-time scans: No
SQL public IP

Category name in the API: SQL_PUBLIC_IP

Finding description: A Cloud SQL database has a public IP address.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.1: 6.6
  • CIS GCP Foundation 1.2: 6.6
  • CIS GCP Foundation 1.3: 6.6
  • CIS GCP Foundation 2.0: 6.2.9, 6.6
  • CIS GCP Foundation 3.0: 6.2.9, 6.6
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MA-4, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.2, CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3, 4.6

Checks whether the IP address type of a Cloud SQL database is set to Primary, indicating it is public.

  • Real-time scans: Yes
SQL remote access enabled

Category name in the API: SQL_REMOTE_ACCESS_ENABLED

Finding description: The remote access database flag for a Cloud SQL for SQL Server instance is not set to off.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.3.5
  • CIS GCP Foundation 1.3: 6.3.5
  • CIS GCP Foundation 2.0: 6.3.5
  • CIS GCP Foundation 3.0: 6.3.5
  • NIST 800-53 R5: CM-6, CM-7
  • PCI-DSS v4.0: 1.2.5, 2.2.4, 6.4.1
  • ISO-27001 v2022: A.8.9
  • SOC2 v2017: CC6.6.1, CC6.6.3, CC6.6.4
  • CIS Controls 8.0: 4.8

Checks the databaseFlags property of instance metadata for the key-value pair "name": "remote access", "value": "off".

  • Real-time scans: Yes
SQL skip show database disabled

Category name in the API: SQL_SKIP_SHOW_DATABASE_DISABLED

Finding description: The skip_show_database database flag for a Cloud SQL for MySQL instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.1.2
  • CIS GCP Foundation 1.3: 6.1.2
  • CIS GCP Foundation 2.0: 6.1.2
  • CIS GCP Foundation 3.0: 6.1.2
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the databaseFlags property of instance metadata for the key-value pair "name": "skip_show_database", "value": "on".

  • Real-time scans: Yes
SQL trace flag 3625

Category name in the API: SQL_TRACE_FLAG_3625

Finding description: The 3625 (trace flag) database flag for a Cloud SQL for SQL Server instance is not set to on.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.3.6
  • CIS GCP Foundation 2.0: 6.3.6
  • CIS GCP Foundation 3.0: 6.3.6
  • NIST 800-53 R5: CM-1, CM-2, CM-6, CM-7, CM-9, SA-10, SA-3, SA-8
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2022: A.8.1, A.8.9
  • Cloud Controls Matrix 4: CCC-01
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC7.1.2, CC7.1.3, CC7.1.4, CC8.1.1, CC8.1.10, CC8.1.11, CC8.1.12, CC8.1.13, CC8.1.14, CC8.1.15, CC8.1.2, CC8.1.3, CC8.1.4, CC8.1.5, CC8.1.6, CC8.1.7, CC8.1.8, CC8.1.9
  • CIS Controls 8.0: 4.1

Checks the databaseFlags property of instance metadata for the key-value pair "name": "3625 (trace flag)", "value": "on".

  • Real-time scans: Yes
SQL user connections configured

Category name in the API: SQL_USER_CONNECTIONS_CONFIGURED

Finding description: The user connections database flag for a Cloud SQL for SQL Server instance is configured.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.3.3
  • CIS GCP Foundation 1.3: 6.3.3
  • CIS GCP Foundation 2.0: 6.3.3
  • CIS GCP Foundation 3.0: 6.3.3
  • NIST 800-53 R5: CM-1, CM-2, CM-6, CM-7, CM-9, SA-10, SA-3, SA-8
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2022: A.8.1, A.8.9
  • Cloud Controls Matrix 4: CCC-01
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC7.1.2, CC7.1.3, CC7.1.4, CC8.1.1, CC8.1.10, CC8.1.11, CC8.1.12, CC8.1.13, CC8.1.14, CC8.1.15, CC8.1.2, CC8.1.3, CC8.1.4, CC8.1.5, CC8.1.6, CC8.1.7, CC8.1.8, CC8.1.9
  • CIS Controls 8.0: 4.1

Checks the databaseFlags property of instance metadata for the key-value pair "name": "user connections", "value": "0".

  • Real-time scans: Yes
SQL user options configured

Category name in the API: SQL_USER_OPTIONS_CONFIGURED

Finding description: The user options database flag for a Cloud SQL for SQL Server instance is configured.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 6.3.4
  • CIS GCP Foundation 1.3: 6.3.4
  • CIS GCP Foundation 2.0: 6.3.4
  • CIS GCP Foundation 3.0: 6.3.4
  • NIST 800-53 R5: CM-1, CM-2, CM-6, CM-7, CM-9, SA-10, SA-3, SA-8
  • PCI-DSS v4.0: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.5.1, 2.1.1, 2.2.1
  • ISO-27001 v2022: A.8.1, A.8.9
  • Cloud Controls Matrix 4: CCC-01
  • NIST Cybersecurity Framework 1.0: PR-IP-1
  • SOC2 v2017: CC7.1.2, CC7.1.3, CC7.1.4, CC8.1.1, CC8.1.10, CC8.1.11, CC8.1.12, CC8.1.13, CC8.1.14, CC8.1.15, CC8.1.2, CC8.1.3, CC8.1.4, CC8.1.5, CC8.1.6, CC8.1.7, CC8.1.8, CC8.1.9
  • CIS Controls 8.0: 4.1

Checks the databaseFlags property of instance metadata for the key-value pair "name": "user options", "value": "" (empty).

  • Real-time scans: Yes
SQL weak root password

Category name in the API: SQL_WEAK_ROOT_PASSWORD

Finding description: A Cloud SQL database that has a public IP address also has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
sqladmin.googleapis.com/Instance

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Compares the password for the root account of your Cloud SQL database to a list of common passwords.

  • Additional IAM permissions: roles/cloudsql.client
  • Additional inputs: Queries live instances
  • Real-time scans: No

Storage vulnerability findings

Vulnerabilities of this detector type all relate to Cloud Storage Buckets configurations, and belong to the STORAGE_SCANNER type.

Detector Summary Asset scan settings
Bucket CMEK disabled

Category name in the API: BUCKET_CMEK_DISABLED

Finding description: A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks the encryption field in bucket metadata for the resource name of your CMEK.

  • Real-time scans: Yes
Bucket policy only disabled

Category name in the API: BUCKET_POLICY_ONLY_DISABLED

Finding description: Uniform bucket-level access, previously called Bucket Policy Only, isn't configured.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.2: 5.2
  • CIS GCP Foundation 1.3: 5.2
  • CIS GCP Foundation 2.0: 5.2
  • CIS GCP Foundation 3.0: 5.2
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks whether the uniformBucketLevelAccess property on a bucket is set to "enabled":false.

  • Real-time scans: Yes
Public bucket ACL

Category name in the API: PUBLIC_BUCKET_ACL

Finding description: A Cloud Storage bucket is publicly accessible.

Pricing tier: Premium or Standard

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 5.1
  • CIS GCP Foundation 1.1: 5.1
  • CIS GCP Foundation 1.2: 5.1
  • CIS GCP Foundation 1.3: 5.1
  • CIS GCP Foundation 2.0: 5.1
  • CIS GCP Foundation 3.0: 5.1
  • NIST 800-53 R4: AC-2
  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 7.1
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2013: A.14.1.3, A.8.2.3
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS Controls 8.0: 3.3

Checks the IAM allow policy of a bucket for public roles, allUsers or allAuthenticatedUsers.

  • Real-time scans: Yes
Public log bucket

Category name in the API: PUBLIC_LOG_BUCKET

Finding description: A storage bucket used as a log sink is publicly accessible.

This finding isn't available for project-level activations.

Pricing tier: Premium or Standard

Supported assets
storage.googleapis.com/Bucket

Fix this finding

Compliance standards:

  • NIST 800-53 R4: AU-9
  • PCI-DSS v3.2.1: 10.5
  • ISO-27001 v2013: A.12.4.2, A.18.1.3, A.8.2.3

Checks the IAM allow policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.

  • Additional inputs: Reads the log sink (the log filter and log destination) for a bucket to determine whether it is a log bucket
  • Real-time scans: Yes, but only if IAM policy on bucket changes, not if log sink is changed
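
The four storage detectors above read three different inputs: bucket metadata (the encryption and iamConfiguration fields of the Storage JSON API bucket resource), the bucket's IAM allow policy, and, for the log-bucket variant, the destinations of the project's log sinks. The following added example is not code from this page or from Google; it combines those inputs into one offline evaluation over constructed buckets, policies and sink destinations, so the difference between "public bucket" and "public log bucket" is visible in code. Bucket names, the KMS key path, the principals and the sink are all constructed.

```python
"""Added example: evaluate the Cloud Storage detectors described above against
a bucket (Storage JSON API field names), its IAM allow policy and the set of
log-sink destinations, offline on constructed input."""
from typing import Dict, List, Set

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_roles(iam_policy: Dict) -> List[str]:
    """Roles the bucket's IAM allow policy grants to a public principal."""
    roles: List[str] = []
    for binding in iam_policy.get("bindings", []):
        if PUBLIC_PRINCIPALS & set(binding.get("members", [])):
            roles.append(binding["role"])
    return roles


def evaluate_bucket(bucket: Dict, iam_policy: Dict,
                    sink_destinations: Set[str]) -> List[str]:
    """Return the finding categories that would be raised for this bucket."""
    findings: List[str] = []
    # BUCKET_CMEK_DISABLED: encryption.defaultKmsKeyName carries the CMEK name.
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("BUCKET_CMEK_DISABLED")
    # BUCKET_POLICY_ONLY_DISABLED: iamConfiguration.uniformBucketLevelAccess.enabled
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    if not ubla.get("enabled", False):
        findings.append("BUCKET_POLICY_ONLY_DISABLED")
    # PUBLIC_BUCKET_ACL, plus PUBLIC_LOG_BUCKET when a log sink writes here.
    # Sink destinations for Cloud Storage look like storage.googleapis.com/BUCKET.
    if public_roles(iam_policy):
        findings.append("PUBLIC_BUCKET_ACL")
        if f"storage.googleapis.com/{bucket['name']}" in sink_destinations:
            findings.append("PUBLIC_LOG_BUCKET")
    return findings


# Constructed sample inputs (not real buckets, keys, principals or sinks).
SINKS = {"storage.googleapis.com/acme-audit-logs"}
LOG_BUCKET = {
    "name": "acme-audit-logs",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
}
LOG_BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["group:sec-ops@example.com"]},
]}
DATA_BUCKET = {
    "name": "acme-app-data",
    "encryption": {"defaultKmsKeyName":
                   "projects/p/locations/us/keyRings/r/cryptoKeys/k"},
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
}
DATA_BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:app@p.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    print(evaluate_bucket(LOG_BUCKET, LOG_BUCKET_POLICY, SINKS))
    print(evaluate_bucket(DATA_BUCKET, DATA_BUCKET_POLICY, SINKS))
```

One caveat worth keeping in mind when reading the results: the public-bucket detectors described above inspect the IAM allow policy. While uniform bucket-level access is disabled, legacy object ACLs can grant public READ independently of that policy, which is one reason the uniform bucket-level access finding and the public-access findings belong together.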

Subnetwork vulnerability findings

Vulnerabilities of this detector type all relate to an organization's subnetwork configurations, and belong to the SUBNETWORK_SCANNER type.

Detector Summary Asset scan settings
Flow logs disabled

Category name in the API: FLOW_LOGS_DISABLED

Finding description: There is a VPC subnetwork that has flow logs disabled.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Subnetwork

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.9
  • CIS GCP Foundation 1.1: 3.8
  • CIS GCP Foundation 1.2: 3.8
  • NIST 800-53 R4: SI-4
  • PCI-DSS v3.2.1: 10.1, 10.2
  • ISO-27001 v2013: A.13.1.1

Checks whether the enableFlowLogs property of Compute Engine subnetworks is missing or set to false.

  • Assets excluded from scans: Serverless VPC Access, load balancer subnetworks
  • Real-time scans: Yes

Finding description: For a VPC subnetwork, VPC Flow Logs is either off or is not configured according to CIS Benchmark 1.3 recommendations. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.

Pricing tier: Premium

Supported assets
compute.googleapis.com/Subnetwork

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.3: 3.8
  • CIS GCP Foundation 2.0: 3.8
  • CIS GCP Foundation 3.0: 3.8
  • NIST 800-53 R5: SI-4
  • ISO-27001 v2022: A.8.15, A.8.16
  • Cloud Controls Matrix 4: IVS-03
  • NIST Cybersecurity Framework 1.0: DE-CM-1
  • SOC2 v2017: CC7.2.1, CC7.2.2, CC7.2.3, CC7.2.4
  • CIS Controls 8.0: 13.6, 8.2

Checks whether the enableFlowLogs property of VPC subnetworks is missing or set to false. If VPC Flow Logs is enabled, also checks that the aggregation interval is 5 seconds, that metadata is included, and that the sample rate is 100%.

  • Assets excluded from scans: Serverless VPC Access, load balancer subnetworks
  • Real-time scans: Yes
Private Google access disabled

Category name in the API: PRIVATE_GOOGLE_ACCESS_DISABLED

Finding description: There are private subnetworks without access to Google public APIs.

Pricing tier: Premium

Supported assets
storage.googleapis.com/Bucket
compute.googleapis.com/Subnetwork

Fix this finding

Compliance standards:

  • CIS GCP Foundation 1.0: 3.8

Checks whether the privateIpGoogleAccess property of Compute Engine subnetworks is set to false.

  • Real-time scans: Yes
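
The three subnetwork detectors above depend on a handful of fields of the Compute Engine API subnetwork resource: enableFlowLogs and the logConfig block (enable, aggregationInterval, flowSampling, metadata) for the two flow-log findings, and privateIpGoogleAccess for the last one. The following added example is not code from this page or from Google; it evaluates those fields offline on constructed subnetworks and reports which setting deviates from the values the CIS 1.3 check expects. The assumption that "load balancer subnetworks" means proxy-only subnets (purpose REGIONAL_MANAGED_PROXY or INTERNAL_HTTPS_LOAD_BALANCER_WITH_PROXY) is mine, as are the subnet names and values.

```python
"""Added example: evaluate the subnetwork detectors described above against a
Compute Engine subnetwork resource (API field names), offline on constructed
input."""
from typing import Dict, List

# Settings the CIS 1.3+ flow-log check expects, as described on this page.
EXPECTED_INTERVAL = "INTERVAL_5_SEC"
EXPECTED_SAMPLING = 1.0            # flowSampling 1.0 is a 100% sample rate
EXPECTED_METADATA = "INCLUDE_ALL_METADATA"
# Assumption: "load balancer subnetworks" are proxy-only subnets with these purposes.
EXCLUDED_PURPOSES = {"REGIONAL_MANAGED_PROXY", "INTERNAL_HTTPS_LOAD_BALANCER_WITH_PROXY"}


def evaluate_subnetwork(subnet: Dict) -> Dict[str, object]:
    """Return which subnetwork detectors would fire and which settings deviate."""
    result: Dict[str, object] = {
        "excluded": False,
        "FLOW_LOGS_DISABLED": False,
        "flow_log_deviations": [],      # settings that differ from CIS 1.3
        "PRIVATE_GOOGLE_ACCESS_DISABLED": False,
    }
    if subnet.get("purpose") in EXCLUDED_PURPOSES:
        result["excluded"] = True
        return result

    deviations: List[str] = []
    log_config = subnet.get("logConfig", {})
    # logConfig.enable is authoritative; enableFlowLogs is the older top-level field.
    enabled = bool(log_config.get("enable", subnet.get("enableFlowLogs", False)))
    if not enabled:
        result["FLOW_LOGS_DISABLED"] = True
        deviations.append("flow logs disabled")
    else:
        # Compute API defaults when a field is omitted: 5 s, 0.5, all metadata.
        interval = log_config.get("aggregationInterval", "INTERVAL_5_SEC")
        sampling = float(log_config.get("flowSampling", 0.5))
        metadata = log_config.get("metadata", "INCLUDE_ALL_METADATA")
        if interval != EXPECTED_INTERVAL:
            deviations.append(f"aggregationInterval={interval}")
        if sampling < EXPECTED_SAMPLING:
            deviations.append(f"flowSampling={sampling}")
        if metadata != EXPECTED_METADATA:
            deviations.append(f"metadata={metadata}")
    result["flow_log_deviations"] = deviations

    if not subnet.get("privateIpGoogleAccess", False):
        result["PRIVATE_GOOGLE_ACCESS_DISABLED"] = True
    return result


# Constructed sample subnetworks (not real resources).
WEAK_SUBNET = {
    "name": "legacy-subnet", "purpose": "PRIVATE", "enableFlowLogs": True,
    "logConfig": {"enable": True, "aggregationInterval": "INTERVAL_10_MIN",
                  "flowSampling": 0.5, "metadata": "EXCLUDE_ALL_METADATA"},
    "privateIpGoogleAccess": False,
}
HARDENED_SUBNET = {
    "name": "app-subnet", "purpose": "PRIVATE",
    "logConfig": {"enable": True, "aggregationInterval": "INTERVAL_5_SEC",
                  "flowSampling": 1.0, "metadata": "INCLUDE_ALL_METADATA"},
    "privateIpGoogleAccess": True,
}
PROXY_SUBNET = {"name": "proxy-only", "purpose": "REGIONAL_MANAGED_PROXY"}

if __name__ == "__main__":
    for s in (WEAK_SUBNET, HARDENED_SUBNET, PROXY_SUBNET):
        print(s["name"], evaluate_subnetwork(s))
```

A 100% sample rate at a 5-second interval with full metadata is the most verbose flow-log configuration, and Logging ingestion cost scales with it; that trade-off is why the CIS 1.3 variant of the check is worth enabling deliberately rather than by default.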

AWS findings

Detector Summary Asset scan settings

AWS Cloud Shell Full Access Restricted

Category name in the API: ACCESS_AWSCLOUDSHELLFULLACCESS_RESTRICTED

Finding description:

AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions and can access the internet, so it is feasible to install file transfer software, for example, and move data from CloudShell to external internet servers.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • CIS AWS Foundation 2.0.0: 1.22
  • CIS AWS Foundation 3.0.0: 1.22

Ensure access to AWSCloudShellFullAccess is restricted

  • Real-time scans: No

Access Keys Rotated Every 90 Days or Less

Category name in the API: ACCESS_KEYS_ROTATED_90_DAYS_LESS

Finding description:

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-3(15)
  • PCI-DSS v3.2.1: 8.2.4
  • CIS AWS Foundation 2.0.0: 1.14
  • CIS AWS Foundation 3.0.0: 1.14
  • CIS Controls 8.0: 5

Ensure access keys are rotated every 90 days or less

  • Real-time scans: No

All Expired Ssl Tls Certificates Stored Aws Iam Removed

Category name in the API: ALL_EXPIRED_SSL_TLS_CERTIFICATES_STORED_AWS_IAM_REMOVED

Finding description:

To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.
Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AU-11, CM-12, SI-12
  • PCI-DSS v4.0: 9.4.2
  • ISO-27001 v2022: A.5.10, A.5.9, A.8.1
  • Cloud Controls Matrix 4: DSP-01
  • NIST Cybersecurity Framework 1.0: PR-IP-6
  • CIS AWS Foundation 2.0.0: 1.19
  • CIS AWS Foundation 3.0.0: 1.19
  • CIS Controls 8.0: 3.1

Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed

  • Real-time scans: No

Autoscaling Group Elb Healthcheck Required

Category name in the API: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED

Finding description:

This checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.

This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-2

Checks that all Auto Scaling groups associated with a load balancer use Elastic Load Balancing health checks

  • Real-time scans: No

Auto Minor Version Upgrade Feature Enabled Rds Instances

Category name in the API: AUTO_MINOR_VERSION_UPGRADE_FEATURE_ENABLED_RDS_INSTANCES

Finding description:

Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled so that minor engine upgrades are applied automatically during the specified maintenance window. This lets RDS instances receive new features, bug fixes and security patches for their database engines without manual intervention.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: RA-5, RA-7, SI-2
  • ISO-27001 v2022: A.8.8
  • Cloud Controls Matrix 4: UEM-03
  • NIST Cybersecurity Framework 1.0: ID-RA-1
  • SOC2 v2017: CC7.1.1, CC7.1.2, CC7.1.3, CC7.1.4, CC7.1.5
  • CIS AWS Foundation 2.0.0: 2.3.2
  • CIS AWS Foundation 3.0.0: 2.3.2
  • CIS Controls 8.0: 7.4

Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances

  • Real-time scans: No

Aws Config Enabled All Regions

Category name in the API: AWS_CONFIG_ENABLED_ALL_REGIONS

Finding description:

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: CM-8, PM-5
  • PCI-DSS v4.0: 11.2.1, 11.2.2, 12.5.1, 9.5.1, 9.5.1.1
  • ISO-27001 v2022: A.5.9, A.8.8
  • Cloud Controls Matrix 4: UEM-04
  • NIST Cybersecurity Framework 1.0: ID-AM-1, PR-DS-3
  • SOC2 v2017: CC3.2.6, CC6.1.1
  • HIPAA: 164.310(d)(2)(iii)
  • CIS AWS Foundation 2.0.0: 3.5
  • CIS AWS Foundation 3.0.0: 3.5
  • CIS Controls 8.0: 1.1

Ensure AWS Config is enabled in all regions

  • Real-time scans: No

Aws Security Hub Enabled

Category name in the API: AWS_SECURITY_HUB_ENABLED

Finding description:

Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: CA-7
  • PCI-DSS v3.2.1: 11.5
  • CIS AWS Foundation 2.0.0: 4.16
  • CIS AWS Foundation 3.0.0: 4.16

Ensure AWS Security Hub is enabled

  • Real-time scans: No

Cloudtrail Logs Encrypted Rest Using Kms Cmks

Category name in the API: CLOUDTRAIL_LOGS_ENCRYPTED_REST_USING_KMS_CMKS

Finding description:

AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-5, SC-28, SI-7(6)
  • PCI-DSS v3.2.1: 10.5.2
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS AWS Foundation 2.0.0: 3.7
  • CIS AWS Foundation 3.0.0: 3.5
  • CIS Controls 8.0: 3.11

Ensure CloudTrail logs are encrypted at rest using KMS CMKs

  • Real-time scans: No

Cloudtrail Log File Validation Enabled

Category name in the API: CLOUDTRAIL_LOG_FILE_VALIDATION_ENABLED

Finding description:

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AU-6, AU-7, SI-7(7)
  • PCI-DSS v3.2.1: 11.5
  • PCI-DSS v4.0: 10.4.1, 10.4.1.1, 10.4.2, 10.4.3
  • ISO-27001 v2022: A.5.25
  • Cloud Controls Matrix 4: LOG-05
  • NIST Cybersecurity Framework 1.0: DE-AE-2, PR-PT-1, RS-AN-1
  • SOC2 v2017: CC4.1.1, CC4.1.2, CC4.1.3, CC4.1.4, CC4.1.5, CC4.1.6, CC4.1.7, CC4.1.8, CC7.3.1, CC7.3.2, CC7.3.3, CC7.3.4, CC7.3.5
  • HIPAA: 164.308(a)(1)(ii), 164.312(b)
  • CIS AWS Foundation 2.0.0: 3.2
  • CIS AWS Foundation 3.0.0: 3.2
  • CIS Controls 8.0: 8.11

Ensure CloudTrail log file validation is enabled

  • Real-time scans: No

Cloudtrail Trails Integrated Cloudwatch Logs

Category name in the API: CLOUDTRAIL_TRAILS_INTEGRATED_CLOUDWATCH_LOGS

Finding description:

AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.

Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AU-12, AU-3, AU-7
  • PCI-DSS v4.0: 10.2.1, 10.2.1.2, 10.2.1.5, 9.4.5
  • ISO-27001 v2022: A.5.28, A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: DE-AE-3, DE-CM-1
  • SOC2 v2017: CC5.2.3, CC7.2.1, CC7.2.2, CC7.2.3
  • CIS AWS Foundation 2.0.0: 3.4
  • CIS Controls 8.0: 8.5, 8.9

Ensure CloudTrail trails are integrated with CloudWatch Logs

  • Real-time scans: No

Cloudwatch Alarm Action Check

Category name in the API: CLOUDWATCH_ALARM_ACTION_CHECK

Finding description:

This checks whether Amazon CloudWatch alarms have actions defined for transitions between the 'OK', 'ALARM' and 'INSUFFICIENT_DATA' states.

Configuring actions for the ALARM state in Amazon CloudWatch alarms is important: it triggers an immediate response when a monitored metric breaches its threshold, which supports quick problem resolution, reduces downtime and enables automated remediation.

The check expects that:

  • Alarms have at least one action.
  • Alarms have at least one action when the alarm transitions to the 'INSUFFICIENT_DATA' state from any other state.
  • (Optional) Alarms have at least one action when the alarm transitions to an 'OK' state from any other state.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-20

Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled.

  • Real-time scans: No

Cloudwatch Log Group Encrypted

Category name in the API: CLOUDWATCH_LOG_GROUP_ENCRYPTED

Finding description:

This check ensures CloudWatch logs are configured with KMS.

Log group data is always encrypted in CloudWatch Logs. By default, CloudWatch Logs uses server-side encryption for the log data at rest. As an alternative, you can use AWS Key Management Service for this encryption. If you do, the encryption is done using an AWS KMS key. Encryption using AWS KMS is enabled at the log group level, by associating a KMS key with a log group, either when you create the log group or after it exists.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 3.4

Checks that all log groups in Amazon CloudWatch Logs are encrypted with KMS

  • Real-time scans: No

CloudTrail CloudWatch Logs Enabled

Category name in the API: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED

Finding description:

This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. The control fails if the CloudWatchLogsLogGroupArn property of the trail is empty.

CloudTrail records AWS API calls that are made in a given account. The recorded information includes the following:

  • The identity of the API caller
  • The time of the API call
  • The source IP address of the API caller
  • The request parameters
  • The response elements returned by the AWS service

CloudTrail uses Amazon S3 for log file storage and delivery. You can capture CloudTrail logs in a specified S3 bucket for long-term analysis. To perform real-time analysis, you can configure CloudTrail to send logs to CloudWatch Logs.

For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all of those Regions to a CloudWatch Logs log group.

Security Hub recommends that you send CloudTrail logs to CloudWatch Logs. Note that this recommendation is intended to ensure that account activity is captured, monitored, and appropriately alarmed on. You can use CloudWatch Logs to set this up with your AWS services. This recommendation does not preclude the use of a different solution.

Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address. You can use this approach to establish alarms and notifications for anomalous or sensitive account activity.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-20
  • PCI-DSS v3.2.1: 10.5.3

Checks that all CloudTrail trails are configured to send logs to CloudWatch Logs

  • Real-time scans: No

No AWS Credentials in CodeBuild Project Environment Variables

Category name in the API: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK

Finding description:

This checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-5, SA-3

Checks that the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are not stored in plaintext in any project

  • Real-time scans: No

Codebuild Project Source Repo Url Check

Category name in the API: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK

Finding description:

This checks whether an AWS CodeBuild project Bitbucket source repository URL contains personal access tokens or a user name and password. The control fails if the Bitbucket source repository URL contains personal access tokens or a user name and password.

Sign-in credentials shouldn't be stored or transmitted in clear text or appear in the source repository URL. Instead of personal access tokens or sign-in credentials, you should access your source provider in CodeBuild, and change your source repository URL to contain only the path to the Bitbucket repository location. Using personal access tokens or sign-in credentials could result in unintended data exposure or unauthorized access.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks that all projects using GitHub or Bitbucket as the source use OAuth

  • Real-time scans: No

Credentials Unused 45 Days Greater Disabled

Category name in the API: CREDENTIALS_UNUSED_45_DAYS_GREATER_DISABLED

Finding description:

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused for 45 days or more be deactivated or removed.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-2
  • PCI-DSS v4.0: 8.3.7
  • NIST Cybersecurity Framework 1.0: PR-AC-1
  • CIS AWS Foundation 2.0.0: 1.12
  • CIS AWS Foundation 3.0.0: 1.12
  • CIS Controls 8.0: 5.3

Ensure credentials unused for 45 days or greater are disabled

  • Real-time scans: No

Default Security Group Vpc Restricts All Traffic

Category name in the API: DEFAULT_SECURITY_GROUP_VPC_RESTRICTS_ALL_TRAFFIC

Finding description:

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering: discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least-privilege security groups.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS AWS Foundation 2.0.0: 5.4
  • CIS AWS Foundation 3.0.0: 5.4
  • CIS Controls 8.0: 3.3

Ensure the default security group of every VPC restricts all traffic

  • Real-time scans: No

Dms Replication Not Public

Category name in the API: DMS_REPLICATION_NOT_PUBLIC

Finding description:

Checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field.

A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network. The network must also be connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. To learn more about public and private replication instances, see Public and private replication instances in the AWS Database Migration Service User Guide.

You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2

Checks whether AWS Database Migration Service replication instances are public

  • Real-time scans: No

Do Setup Access Keys During Initial User Setup All Iam Users Console

Category name in the API: DO_SETUP_ACCESS_KEYS_DURING_INITIAL_USER_SETUP_ALL_IAM_USERS_CONSOLE

Finding description:

The AWS console defaults to no check boxes selected when creating a new IAM user. When creating IAM user credentials, you have to determine what type of access the user requires.

Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.

AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS AWS Foundation 2.0.0: 1.11
  • CIS AWS Foundation 3.0.0: 1.11
  • CIS Controls 8.0: 3.3, 5.4

Do not set up access keys during initial user setup for all IAM users that have a console password

  • Real-time scans: No

Dynamodb Autoscaling Enabled

Category name in the API: DYNAMODB_AUTOSCALING_ENABLED

Finding description:

This checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.

DynamoDB tables in on-demand capacity mode are only limited by the DynamoDB throughput default table quotas. To raise these quotas, you can file a support ticket through AWS Support.

DynamoDB tables in provisioned mode with auto scaling adjust the provisioned throughput capacity dynamically in response to traffic patterns. For additional information on DynamoDB request throttling, see Request throttling and burst capacity in the Amazon DynamoDB Developer Guide.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-13(5)

DynamoDB tables should automatically scale capacity with demand

  • Real-time scans: No

Dynamodb In Backup Plan

Category name in the API: DYNAMODB_IN_BACKUP_PLAN

Finding description:

This control evaluates whether a DynamoDB table is covered by a backup plan. The control fails if a DynamoDB table isn't covered by a backup plan. This control only evaluates DynamoDB tables that are in the ACTIVE state.

Backups help you recover more quickly from a security incident. They also strengthen the resilience of your systems. Including DynamoDB tables in a backup plan helps you protect your data from unintended loss or deletion.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-13(5)

DynamoDB tables should be covered by a backup plan

  • Real-time scans: No

Dynamodb Pitr Enabled

Category name in the API: DYNAMODB_PITR_ENABLED

Finding description:

Point-in-time recovery (PITR) is one of the mechanisms available to back up DynamoDB tables.

A point-in-time backup is kept for 35 days. If you require longer retention, see Set up scheduled backups for Amazon DynamoDB using AWS Backup in the AWS documentation.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-13(5)

Checks that point in time recovery (PITR) is enabled for all AWS DynamoDB tables

  • Real-time scans: No

Dynamodb Table Encrypted Kms

Category name in the API: DYNAMODB_TABLE_ENCRYPTED_KMS

Finding description:

Checks whether all DynamoDB tables are encrypted with a customer managed KMS key (non-default).

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(6)

Checks that all DynamoDB tables are encrypted with AWS Key Management Service (KMS)

  • Real-time scans: No

Ebs Optimized Instance

Category name in the API: EBS_OPTIMIZED_INSTANCE

Finding description:

Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-5(2)

Checks that EBS optimization is enabled for all instances that support EBS optimization

  • Real-time scans: No

Ebs Snapshot Public Restorable Check

Category name in the API: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK

Finding description:

Checks whether Amazon Elastic Block Store snapshots are not public. The control fails if Amazon EBS snapshots are restorable by anyone.

EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. This check helps ensure that all such sharing was fully planned and intentional.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2

Amazon EBS snapshots should not be publicly restorable

  • Real-time scans: No

Ebs Volume Encryption Enabled All Regions

Category name in the API: EBS_VOLUME_ENCRYPTION_ENABLED_ALL_REGIONS

Finding description:

Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-5, SC-28, SI-7(6)
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS AWS Foundation 2.0.0: 2.2.1
  • CIS AWS Foundation 3.0.0: 2.2.1
  • CIS Controls 8.0: 3.11

Ensure EBS Volume Encryption is Enabled in all Regions

  • Real-time scans: No

Ec2 Instances In Vpc

Category name in the API: EC2_INSTANCES_IN_VPC

Finding description:

Amazon VPC provides more security functionality than EC2 Classic. It is recommended that all nodes belong to an Amazon VPC.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7

Ensures that all instances belong to a VPC

  • Real-time scans: No

Ec2 Instance No Public Ip

Category name in the API: EC2_INSTANCE_NO_PUBLIC_IP

Finding description:

EC2 instances that have a public IP address are at an increased risk of compromise. It is recommended that EC2 instances not be configured with a public IP address.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2

Ensures no instances have a public IP

  • Real-time scans: No

Ec2 Managedinstance Association Compliance Status Check

Category name in the API: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK

Finding description:

A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. EC2 instances that have an association with AWS Systems Manager are under management of Systems Manager which makes it easier to apply patches, fix misconfigurations, and respond to security events.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 6.2

Checks the compliance status of the AWS Systems Manager association

  • Real-time scans: No

Ec2 Managedinstance Patch Compliance Status Check

Category name in the API: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK

Finding description:

This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control fails if the association compliance status is NON_COMPLIANT.

A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances or that certain ports must be closed.

After you create one or more State Manager associations, compliance status information is immediately available to you. You can view the compliance status in the console or in response to AWS CLI commands or corresponding Systems Manager API actions. For associations, Configuration Compliance shows the compliance status (Compliant or Non-compliant). It also shows the severity level assigned to the association, such as Critical or Medium.

To learn more about State Manager association compliance, see About State Manager association compliance in the AWS Systems Manager User Guide.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-2
  • PCI-DSS v3.2.1: 6.2

Checks the status of AWS Systems Manager patch compliance

  • Real-time scans: No

Ec2 Metadata Service Allows Imdsv2

Category name in the API: EC2_METADATA_SERVICE_ALLOWS_IMDSV2

Finding description:

When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-6
  • CIS AWS Foundation 2.0.0: 5.6
  • CIS AWS Foundation 3.0.0: 5.6

Ensure that EC2 Metadata Service only allows IMDSv2

  • Real-time scans: No

Ec2 Volume Inuse Check

Category name in the API: EC2_VOLUME_INUSE_CHECK

Finding description:

This control identifies unattached (unused) Elastic Block Store (EBS) volumes in your AWS account; removing them lowers the cost of your monthly AWS bill and also reduces the risk of confidential or sensitive data leaving your premises. Additionally, this control checks whether EC2 instances are configured to delete volumes on termination.

By default, EC2 instances are configured to delete the data in any EBS volumes associated with the instance, and to delete the root EBS volume of the instance. However, any non-root EBS volumes attached to the instance, at launch or during execution, get persisted after termination by default.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: CM-2

Checks whether EBS volumes are attached to EC2 instances and configured for deletion on instance termination

  • Real-time scans: No

Efs Encrypted Check

Category name in the API: EFS_ENCRYPTED_CHECK

Finding description:

Amazon EFS supports two forms of encryption for file systems, encryption of data in transit and encryption at rest. This checks that all EFS file systems are configured with encryption-at-rest across all enabled regions in the account.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(6)
  • PCI-DSS v3.2.1: 8.2.1

Checks whether EFS is configured to encrypt file data using KMS

  • Real-time scans: No

Efs In Backup Plan

Category name in the API: EFS_IN_BACKUP_PLAN

Finding description:

Amazon best practices recommend configuring backups for your Elastic File Systems (EFS). This checks all EFS file systems across every enabled region in your AWS account for enabled backups.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-13(5)

Checks whether EFS filesystems are included in AWS Backup plans

  • Real-time scans: No

Elb Acm Certificate Required

Category name in the API: ELB_ACM_CERTIFICATE_REQUIRED

Finding description:

Checks whether the Classic Load Balancer uses HTTPS/SSL certificates provided by AWS Certificate Manager (ACM). The control fails if the Classic Load Balancer configured with HTTPS/SSL listener does not use a certificate provided by ACM.

To create a certificate, you can use either ACM or a tool that supports the SSL and TLS protocols, such as OpenSSL. Security Hub recommends that you use ACM to create or import certificates for your load balancer.

ACM integrates with Classic Load Balancers so that you can deploy the certificate on your load balancer. You should also automatically renew these certificates.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-17, AC-4, IA-5, SC-12, SC-13, SC-23, SC-7, SC-8, SI-7, SI-7(6)

Checks that all Classic Load Balancers use SSL certificates provided by AWS Certificate Manager

  • Real-time scans: No

Elb Deletion Protection Enabled

Category name in the API: ELB_DELETION_PROTECTION_ENABLED

Finding description:

Checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured.

Enable deletion protection to protect your Application Load Balancer from deletion.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-5(2)

Application Load Balancer deletion protection should be enabled

  • Real-time scans: No

Elb Logging Enabled

Category name in the API: ELB_LOGGING_ENABLED

Finding description:

This checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.

To learn more, see Access logs for your Classic Load Balancer in User Guide for Classic Load Balancers.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(8)
  • PCI-DSS v3.2.1: 10.3.1

Checks whether classic and application load balancers have logging enabled

  • Real-time scans: No

Elb Tls Https Listeners Only

Category name in the API: ELB_TLS_HTTPS_LISTENERS_ONLY

Finding description:

This check ensures all Classic Load Balancers are configured to use secure communication.

A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections and a protocol and a port for back-end (load balancer to instance) connections. For information about the ports, protocols, and listener configurations supported by Elastic Load Balancing, see Listeners for your Classic Load Balancer.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(6)

Checks that all Classic Load Balancers are configured with SSL or HTTPS listeners

  • Real-time scans: No

Encrypted Volumes

Category name in the API: ENCRYPTED_VOLUMES

Finding description:

Checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check.

For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses KMS keys when creating encrypted volumes and snapshots.

To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(6)
  • PCI-DSS v3.2.1: 8.2.1

Attached Amazon EBS volumes should be encrypted at rest

  • Real-time scans: No

Encryption At Rest Enabled Rds Instances

Category name in the API: ENCRYPTION_AT_REST_ENABLED_RDS_INSTANCES

Finding description:

Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-5, SC-28, SI-7(6)
  • PCI-DSS v3.2.1: 8.2.1
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS AWS Foundation 2.0.0: 2.3.1
  • CIS AWS Foundation 3.0.0: 2.3.1
  • CIS Controls 8.0: 3.11

Ensure that encryption-at-rest is enabled for RDS Instances

  • Real-time scans: No

Encryption Enabled Efs File Systems

Category name in the API: ENCRYPTION_ENABLED_EFS_FILE_SYSTEMS

Finding description:

EFS data should be encrypted at rest using AWS KMS (Key Management Service).

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS AWS Foundation 2.0.0: 2.4.1
  • CIS AWS Foundation 3.0.0: 2.4.1
  • CIS Controls 8.0: 3.11

Ensure that encryption is enabled for EFS file systems

  • Real-time scans: No

Iam Password Policy

Category name in the API: IAM_PASSWORD_POLICY

Finding description:

AWS allows for custom password policies on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. If you don't set a custom password policy, IAM user passwords must meet the default AWS password policy. AWS security best practices recommend the following password complexity requirements:

  • Require at least one uppercase character in passwords.
  • Require at least one lowercase character in passwords.
  • Require at least one symbol in passwords.
  • Require at least one number in passwords.
  • Require a minimum password length of at least 14 characters.
  • Require at least 24 passwords before allowing reuse.
  • Require at least 90 days before password expiration.

This control checks all of the specified password policy requirements.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-5(1)
  • PCI-DSS v3.2.1: 8.2.5

Checks whether the account password policy for IAM users meets the specified requirements

  • Real-time scans: No

Iam Password Policy Prevents Password Reuse

Category name in the API: IAM_PASSWORD_POLICY_PREVENTS_PASSWORD_REUSE

Finding description:

IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-5
  • PCI-DSS v4.0: 2.2.2, 8.3.5, 8.3.6, 8.6.3
  • ISO-27001 v2022: A.5.17
  • Cloud Controls Matrix 4: IAM-02
  • SOC2 v2017: CC6.1.3, CC6.1.8, CC6.1.9
  • CIS AWS Foundation 2.0.0: 1.9
  • CIS AWS Foundation 3.0.0: 1.9
  • CIS Controls 8.0: 5.2

Ensure IAM password policy prevents password reuse

  • Real-time scans: No

Iam Password Policy Requires Minimum Length 14 Greater

Category name in the API: IAM_PASSWORD_POLICY_REQUIRES_MINIMUM_LENGTH_14_GREATER

Finding description:

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • CIS AWS Foundation 2.0.0: 1.8
  • CIS AWS Foundation 3.0.0: 1.8
  • CIS Controls 8.0: 5, 5.2

Ensure IAM password policy requires minimum length of 14 or greater

  • Real-time scans: No

Iam Policies Allow Full Administrative Privileges Attached

Category name in the API: IAM_POLICIES_ALLOW_FULL_ADMINISTRATIVE_PRIVILEGES_ATTACHED

Finding description:

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended, and considered standard security advice, to grant least privilege, that is, to grant only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS AWS Foundation 2.0.0: 1.16
  • CIS AWS Foundation 3.0.0: 1.16
  • CIS Controls 8.0: 3.3

Ensure IAM policies that allow full "*:*" administrative privileges are not attached

  • Real-time scans: No

Iam Users Receive Permissions Groups

Category name in the API: IAM_USERS_RECEIVE_PERMISSIONS_GROUPS

Finding description:

IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user: 1) edit the user policy directly, also known as an inline (or user) policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy; 4) add the user to an IAM group that has an inline policy.

Only the third implementation is recommended.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-2, AC-5, AC-6, AU-9
  • PCI-DSS v4.0: 10.3.1, 7.1.1, 7.2.1, 7.2.2, 7.2.4, 7.2.6, 7.3.1, 7.3.2
  • ISO-27001 v2022: A.5.15, A.5.3, A.8.2, A.8.3
  • Cloud Controls Matrix 4: IAM-04
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.3.1, CC6.3.2, CC6.3.3
  • HIPAA: 164.308(a)(3)(ii), 164.308(a)(4)(i), 164.308(a)(4)(ii)
  • CIS AWS Foundation 2.0.0: 1.15
  • CIS AWS Foundation 3.0.0: 1.15
  • CIS Controls 8.0: 6.8

Ensure IAM Users Receive Permissions Only Through Groups

  • Real-time scans: No

Iam User Group Membership Check

Category name in the API: IAM_USER_GROUP_MEMBERSHIP_CHECK

Finding description:

IAM users should always be part of an IAM group in order to adhere to IAM security best practices.

By adding users to a group, it is possible to share policies among types of users.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-6

Checks whether IAM users are members of at least one IAM group

  • Real-time scans: No

Iam User Mfa Enabled

Category name in the API: IAM_USER_MFA_ENABLED

Finding description:

Multi-factor authentication (MFA) is a best practice that adds an extra layer of protection on top of user names and passwords. With MFA, when a user signs in to the AWS Management Console, they are required to provide a time-sensitive authentication code, provided by a registered virtual or physical device.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • PCI-DSS v3.2.1: 8.3.2

Checks whether the AWS IAM users have multi-factor authentication (MFA) enabled

  • Real-time scans: No

Iam User Unused Credentials Check

Category name in the API: IAM_USER_UNUSED_CREDENTIALS_CHECK

Finding description:

This checks for any IAM passwords or active access keys that have not been used in the last 90 days.

Best practices recommend that you remove, deactivate, or rotate all credentials unused for 90 days or more. This reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-6
  • PCI-DSS v3.2.1: 8.1.4

Checks whether AWS IAM users have passwords or active access keys that have not been used in maxCredentialUsageAge days (default 90)

  • Real-time scans: No

Kms Cmk Not Scheduled For Deletion

Category name in the API: KMS_CMK_NOT_SCHEDULED_FOR_DELETION

Finding description:

This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion.

KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.

When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.

For additional information regarding deleting KMS keys, see Deleting KMS keys in the AWS Key Management Service Developer Guide.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-12

Checks that all CMKs are not scheduled for deletion

  • Real-time scans: No

Lambda Concurrency Check

Category name in the API: LAMBDA_CONCURRENCY_CHECK

Finding description:

Checks if the Lambda function is configured with a function-level concurrent execution limit. The rule is NON_COMPLIANT if the Lambda function is not configured with a function-level concurrent execution limit.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks whether Lambda functions are configured with function-level concurrent execution limit

  • Real-time scans: No

Lambda Dlq Check

Category name in the API: LAMBDA_DLQ_CHECK

Finding description:

Checks if a Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the Lambda function is not configured with a dead-letter queue.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-2

Checks whether Lambda functions are configured with a dead letter queue

  • Real-time scans: No

Lambda Function Public Access Prohibited

Category name in the API: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

Finding description:

AWS best practices recommend that Lambda functions should not be publicly exposed. This policy checks all Lambda functions deployed across all enabled regions within your account and will fail if they are configured to allow public access.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2

Checks whether the policy attached to the Lambda function prohibits public access

  • Real-time scans: No

Lambda Inside Vpc

Category name in the API: LAMBDA_INSIDE_VPC

Finding description:

Checks whether a Lambda function is in a VPC. You might see failed findings for Lambda@Edge resources.

It does not evaluate the VPC subnet routing configuration to determine public reachability.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2

Checks whether the Lambda functions exist within a VPC

  • Real-time scans: No

Mfa Delete Enabled S3 Buckets

Category name in the API: MFA_DELETE_ENABLED_S3_BUCKETS

Finding description:

Once MFA Delete is enabled on your sensitive and classified S3 bucket, it requires the user to have two forms of authentication before a version or the versioning state of the bucket can be deleted.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS AWS Foundation 2.0.0: 2.1.2
  • CIS AWS Foundation 3.0.0: 2.1.2
  • CIS Controls 8.0: 3.3, 6.5

Ensure MFA Delete is enabled on S3 buckets

  • Real-time scans: No

Mfa Enabled Root User Account

Category name in the API: MFA_ENABLED_ROOT_USER_ACCOUNT

Finding description:

The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.

Note: When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices ("non-personal virtual MFA"). This lessens the risk of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-2, IA-2(8)
  • PCI-DSS v3.2.1: 8.3.2
  • PCI-DSS v4.0: 2.2.7, 8.4.1
  • ISO-27001 v2022: A.8.2
  • Cloud Controls Matrix 4: IAM-10
  • NIST Cybersecurity Framework 1.0: PR-AC-7
  • SOC2 v2017: CC6.1.3, CC6.1.4, CC6.1.6, CC6.1.7, CC6.1.8
  • CIS AWS Foundation 2.0.0: 1.5
  • CIS AWS Foundation 3.0.0: 1.5
  • CIS Controls 8.0: 6.5

Ensure MFA is enabled for the 'root' user account

  • Real-time scans: No

Multi Factor Authentication Mfa Enabled All Iam Users Console

Category name in the API: MULTI_FACTOR_AUTHENTICATION_MFA_ENABLED_ALL_IAM_USERS_CONSOLE

Finding description:

Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-2, IA-2(8)
  • PCI-DSS v3.2.1: 8.3.2
  • PCI-DSS v4.0: 2.2.7, 8.4.1
  • ISO-27001 v2022: A.8.2
  • Cloud Controls Matrix 4: IAM-10
  • NIST Cybersecurity Framework 1.0: PR-AC-7
  • SOC2 v2017: CC6.1.3, CC6.1.4, CC6.1.6, CC6.1.7, CC6.1.8
  • CIS AWS Foundation 2.0.0: 1.10
  • CIS Controls 8.0: 6.5

Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

  • Real-time scans: No

No Network Acls Allow Ingress 0 0 0 0 Remote Server Administration

Category name in the API: NO_NETWORK_ACLS_ALLOW_INGRESS_0_0_0_0_REMOTE_SERVER_ADMINISTRATION

Finding description:

The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH on port 22 and RDP on port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • CIS AWS Foundation 2.0.0: 5.1
  • CIS AWS Foundation 3.0.0: 5.1

Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

  • Real-time scans: No

No Root User Account Access Key Exists

Category name in the API: NO_ROOT_USER_ACCOUNT_ACCESS_KEY_EXISTS

Finding description:

The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be deleted.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2
  • PCI-DSS v3.2.1: 8.1.1
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS AWS Foundation 2.0.0: 1.4
  • CIS AWS Foundation 3.0.0: 1.4
  • CIS Controls 8.0: 3.3, 5.4

Ensure no 'root' user account access key exists

  • Real-time scans: No

No Security Groups Allow Ingress 0 0 0 0 Remote Server Administration

Category name in the API: NO_SECURITY_GROUPS_ALLOW_INGRESS_0_0_0_0_REMOTE_SERVER_ADMINISTRATION

Finding description:

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH on port 22 and RDP on port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • CIS AWS Foundation 2.0.0: 5.2
  • CIS AWS Foundation 3.0.0: 5.2

Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports

  • Real-time scans: No

No Security Groups Allow Ingress 0 Remote Server Administration

Category name in the API: NO_SECURITY_GROUPS_ALLOW_INGRESS_0_REMOTE_SERVER_ADMINISTRATION

Finding description:

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • CIS AWS Foundation 2.0.0: 5.3
  • CIS AWS Foundation 3.0.0: 5.3

Ensure no security groups allow ingress from ::/0 to remote server administration ports

  • Real-time scans: No

One Active Access Key Available Any Single Iam User

Category name in the API: ONE_ACTIVE_ACCESS_KEY_AVAILABLE_ANY_SINGLE_IAM_USER

Finding description:

Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • CIS AWS Foundation 2.0.0: 1.13
  • CIS AWS Foundation 3.0.0: 1.13
  • CIS Controls 8.0: 5

Ensure there is only one active access key available for any single IAM user

  • Real-time scans: No

Public Access Given Rds Instance

Category name in the API: PUBLIC_ACCESS_GIVEN_RDS_INSTANCE

Finding description:

Ensure and verify that RDS database instances provisioned in your AWS account restrict unauthorized access in order to minimize security risks. To restrict access to a publicly accessible RDS database instance, you must disable the database's Publicly Accessible flag and update the VPC security group associated with the instance.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2, SC-7
  • PCI-DSS v3.2.1: 2.2.2
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS AWS Foundation 2.0.0: 2.3.3
  • CIS AWS Foundation 3.0.0: 2.3.3
  • CIS Controls 8.0: 3.3

Ensure that public access is not given to RDS Instance

  • Real-time scans: No

Rds Enhanced Monitoring Enabled

Category name in the API: RDS_ENHANCED_MONITORING_ENABLED

Finding description:

Enhanced monitoring provides real-time metrics on the operating system that the RDS instance runs on, via an agent installed in the instance.

For more details, see Monitoring OS metrics with Enhanced Monitoring.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-2

Checks whether enhanced monitoring is enabled for all RDS DB instances

  • Real-time scans: No

Rds Instance Deletion Protection Enabled

Category name in the API: RDS_INSTANCE_DELETION_PROTECTION_ENABLED

Finding description:

Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.

While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-13(5)

Checks if all RDS instances have deletion protection enabled

  • Real-time scans: No

Rds In Backup Plan

Category name in the API: RDS_IN_BACKUP_PLAN

Finding description:

This check evaluates if Amazon RDS DB instances are covered by a backup plan. This control fails if an RDS DB instance isn't covered by a backup plan.

AWS Backup is a fully managed backup service that centralizes and automates the backing up of data across AWS services. With AWS Backup, you can create backup policies called backup plans. You can use these plans to define your backup requirements, such as how frequently to back up your data and how long to retain those backups. Including RDS DB instances in a backup plan helps you protect your data from unintended loss or deletion.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-13(5)

RDS DB instances should be covered by a backup plan

  • Real-time scans: No

Rds Logging Enabled

Category name in the API: RDS_LOGGING_ENABLED

Finding description:

This checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch.

RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(8)

Checks if exported logs are enabled for all RDS DB instances

  • Real-time scans: No

Rds Multi Az Support

Category name in the API: RDS_MULTI_AZ_SUPPORT

Finding description:

RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-13(5)

Checks whether high availability is enabled for all RDS DB instances

  • Real-time scans: No

Redshift Cluster Configuration Check

Category name in the API: REDSHIFT_CLUSTER_CONFIGURATION_CHECK

Finding description:

This checks for essential elements of a Redshift cluster: encryption at rest, logging and node type.

These configuration items are important in the maintenance of a secure and observable Redshift cluster.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(8)
  • PCI-DSS v3.2.1: 10.3.1

Checks that all Redshift clusters have encryption at rest, logging and node type.

  • Real-time scans: No

Redshift Cluster Maintenancesettings Check

Category name in the API: REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK

Finding description:

Automatic major version upgrades happen according to the maintenance window.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-2

Checks that all Redshift clusters have allowVersionUpgrade enabled and preferredMaintenanceWindow and automatedSnapshotRetentionPeriod set

  • Real-time scans: No

Redshift Cluster Public Access Check

Category name in the API: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK

Finding description:

The PubliclyAccessible attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with PubliclyAccessible set to true, it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address.

When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with PubliclyAccessible set to true.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2

Checks whether Redshift clusters are publicly accessible

  • Real-time scans: No

Restricted Common Ports

Category name in the API: RESTRICTED_COMMON_PORTS

Finding description:

This checks whether security groups allow unrestricted incoming traffic to the specified highest-risk ports. This control fails if any of the rules in a security group allow ingress traffic from '0.0.0.0/0' or '::/0' for those ports.

Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data.

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports:

  • 20, 21 (FTP)
  • 22 (SSH)
  • 23 (Telnet)
  • 25 (SMTP)
  • 110 (POP3)
  • 135 (RPC)
  • 143 (IMAP)
  • 445 (CIFS)
  • 1433, 1434 (MSSQL)
  • 3000 (Go, Node.js, and Ruby web development frameworks)
  • 3306 (MySQL)
  • 3389 (RDP)
  • 4333 (ahsp)
  • 5000 (Python web development frameworks)
  • 5432 (PostgreSQL)
  • 5500 (fcp-addr-srvr1)
  • 5601 (OpenSearch Dashboards)
  • 8080 (proxy)
  • 8088 (legacy HTTP port)
  • 8888 (alternative HTTP port)
  • 9200 or 9300 (OpenSearch)

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2

Security groups should not allow unrestricted access to ports with high risk

  • Real-time scans: No

Restricted Ssh

Category name in the API: RESTRICTED_SSH

Finding description:

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources.

CIS recommends that no security group allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2

Security groups should not allow ingress from 0.0.0.0/0 to port 22

  • Real-time scans: No

Rotation Customer Created Cmks Enabled

Category name in the API: ROTATION_CUSTOMER_CREATED_CMKS_ENABLED

Finding description:

Checks whether automatic key rotation is enabled for each customer-created AWS KMS key, matched by key ID. The rule is NON_COMPLIANT if the AWS Config recorder role for a resource does not have the kms:DescribeKey permission.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Ensure rotation for customer created CMKs is enabled

  • Real-time scans: No

Rotation Customer Created Symmetric Cmks Enabled

Category name in the API: ROTATION_CUSTOMER_CREATED_SYMMETRIC_CMKS_ENABLED

Finding description:

AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS and tied to the key ID of the customer-created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation cannot be enabled for any asymmetric CMK.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: IA-5, SC-28
  • PCI-DSS v4.0: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2
  • ISO-27001 v2022: A.5.33
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-1
  • SOC2 v2017: CC6.1.10, CC6.1.3
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
  • CIS AWS Foundation 2.0.0: 3.8
  • CIS AWS Foundation 3.0.0: 3.6
  • CIS Controls 8.0: 3.11

Ensure rotation for customer created symmetric CMKs is enabled

  • Real-time scans: No

Routing Tables Vpc Peering Are Least Access

Category name in the API: ROUTING_TABLES_VPC_PEERING_ARE_LEAST_ACCESS

Finding description:

Checks whether route tables for VPC peering are configured according to the principle of least privilege.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Ensure routing tables for VPC peering are "least access"

  • Real-time scans: No

S3 Account Level Public Access Blocks

Category name in the API: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS

Finding description:

Amazon S3 Block Public Access provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects do not allow public access.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

This finding category is not mapped to any compliance standard controls.

Checks if the required S3 public access block settings are configured from account level

  • Real-time scans: No

S3 Buckets Configured Block Public Access Bucket And Account Settings

Category name in the API: S3_BUCKETS_CONFIGURED_BLOCK_PUBLIC_ACCESS_BUCKET_AND_ACCOUNT_SETTINGS

Finding description:

Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an AWS IAM principal with sufficient S3 permissions can enable public access at the bucket or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-3, AC-5, AC-6, MP-2, SC-7
  • PCI-DSS v4.0: 1.3.1
  • ISO-27001 v2022: A.5.10, A.5.15, A.8.3, A.8.4
  • Cloud Controls Matrix 4: DSP-17
  • NIST Cybersecurity Framework 1.0: PR-AC-4
  • SOC2 v2017: CC5.2.3, CC6.1.3, CC6.1.7
  • HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii), 164.312(a)(1)
  • CIS AWS Foundation 2.0.0: 2.1.4
  • CIS Controls 8.0: 3.3

Ensure that S3 buckets are configured with Block public access (bucket settings).

  • Real-time scans: No

S3 Bucket Access Logging Enabled Cloudtrail S3 Bucket

Category name in the API: S3_BUCKET_ACCESS_LOGGING_ENABLED_CLOUDTRAIL_S3_BUCKET

Finding description:

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-6, AU-12, AU-2
  • PCI-DSS v4.0: 10.2.1, 10.2.1.1
  • ISO-27001 v2022: A.8.15
  • Cloud Controls Matrix 4: DSP-17
  • SOC2 v2017: CC6.1.1, CC6.1.10, CC6.1.11, CC6.1.12, CC6.1.13, CC6.1.2, CC6.1.3, CC6.1.4, CC6.1.5, CC6.1.6, CC6.1.7, CC6.1.8, CC6.1.9
  • HIPAA: 164.312(b), 164.312(c)(1), 164.312(c)(2)
  • CIS AWS Foundation 2.0.0: 3.6
  • CIS AWS Foundation 3.0.0: 3.4
  • CIS Controls 8.0: 3.14, 8.2

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

  • Real-time scans: No

S3 Bucket Logging Enabled

Category name in the API: S3_BUCKET_LOGGING_ENABLED

Finding description:

The AWS S3 server access logging feature records access requests to storage buckets, which is useful for security audits. By default, server access logging is not enabled for S3 buckets.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(8)
  • PCI-DSS v3.2.1: 10.3.1

Checks if logging is enabled on all S3 buckets

  • Real-time scans: No

S3 Bucket Policy Set Deny Http Requests

Category name in the API: S3_BUCKET_POLICY_SET_DENY_HTTP_REQUESTS

Finding description:

At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-17, IA-5, SC-8
  • PCI-DSS v4.0: 2.2.7, 4.1.1, 4.2.1, 4.2.1.2, 4.2.2, 8.3.2
  • ISO-27001 v2022: A.5.14
  • Cloud Controls Matrix 4: CEK-03
  • NIST Cybersecurity Framework 1.0: PR-DS-2
  • SOC2 v2017: CC6.1.11, CC6.1.3, CC6.1.8, CC6.7.2
  • HIPAA: 164.312(a)(2)(iv), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii)
  • CIS AWS Foundation 2.0.0: 2.1.1
  • CIS AWS Foundation 3.0.0: 2.1.1
  • CIS Controls 8.0: 3.10

Ensure S3 Bucket Policy is set to deny HTTP requests

  • Real-time scans: No
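The check above passes only when a bucket policy carries a Deny statement that covers every principal, all S3 actions, the bucket ARN and its objects, and is conditioned on aws:SecureTransport being false. The following is an added example of that evaluation logic, not Security Command Center's or AWS's own code. The policy documents and the bucket name "example-bucket" are constructed for illustration, and the account ID used is the AWS documentation placeholder.

```python
"""Evaluate whether an S3 bucket policy denies plain-HTTP requests.

Added example, not the detector's own implementation.  The policies below are
constructed inline; "example-bucket" and account 111122223333 are placeholders.
"""
from __future__ import annotations

import json


def _as_list(value) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _arn_matches(pattern: str, arn: str) -> bool:
    """Match an ARN against a policy Resource entry, honouring a trailing '*'."""
    if pattern.endswith("*"):
        return arn.startswith(pattern[:-1])
    return pattern == arn


def _is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (anonymous and all accounts)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def denies_insecure_transport(policy: dict, bucket: str) -> bool:
    """True if some statement denies all principals every S3 action on both the
    bucket and its objects whenever the request was not made over TLS."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _is_everyone(stmt.get("Principal")):
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"s3:*", "*"}:
            continue  # a Deny on a subset of actions still leaves HTTP paths open
        resources = _as_list(stmt.get("Resource"))

        def covers(arn: str) -> bool:
            return any(_arn_matches(p, arn) for p in resources)

        # Both ARNs are needed: "bucket/*" alone leaves bucket-level calls
        # such as ListBucket reachable over HTTP.
        if not (covers(bucket_arn) and covers(object_arn)):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def secure_transport_policy(bucket: str) -> dict:
    """A minimal policy document that satisfies the check."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def noncompliant_buckets(bucket_policies: dict[str, dict]) -> list[str]:
    """Return the buckets (sorted) whose policy does not deny HTTP requests."""
    return sorted(b for b, p in bucket_policies.items()
                  if not denies_insecure_transport(p, b))


# Constructed policies: one with no Deny at all, one with a Deny that covers
# only the objects and therefore still fails the check.
ALLOW_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
OBJECTS_ONLY_DENY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": False}}}]}

if __name__ == "__main__":
    inventory = {"example-bucket": ALLOW_ONLY_POLICY,
                 "logs-example": OBJECTS_ONLY_DENY,
                 "hardened-example": secure_transport_policy("hardened-example")}
    print("non-compliant:", noncompliant_buckets(inventory))
    print(json.dumps(secure_transport_policy("example-bucket"), indent=2))
```

The objects-only case is the one worth remembering: a Deny scoped to `bucket/*` is a common partial fix that the detector still reports, because bucket-level operations are not covered.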

S3 Bucket Replication Enabled

Category name in the API: S3_BUCKET_REPLICATION_ENABLED

Finding description:

This control checks whether an Amazon S3 bucket has Cross-Region Replication enabled. The control fails if the bucket doesn't have Cross-Region Replication enabled or if Same-Region Replication is also enabled.

Replication is the automatic, asynchronous copying of objects across buckets in the same or different AWS Regions. Replication copies newly created objects and object updates from a source bucket to a destination bucket or buckets. AWS best practices recommend replication for source and destination buckets that are owned by the same AWS account. In addition to availability, you should consider other systems hardening settings.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-13(5)

Checks whether S3 buckets have cross-region replication enabled

  • Real-time scans: No

S3 Bucket Server Side Encryption Enabled

Category name in the API: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED

Finding description:

This checks that your S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(6)
  • PCI-DSS v3.2.1: 10.5.2

Ensure all S3 buckets employ encryption-at-rest

  • Real-time scans: No

S3 Bucket Versioning Enabled

Category name in the API: S3_BUCKET_VERSIONING_ENABLED

Finding description:

Amazon S3 versioning is a means of keeping multiple variants of an object in the same bucket and can help you to recover more easily from both unintended user actions and application failures.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-13(5)
  • PCI-DSS v3.2.1: 10.5.5

Checks that versioning is enabled for all S3 buckets

  • Real-time scans: No

S3 Default Encryption Kms

Category name in the API: S3_DEFAULT_ENCRYPTION_KMS

Finding description:

Checks whether the Amazon S3 buckets are encrypted with AWS Key Management Service (AWS KMS).

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(6)

Checks that all buckets are encrypted with KMS

  • Real-time scans: No

Sagemaker Notebook Instance Kms Key Configured

Category name in the API: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED

Finding description:

Checks if an AWS Key Management Service (AWS KMS) key is configured for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if 'KmsKeyId' is not specified for the SageMaker notebook instance.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(6)
  • PCI-DSS v3.2.1: 8.2.1

Checks that all SageMaker notebook instances are configured to use KMS

  • Real-time scans: No

Sagemaker Notebook No Direct Internet Access

Category name in the API: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS

Finding description:

Checks whether direct internet access is disabled for a SageMaker notebook instance. To do this, it checks whether the DirectInternetAccess field is disabled for the notebook instance.

If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable—Access the internet through a VPC.

To train or host models from a notebook, you need internet access. To enable internet access, make sure that your VPC has a NAT gateway and your security group allows outbound connections. To learn more about how to connect a notebook instance to resources in a VPC, see Connect a notebook instance to resources in a VPC in the Amazon SageMaker Developer Guide.

You should also ensure that access to your SageMaker configuration is limited to only authorized users. Restrict users' IAM permissions to modify SageMaker settings and resources.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2

Checks whether direct internet access is disabled for all Amazon SageMaker notebook instances

  • Real-time scans: No

Secretsmanager Rotation Enabled Check

Category name in the API: SECRETSMANAGER_ROTATION_ENABLED_CHECK

Finding description:

Checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. The control fails if the secret isn't configured with automatic rotation. If you provide a custom value for the maximumAllowedRotationFrequency parameter, the control passes only if the secret is automatically rotated within the specified window of time.

Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.

Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: AC-3(15)
  • PCI-DSS v3.2.1: 8.2.4

Checks that all AWS Secrets Manager secrets have rotation enabled

  • Real-time scans: No

Sns Encrypted Kms

Category name in the API: SNS_ENCRYPTED_KMS

Finding description:

Checks whether an SNS topic is encrypted at rest using AWS KMS. The control fails if an SNS topic doesn't use a KMS key for server-side encryption (SSE).

Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at rest for an added layer of security.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-7(6)

Checks that all SNS topics are encrypted with KMS

  • Real-time scans: No

Vpc Default Security Group Closed

Category name in the API: VPC_DEFAULT_SECURITY_GROUP_CLOSED

Finding description:

This control checks whether the default security group of a VPC allows inbound or outbound traffic. The control fails if the security group allows inbound or outbound traffic.

The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. We recommend that you don't use the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2
  • CIS AWS Foundation 3.0.0: 4.14

Ensure the default security group of every VPC restricts all traffic

  • Real-time scans: No

Vpc Flow Logging Enabled All Vpcs

Category name in the API: VPC_FLOW_LOGGING_ENABLED_ALL_VPCS

Finding description:

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-4, SI-7(8)
  • PCI-DSS v3.2.1: 10.3.1
  • ISO-27001 v2022: A.8.15, A.8.16
  • Cloud Controls Matrix 4: IVS-03
  • NIST Cybersecurity Framework 1.0: DE-CM-1
  • SOC2 v2017: CC7.2.1, CC7.2.2, CC7.2.3, CC7.2.4
  • CIS AWS Foundation 2.0.0: 3.9
  • CIS AWS Foundation 3.0.0: 3.7
  • CIS Controls 8.0: 13.6, 8.2

Ensure VPC flow logging is enabled in all VPCs

  • Real-time scans: No

Vpc Sg Open Only To Authorized Ports

Category name in the API: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS

Finding description:

This control checks whether an Amazon EC2 security group permits unrestricted incoming traffic from unauthorized ports. The control status is determined as follows:

If you use the default value for authorizedTcpPorts, the control fails if the security group permits unrestricted incoming traffic from any port other than ports 80 and 443.

If you provide custom values for authorizedTcpPorts or authorizedUdpPorts, the control fails if the security group permits unrestricted incoming traffic from any unlisted port.

If no parameter is used, the control fails for any security group that has an unrestricted inbound traffic rule.

Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principle of least privilege. Unrestricted access (an IP address range with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data. Unless a port is specifically allowed, the port should deny unrestricted access.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SC-7
  • PCI-DSS v3.2.1: 2.2.2

Checks that any security group in any VPC that allows traffic from 0.0.0.0/0 permits only specific inbound TCP/UDP traffic

  • Real-time scans: No
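The two security group controls above (the default security group restricting all traffic, and world-reachable groups exposing only authorized ports) can be evaluated with the same rule-parsing helpers. The following is an added example, not Security Command Center's detector code. It operates on a dict shaped like the EC2 DescribeSecurityGroups response, with constructed sample groups so it runs offline; to run it against an account, pass the result of `boto3.client("ec2").describe_security_groups()` instead. The `authorizedTcpPorts` and `authorizedUdpPorts` parameters of the control are modelled as the `authorized_tcp` and `authorized_udp` arguments.

```python
"""Evaluate EC2 security groups against the two controls described above.

Added example, not Security Command Center code. Input is shaped like the
EC2 DescribeSecurityGroups response; the sample data is constructed.
"""

UNRESTRICTED_CIDRS = {"0.0.0.0/0", "::/0"}
DEFAULT_AUTHORIZED_TCP = (80, 443)  # the control's default for authorizedTcpPorts


def rule_is_unrestricted(perm):
    """True if an IpPermissions entry admits any IPv4 or IPv6 source."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in UNRESTRICTED_CIDRS for c in cidrs if c)


def ports_in_rule(perm):
    """Set of ports a rule covers, or None when it covers every port
    (IpProtocol "-1", or a port range left unspecified)."""
    if perm.get("IpProtocol") == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return None
    return set(range(lo, hi + 1))


def default_sg_restricts_all(sg):
    """Default security group check: True when the group has no inbound and
    no outbound rules; None for non-default groups (check not applicable)."""
    if sg.get("GroupName") != "default":
        return None
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def unauthorized_open_ports(sg, authorized_tcp=(), authorized_udp=()):
    """List (protocol, port) pairs open to the world but not on an allowlist.
    With both allowlists empty (the control's "no parameter" case) every
    unrestricted inbound rule is reported; pass DEFAULT_AUTHORIZED_TCP to
    reproduce the control's default of allowing only 80 and 443."""
    allowed = {"tcp": set(authorized_tcp), "udp": set(authorized_udp)}
    violations = []
    for perm in sg.get("IpPermissions", []):
        if not rule_is_unrestricted(perm):
            continue
        proto = perm.get("IpProtocol")
        ports = ports_in_rule(perm)
        if ports is None:
            violations.append((proto, "all"))
            continue
        for port in sorted(ports - allowed.get(proto, set())):
            violations.append((proto, port))
    return violations


def evaluate(response, authorized_tcp=(), authorized_udp=()):
    """Run both checks over every group in a DescribeSecurityGroups response."""
    return {
        sg["GroupId"]: {
            "default_restricts_all": default_sg_restricts_all(sg),
            "unauthorized_ports": unauthorized_open_ports(sg, authorized_tcp, authorized_udp),
        }
        for sg in response.get("SecurityGroups", [])
    }


# Constructed sample data, not taken from any real account.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {   # default group still carrying its out-of-the-box rules
            "GroupId": "sg-default-sample", "GroupName": "default", "VpcId": "vpc-sample",
            "IpPermissions": [{"IpProtocol": "-1",
                               "UserIdGroupPairs": [{"GroupId": "sg-default-sample"}]}],
            "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        },
        {   # web group: 443 is authorized by default, 22 is not, 5432 is not world-open
            "GroupId": "sg-web-sample", "GroupName": "web", "VpcId": "vpc-sample",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            ],
            "IpPermissionsEgress": [],
        },
    ]
}

if __name__ == "__main__":
    for group_id, result in evaluate(SAMPLE_RESPONSE, DEFAULT_AUTHORIZED_TCP).items():
        print(group_id, result)
```

Note that the IPv6 wildcard `::/0` is treated the same as `0.0.0.0/0`; a group that is closed to IPv4 but open to all of IPv6 is still world-reachable.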

Both VPC VPN Tunnels Up

Category name in the API: VPC_VPN_2_TUNNELS_UP

Finding description:

A VPN tunnel is an encrypted link where data can pass from the customer network to or from AWS within an AWS Site-to-Site VPN connection. Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability. Ensuring that both VPN tunnels are up for a VPN connection is important for confirming a secure and highly available connection between an AWS VPC and your remote network.

This control checks that both VPN tunnels provided by AWS Site-to-Site VPN are in UP status. The control fails if one or both tunnels are in DOWN status.

Pricing tier: Enterprise

Fix this finding

Compliance standards:

  • NIST 800-53 R5: SI-13(5)

Checks that both AWS VPN tunnels provided by AWS site-to-site are in UP status

  • Real-time scans: No

Web Security Scanner findings

Web Security Scanner custom and managed scans identify the following finding types. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.

Each entry lists the category and finding description, followed by the OWASP 2017 Top 10 and OWASP 2021 Top 10 categories that the finding maps to.

Accessible Git repository

Category name in the API: ACCESSIBLE_GIT_REPOSITORY

A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the GIT repository.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A5; OWASP 2021 Top 10: A01

Accessible SVN repository

Category name in the API: ACCESSIBLE_SVN_REPOSITORY

An SVN repository is exposed publicly. To resolve this finding, remove public unintentional access to the SVN repository.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A5; OWASP 2021 Top 10: A01

Cacheable password input

Category name in the API: CACHEABLE_PASSWORD_INPUT

Passwords entered on the web application can be cached in a regular browser cache instead of a secure password storage.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A3; OWASP 2021 Top 10: A04

Clear text password

Category name in the API: CLEAR_TEXT_PASSWORD

Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password transmitted over the network.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A3; OWASP 2021 Top 10: A02

Insecure allow origin ends with validation

Category name in the API: INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION

A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the Origin header value belongs to the expected root domain (the domain itself or one of its subdomains) before reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards, prepend the dot to the root domain, for example .endsWith(".google.com"), so that an unrelated domain that merely ends in the same characters does not match.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A5; OWASP 2021 Top 10: A01

Insecure allow origin starts with validation

Category name in the API: INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION

A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected domain fully matches the Origin header value before reflecting it in the Access-Control-Allow-Origin response header, for example .equals(".google.com").

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A5; OWASP 2021 Top 10: A01
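The two preceding findings (suffix-only and prefix-only Origin validation) share one root cause: a string comparison on the raw header instead of a comparison on the parsed host. The following is an added example, not Web Security Scanner code or any project's CORS implementation. It shows both flawed checks beside a hardened validator written in Python for a server-side handler; `example.com` and `attacker.example` are constructed placeholder domains standing in for the `.google.com` example in the finding text.

```python
"""Origin validation for CORS: the two flawed string checks that trigger the
findings above, beside a host-based check that resolves them.

Added example, not Web Security Scanner code. Domains are constructed.
"""
from urllib.parse import urlsplit

ROOT_DOMAIN = "example.com"  # constructed stand-in for the page's google.com example


def insecure_ends_with(origin):
    """Suffix check without the leading dot (INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION):
    an unrelated domain such as https://evilexample.com also ends in 'example.com'."""
    return origin.endswith(ROOT_DOMAIN)


def insecure_starts_with(origin):
    """Prefix check (INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION):
    https://example.com.attacker.example starts with the expected prefix."""
    return origin.startswith("https://" + ROOT_DOMAIN)


def allowed_origin(origin, root=ROOT_DOMAIN, allow_subdomains=True):
    """Hardened check: parse the Origin, require https, then require the host to
    equal the root exactly or, when subdomains are wanted, end with '.' + root.
    The leading dot is what the finding text recommends and is what prevents
    'evilexample.com' from matching 'example.com'."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False  # also rejects the literal Origin value 'null'
    host = parts.hostname.lower()
    if host == root:
        return True
    return allow_subdomains and host.endswith("." + root)


def cors_headers(request_origin, **kwargs):
    """Headers to add to a response: reflect the Origin only after it passes
    allowed_origin(); 'Vary: Origin' keeps caches from serving one origin's
    response to another."""
    if allowed_origin(request_origin, **kwargs):
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    # Constructed origins: which checks accept them?
    for origin in ("https://api.example.com", "https://evilexample.com",
                   "https://example.com.attacker.example", "http://api.example.com"):
        print(origin, insecure_ends_with(origin), insecure_starts_with(origin),
              allowed_origin(origin))
```

Parsing with `urlsplit` before comparing also handles origins that carry a port or userinfo, which raw string checks mishandle; the scheme check keeps an HTTP origin from being reflected into an HTTPS application's response.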

Invalid content type

Category name in the API: INVALID_CONTENT_TYPE

A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this finding, set X-Content-Type-Options HTTP header with the correct value.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A6; OWASP 2021 Top 10: A05

Invalid header

Category name in the API: INVALID_HEADER

A security header has a syntax error and is ignored by browsers. To resolve this finding, set HTTP security headers correctly.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A6; OWASP 2021 Top 10: A05

Mismatching security header values

Category name in the API: MISMATCHING_SECURITY_HEADER_VALUES

A security header has duplicated, mismatching values, which result in undefined behavior. To resolve this finding, set HTTP security headers correctly.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A6; OWASP 2021 Top 10: A05

Misspelled security header name

Category name in the API: MISSPELLED_SECURITY_HEADER_NAME

A security header is misspelled and is ignored. To resolve this finding, set HTTP security headers correctly.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A6; OWASP 2021 Top 10: A05

Mixed content

Category name in the API: MIXED_CONTENT

Resources are being served over HTTP on an HTTPS page. To resolve this finding, make sure that all resources are served over HTTPS.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A6; OWASP 2021 Top 10: A05

Outdated library

Category name in the API: OUTDATED_LIBRARY

A library was detected that has known vulnerabilities. To resolve this finding, upgrade libraries to a newer version.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A9; OWASP 2021 Top 10: A06

Server side request forgery

Category name in the API: SERVER_SIDE_REQUEST_FORGERY

A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an allowlist to limit the domains and IP addresses that the web application can make requests to.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: Not applicable; OWASP 2021 Top 10: A10

Session ID leak

Category name in the API: SESSION_ID_LEAK

When making a cross-domain request, the web application includes the user's session identifier in its Referer request header. This vulnerability gives the receiving domain access to the session identifier, which can be used to impersonate or uniquely identify the user.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A2; OWASP 2021 Top 10: A07

SQL injection

Category name in the API: SQL_INJECTION

A potential SQL injection vulnerability was detected. To resolve this finding, use parameterized queries to prevent user inputs from influencing the structure of the SQL query.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A1; OWASP 2021 Top 10: A03

Struts insecure deserialization

Category name in the API: STRUTS_INSECURE_DESERIALIZATION

The use of a vulnerable version of Apache Struts was detected. To resolve this finding, upgrade Apache Struts to the latest version.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A8; OWASP 2021 Top 10: A08

XSS

Category name in the API: XSS

A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A7; OWASP 2021 Top 10: A03

XSS angular callback

Category name in the API: XSS_ANGULAR_CALLBACK

A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by Angular framework.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A7; OWASP 2021 Top 10: A03

XSS error

Category name in the API: XSS_ERROR

A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A7; OWASP 2021 Top 10: A03

XXE reflected file leakage

Category name in the API: XXE_REFLECTED_FILE_LEAKAGE

An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to leak a file on the host. To resolve this finding, configure your XML parsers to disallow external entities.

Pricing tier: Premium

Fix this finding

OWASP 2017 Top 10: A4; OWASP 2021 Top 10: A05

Prototype pollution

Category name in the API: PROTOTYPE_POLLUTION

The application is vulnerable to prototype pollution. This vulnerability arises when properties of the Object.prototype object can be assigned attacker-controllable values. Because every object inherits from these prototypes, values planted on them commonly lead to cross-site scripting or similar client-side vulnerabilities, as well as logic bugs.

Pricing tier: Premium or Standard

Fix this finding

OWASP 2017 Top 10: A1; OWASP 2021 Top 10: A03

IAM recommender findings

The following table lists the Security Command Center findings that are generated by IAM recommender.

Each IAM recommender finding contains specific recommendations to remove or replace a role that includes excessive permissions from a principal in your Google Cloud environment.

The findings that are generated by IAM recommender correspond to recommendations that appear in the Google Cloud console on the IAM page of the affected project, folder, or organization.

For more information about the integration of IAM recommender with Security Command Center, see Security sources.


IAM role has excessive permissions

Category name in the API: IAM_ROLE_HAS_EXCESSIVE_PERMISSIONS

Finding description: IAM recommender detected a service account that has one or more IAM roles that give excessive permissions to the user account.

Pricing tier: Premium

Supported assets:

Fix this finding:

Use IAM recommender to apply the recommended fix for this finding by following these steps:

  1. In the Next steps section of the finding details in the Google Cloud console, copy and paste the URL for the IAM page into a browser address bar and press Enter. The IAM page loads.
  2. Near the top of the IAM page on the right side, click View recommendations in table. The recommendations are displayed in a table.
  3. In the Security insights column, click any recommendation that relates to excess permissions. The recommendation details panel opens.
  4. Review the recommendation for the actions that you can take to resolve the issue.
  5. Click Apply.

After the issue is fixed, IAM recommender updates the status of the finding to INACTIVE within 10 days.

Service agent role replaced with basic role

Category name in the API: SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE

Finding description: IAM recommender detected that the original default IAM role granted to a service agent was replaced with one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and should not be granted to service agents.

Pricing tier: Premium

Supported assets:

Fix this finding:

Use IAM recommender to apply the recommended fix for this finding by following these steps:

  1. In the Next steps section of the finding details in the Google Cloud console, copy and paste the URL for the IAM page into a browser address bar and press Enter. The IAM page loads.
  2. Near the top of the IAM page on the right side, click View recommendations in table. The recommendations are displayed in a table.
  3. In the Security insights column, click any permission that relates to excess permissions. The recommendation details panel opens.
  4. Review the excess permissions.
  5. Click Apply.

After the issue is fixed, IAM recommender updates the status of the finding to INACTIVE within 10 days.

Service agent granted basic role

Category name in the API: SERVICE_AGENT_GRANTED_BASIC_ROLE

Finding description: IAM recommender detected that a service agent was granted one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and should not be granted to service agents.

Pricing tier: Premium

Supported assets:

Fix this finding:

Use IAM recommender to apply the recommended fix for this finding by following these steps:

  1. In the Next steps section of the finding details in the Google Cloud console, copy and paste the URL for the IAM page into a browser address bar and press Enter. The IAM page loads.
  2. Near the top of the IAM page on the right side, click View recommendations in table. The recommendations are displayed in a table.
  3. In the Security insights column, click any permission that relates to excess permissions. The recommendation details panel opens.
  4. Review the excess permissions.
  5. Click Apply.

After the issue is fixed, IAM recommender updates the status of the finding to INACTIVE within 10 days.

Unused IAM role

Category name in the API: UNUSED_IAM_ROLE

Finding description: IAM recommender detected a user account that has an IAM role that has not been used in the last 90 days.

Pricing tier: Premium

Supported assets:

Fix this finding:

Use IAM recommender to apply the recommended fix for this finding by following these steps:

  1. In the Next steps section of the finding details in the Google Cloud console, copy and paste the URL for the IAM page into a browser address bar and press Enter. The IAM page loads.
  2. Near the top of the IAM page on the right side, click View recommendations in table. The recommendations are displayed in a table.
  3. In the Security insights column, click any permission that relates to excess permissions. The recommendation details panel opens.
  4. Review the excess permissions.
  5. Click Apply.

After the issue is fixed, IAM recommender updates the status of the finding to INACTIVE within 10 days.

CIEM findings

The following table lists the Security Command Center identity and access findings for AWS that are generated by Cloud Infrastructure Entitlement Management (CIEM).

CIEM findings contain specific recommendations to remove or replace highly permissive AWS IAM policies associated with assumed identities, users, or groups in your AWS environment.

For more information about CIEM, see Overview of Cloud Infrastructure Entitlement Management.


Assumed identity has excessive permissions

Category name in the API: ASSUMED_IDENTITY_HAS_EXCESSIVE_PERMISSIONS

Finding description: In your AWS environment, CIEM detected an assumed IAM role that has one or more highly permissive policies that violate the principle of least privilege and increase security risks.

Pricing tier: Enterprise

Fix this finding:

Depending on the finding, use the AWS Management Console to perform one of the following remediation tasks:

  • Remove the highly permissive policy.
  • Create a new policy that has the minimum permissions required for the user, group, or role. Then attach the new policy to the user, group, or role, and remove the highly permissive policy.

Refer to the details of the finding for specific remediation steps.

Group has excessive permissions

Category name in the API: GROUP_HAS_EXCESSIVE_PERMISSIONS

Finding description: In your AWS environment, CIEM detected an AWS IAM or AWS IAM Identity Center group that has one or more highly permissive policies that violate the principle of least privilege and increase security risks.

Pricing tier: Enterprise

Fix this finding:

Depending on the finding, use the AWS Management Console to perform one of the following remediation tasks:

  • Remove the highly permissive policy.
  • Create a new policy that has the minimum permissions required for the user, group, or role. Then attach the new policy to the user, group, or role, and remove the highly permissive policy.

Refer to the details of the finding for specific remediation steps.

User has excessive permissions

Category name in the API: USER_HAS_EXCESSIVE_PERMISSIONS

Finding description: In your AWS environment, CIEM detected an AWS IAM or AWS IAM Identity Center user that has one or more highly permissive policies that violate the principle of least privilege and increase security risks.

Pricing tier: Enterprise

Fix this finding:

Depending on the finding, use the AWS Management Console to perform one of the following remediation tasks:

  • Remove the highly permissive policy.
  • Create a new policy that has the minimum permissions required for the user, group, or role. Then attach the new policy to the user, group, or role, and remove the highly permissive policy.

Refer to the details of the finding for specific remediation steps.

User is inactive

Category name in the API: INACTIVE_USER

Finding description: In your AWS environment, CIEM detected an AWS IAM or AWS IAM Identity Center user that is inactive and has one or more permissions. This violates the principle of least privilege and increases security risks.

Pricing tier: Enterprise

Fix this finding:

Depending on the finding, use the AWS Management Console to perform one of the following remediation tasks:

  • Remove the permissions attached to the AWS IAM or AWS IAM Identity Center user.
  • Delete the AWS IAM or AWS IAM Identity Center user if you are confident that the identity is no longer required.

Refer to the details of the finding for specific remediation steps.

Group is inactive

Category name in the API: INACTIVE_GROUP

Finding description: In your AWS environment, CIEM detected an AWS IAM or AWS IAM Identity Center group that is inactive and has one or more permissions. This violates the principle of least privilege and increases security risks.

Pricing tier: Enterprise

Fix this finding:

Depending on the finding, use the AWS Management Console to perform one of the following remediation tasks:

  • Remove the policy or policies attached to the AWS IAM group.
  • Delete some or all AWS IAM or AWS IAM Identity Center users that make up the group if you are confident that these identities are no longer required.

Refer to the details of the finding for specific remediation steps.

Assumed identity is inactive

Category name in the API: INACTIVE_ASSUMED_IDENTITY

Finding description: In your AWS environment, CIEM detected an assumed IAM role that is inactive and has one or more permissions. This violates the principle of least privilege and increases security risks.

Pricing tier: Enterprise

Fix this finding:

Depending on the finding, use the AWS Management Console to perform one of the following remediation tasks:

  • Remove the policy or policies attached to the AWS IAM role.
  • Delete the assumed identity if you are confident that the identity is no longer required.

Refer to the details of the finding for specific remediation steps.

Overly permissive trust policy enforced on assumed identity

Category name in the API: OVERLY_PERMISSIVE_TRUST_POLICY_ENFORCED_ON_ASSUMED_IDENTITY

Finding description: In your AWS environment, CIEM detected an overly permissive trust policy enforced on an AWS IAM role that violates the principle of least privilege and increases security risks.

Pricing tier: Enterprise

Fix this finding:

Use the AWS Management Console to edit the permissions in the trust policy enforced on the AWS IAM role to adhere to the principle of least privilege.

Refer to the details of the finding for specific remediation steps.

Assumed identity has lateral movement risk

Category name in the API: ASSUMED_IDENTITY_HAS_LATERAL_MOVEMENT_RISK

Finding description: In your AWS environment, CIEM detected one or more identities that can move laterally through impersonation.

Pricing tier: Enterprise

Fix this finding:

Use the AWS Management Console to remove the policy or policies attached to the identity or identities that permit lateral movement.

Refer to the details of the finding for specific remediation steps.

Security posture service findings

The following table lists the Security Command Center findings that are generated by the security posture service.

Each security posture service finding identifies an instance of drift from your defined security posture.


SHA Canned Module Drifted

Category name in the API: SECURITY_POSTURE_DETECTOR_DRIFT

Finding description: The security posture service detected a change to a Security Health Analytics detector that occurred outside of a posture update.

Pricing tier: Premium

Fix this finding:

This finding requires that you accept the change or revert the change so that the detector settings in your posture and your environment match. You have two options to resolve this finding: you can update the Security Health Analytics detector or you can update the posture and posture deployment.

To revert the change, update the Security Health Analytics detector in the Google Cloud console. For instructions, see Enable and disable detectors.

To accept the change, complete the following:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

SHA Custom Module Drifted

Category name in the API: SECURITY_POSTURE_DETECTOR_DRIFT

Finding description: The security posture service detected a change to a Security Health Analytics custom module that occurred outside of a posture update.

Pricing tier: Premium

Fix this finding:

This finding requires that you accept the change or revert the change so that the custom module settings in your posture and your environment match. You have two options to resolve this finding: you can update the Security Health Analytics custom module or you can update the posture and posture deployment.

To revert the change, update the Security Health Analytics custom module in the Google Cloud console. For instructions, see Update a custom module.

To accept the change, complete the following:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

SHA Custom Module Deleted

Category name in the API: SECURITY_POSTURE_DETECTOR_DELETE

Finding description: The security posture service detected that a Security Health Analytics custom module was deleted. This deletion occurred outside of a posture update.

Pricing tier: Premium

Fix this finding:

This finding requires that you accept the change or revert the change so that the custom module settings in your posture and your environment match. You have two options to resolve this finding: you can update the Security Health Analytics custom module or you can update the posture and posture deployment.

To revert the change, update the Security Health Analytics custom module in the Google Cloud console. For instructions, see Update a custom module.

To accept the change, complete the following:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Org Policy Canned Constraint Drifted

Category name in the API: SECURITY_POSTURE_POLICY_DRIFT

Finding description: The security posture service detected a change to an organization policy that occurred outside of a posture update.

Pricing tier: Premium

Fix this finding:

This finding requires that you accept the change or revert the change so that the organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the organization policy or you can update the posture and posture deployment.

To revert the change, update the organization policy in the Google Cloud console. For instructions, see Creating and editing policies.

To accept the change, complete the following:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Org Policy Canned Constraint Deleted

Category name in the API: SECURITY_POSTURE_POLICY_DELETE

Finding description: The security posture service detected that an organization policy was deleted. This deletion occurred outside of a posture update.

Pricing tier: Premium

Fix this finding:

This finding requires that you accept the change or revert the change so that the organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the organization policy or you can update the posture and posture deployment.

To revert the change, update the organization policy in the Google Cloud console. For instructions, see Creating and editing policies.

To accept the change, complete the following:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Org Policy Custom Constraint Drifted

Category name in the API: SECURITY_POSTURE_POLICY_DRIFT

Finding description: The security posture service detected a change to a custom organization policy that occurred outside of a posture update.

Pricing tier: Premium

Fix this finding:

This finding requires that you accept the change or revert the change so that the custom organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the custom organization policy or you can update the posture and posture deployment.

To revert the change, update the custom organization policy in the Google Cloud console. For instructions, see Update a custom constraint.

To accept the change, complete the following:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Org Policy Custom Constraint Deleted

Category name in the API: SECURITY_POSTURE_POLICY_DELETE

Finding description: The security posture service detected that a custom organization policy was deleted. This deletion occurred outside of a posture update.

Pricing tier: Premium

Fix this finding:

This finding requires that you accept the change or revert the change so that the custom organization policy definitions in your posture and your environment match. You have two options to resolve this finding: you can update the custom organization policy or you can update the posture and posture deployment.

To revert the change, update the custom organization policy in the Google Cloud console. For instructions, see Update a custom constraint.

To accept the change, complete the following:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

The following table lists the security posture findings that identify resources that violate your defined security posture.


Disable VPC External IPv6

Category name in the API: DISABLE_VPC_EXTERNAL_IP_V6_ORG_POLICY

Finding description: The security posture service detected that a subnetwork has an external IPv6 address enabled.

Pricing tier: Premium

Fix this finding:

You have two options to resolve this finding: you can delete the violating resource, or you can update the posture and re-deploy the posture.

To delete the resource, complete the following steps:

  1. Open the finding summary.
  2. Check the affected resource section, and find the full name of the resource that is violating the posture policy.
  3. Click the resource full name to open its details.
  4. Delete the resource.

If you want to keep the resource in the same configuration, you need to update the posture. To update the posture, complete the following steps:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Disable VPC Internal IPv6

Category name in the API: DISABLE_VPC_INTERNAL_IP_V6_ORG_POLICY

Finding description: The security posture service detected that a subnetwork has an internal IPv6 address enabled.

Pricing tier: Premium

Fix this finding:

You have two options to resolve this finding: you can delete the violating resource, or you can update the posture and re-deploy the posture.

To delete the resource, complete the following steps:

  1. Open the finding summary.
  2. Check the affected resource section, and find the full name of the resource that is violating the posture policy.
  3. Click the resource full name to open its details.
  4. Delete the resource.

If you want to keep the resource in the same configuration, you need to update the posture. To update the posture, complete the following steps:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Require OS Login

Category name in the API: REQUIRE_OS_LOGIN_ORG_POLICY

Finding description: The security posture service detected that OS Login is disabled in a VM instance.

Pricing tier: Premium

Fix this finding:

You have two options to resolve this finding: you can update the violating resource, or you can update the posture and re-deploy the posture.

To update the resource, complete the following steps:

  1. Open the finding summary.
  2. Check the affected resource section, and find the full name of the resource that is violating the posture policy.
  3. Click the resource full name to open its details.
  4. Edit the resource. Find the metadata section, and change the entry with key enable-oslogin to TRUE.
  5. Save the resource.

If you want to keep the resource in the same configuration, you need to update the posture. To update the posture, complete the following steps:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Restrict Authorized Networks

Category name in the API: RESTRICT_AUTHORIZED_NETWORKS_ORG_POLICY

Finding description: The security posture service detected that an authorized network is added to a SQL instance.

Pricing tier: Premium

Fix this finding:

This finding requires that you fix the violation or update the posture. You have two options to resolve this finding: you can update the violating resource, or you can update the posture and re-deploy the posture.

To update the resource, complete the following steps:

  1. Open the finding summary.
  2. Check the affected resource section, and find the full name of the resource that is violating the posture policy.
  3. Click the resource full name to open its details.
  4. Edit the resource. Find the Authorized networks section under the Connections section, and delete all of its entries.
  5. Save the resource.

If you want to keep the resource in the same configuration, you need to update the posture. To update the posture, complete the following steps:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Require VPC Connector

Category name in the API: REQUIRE_VPC_CONNECTOR_ORG_POLICY

Finding description: The security posture service detected that a VPC connector is not enabled for a Cloud Run function instance.

Pricing tier: Premium

Fix this finding:

You have two options to resolve this finding: you can update the violating resource, or you can update the posture and re-deploy the posture.

To update the resource, complete the following steps:

  1. Open the finding summary.
  2. Check the affected resource section, and find the full name of the resource that is violating the posture policy.
  3. Click the resource full name to open its details.
  4. Click Edit.
  5. Click the Connections tab.
  6. Find the Egress settings section. In the Network menu, select an appropriate VPC connector.
  7. Click Next.
  8. Click Deploy.

If you want to keep the resource in the same configuration, you need to update the posture. To update the posture, complete the following steps:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Disabled Serial Port Access

Category name in the API: DISABLED_SERIAL_PORT_ACCESS_ORG_POLICY

Finding description: The security posture service detected that serial port access to a VM instance is enabled.

Pricing tier: Premium

Fix this finding:

You have two options to resolve this finding: you can update the violating resource, or you can update the posture and re-deploy the posture.

To update the resource, complete the following steps:

  1. Open the finding summary.
  2. Check the affected resource section, and find the full name of the resource that is violating the posture policy.
  3. Click the resource full name to open its details.
  4. Edit the resource. Find the remote access section, and uncheck the Enable connecting to serial ports checkbox.
  5. Save the resource.

If you want to keep the resource in the same configuration, you need to update the posture. To update the posture, complete the following steps:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Skip Default Network Creation

Category name in the API: SKIP_DEFAULT_NETWORK_CREATION_ORG_POLICY

Finding description: The security posture service detected that a default network is created.

Pricing tier: Premium

Fix this finding:

You have two options to resolve this finding: you can delete the violating resource, or you can update the posture and re-deploy the posture.

To delete the resource, complete the following steps:

  1. Open the finding summary.
  2. Check the affected resource section, and find the full name of the resource that is violating the posture policy.
  3. Click the resource full name to open its details.
  4. Delete the resource.

If you want to keep the resource in the same configuration, you need to update the posture. To update the posture, complete the following steps:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Allowed Ingress

Category name in the API: ALLOWED_INGRESS_ORG_POLICY

Finding description: The security posture service detected that a Cloud Run service doesn't comply with specified ingress settings.

Pricing tier: Premium

Fix this finding:

You have two options to resolve this finding: you can update the violating resource, or you can update the posture and re-deploy the posture.

To update the resource, complete the following steps:

  1. Open the finding summary.
  2. Check the affected resource section, and find the full name of the resource that is violating the posture policy.
  3. Click the resource full name to open its details.
  4. Click the Networking tab. Change the settings to match the allowed ingress policy.
  5. Save the resource.

If you want to keep the resource in the same configuration, you need to update the posture. To update the posture, complete the following steps:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Uniform Bucket Level Access

Category name in the API: UNIFORM_BUCKET_LEVEL_ACCESS_ORG_POLICY

Finding description: The security posture service detected that a bucket's access control is fine-grained instead of uniform.

Pricing tier: Premium

Fix this finding:

You have two options to resolve this finding: you can update the violating resource, or you can update the posture and re-deploy the posture.

To update the resource, complete the following steps:

  1. Open the finding summary.
  2. Check the affected resource section, and find the full name of the resource that is violating the posture policy.
  3. Click the resource full name to open its details.
  4. Click the Permissions tab. In the Access control card, click Switch to uniform.
  5. Select uniform and save.

If you want to keep the resource in the same configuration, you need to update the posture. To update the posture, complete the following steps:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

Allowed VPC Egress

Category name in the API: ALLOWED_VPC_EGRESS_ORG_POLICY

Finding description: The security posture service detected that a Cloud Run service doesn't comply with specified egress settings.

Pricing tier: Premium

Fix this finding:

You have two options to resolve this finding: you can update the violating resource, or you can update the posture and re-deploy the posture.

To update the resource, complete the following steps:

  1. Open the finding summary.
  2. Check the affected resource section, and find the full name of the resource that is violating the posture policy.
  3. Click the resource full name to open its details.
  4. Click Edit & deploy new revision, and then click the Networking tab. Change the Traffic routing setting in the Connect to a VPC for outbound traffic section to match the allowed egress policy.
  5. Deploy the resource.

If you want to keep the resource in the same configuration, you need to update the posture. To update the posture, complete the following steps:

  1. Update the posture.yaml file with the change.
  2. Run the gcloud scc postures update command. For instructions, see Update the policy definitions in a posture.
  3. Deploy the updated posture with the new revision ID. For instructions, see Update a posture deployment.

VM Manager

VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine.

If you enable VM Manager with Security Command Center Premium at the organization level, VM Manager writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in operating systems installed on VMs, including Common Vulnerabilities and Exposures (CVEs).

To use VM Manager with project-level activations of Security Command Center Premium, activate Security Command Center Standard in the parent organization.

Vulnerability reports are not available for Security Command Center Standard.

Findings simplify the process of using VM Manager's Patch Compliance feature, which is in preview. The feature lets you conduct patch management at the organization level across all of your projects.

The severity of the vulnerability findings that are received from VM Manager is always either CRITICAL or HIGH.

VM Manager findings

Vulnerabilities of this type all relate to installed operating system packages in supported Compute Engine VMs.


OS vulnerability

Category name in the API: OS_VULNERABILITY

Finding description: VM Manager detected a vulnerability in the installed operating system (OS) package for a Compute Engine VM.

Pricing tier: Premium

Supported assets

compute.googleapis.com/Instance

Fix this finding

VM Manager's vulnerability reports detail vulnerabilities in installed operating system packages for Compute Engine VMs, including Common Vulnerabilities and Exposures (CVEs).

For a complete list of supported operating systems, see Operating system details.

Findings appear in Security Command Center shortly after vulnerabilities are detected. Vulnerability reports in VM Manager are generated as follows:

  • When a package is installed or updated in a VM's operating system, you can expect to see CVE information for the VM in Security Command Center within two hours after the change.
  • When new security advisories are published for an operating system, updated CVEs are normally available within 24 hours after the operating system vendor publishes the advisory.

Review findings in the console

Google Cloud console

  1. In the Google Cloud console, go to the Findings page of Security Command Center.

  2. Select your Google Cloud project or organization.
  3. In the Quick filters section, in the Source display name subsection, select VM Manager. The findings query results are updated to show only the findings from this source.
  4. To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
  5. On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
  6. Optional: To view the full JSON definition of the finding, click the JSON tab.

Security Operations console

  1. In the Security Operations console, go to the Findings page:
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. In the Aggregations section, click to expand the Source Display Name subsection.
  3. Select VM Manager. The findings query results are updated to show only the findings from this source.
  4. To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
  5. On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
  6. Optional: To view the full JSON definition of the finding, click the JSON tab.

Remediating VM Manager findings

An OS_VULNERABILITY finding indicates that VM Manager found a vulnerability in the installed operating system packages in a Compute Engine VM.

To remediate this finding, do the following:

  1. Open an OS vulnerability finding and view its JSON definition.

  2. Copy the value of the externalUri field. This value is the URI for the OS info page of the Compute Engine VM instance in which the vulnerable operating system is installed.

  3. Apply all appropriate patches for the OS that is shown in the Basic info section. For instructions on deploying patches, see Create patch jobs.

Learn about this finding type's supported assets and scan settings.

Mute VM Manager findings

You might want to hide some or all VM Manager findings in Security Command Center if they're not relevant to your security requirements.

You can hide VM Manager findings by creating a mute rule and adding query attributes specific to the VM Manager findings that you want to hide.

To create a mute rule for VM Manager by using the Google Cloud console, do the following:

  1. In the Google Cloud console, go to the Security Command Center Findings page.

  2. If necessary, select your Google Cloud project or organization.

  3. Click Mute options, and then select Create mute rule.

  4. Enter a Mute rule ID. This value is required.

  5. Enter a Mute rule description that provides context for why findings are muted. This value is optional but recommended.

  6. Confirm the scope of the mute rule by checking the Parent resource value.

  7. In the Findings query field, build your query statements by clicking Add filter. Alternatively, you can type in the query statements manually.

    1. In the Select filter dialog, select Finding > Source display name > VM Manager.

    2. Click Apply.

    3. Repeat until the mute query contains all attributes that you want to hide.

    For example, if you want to hide specific CVE IDs in the VM Manager vulnerability findings, select Vulnerability > CVE ID, and then select the CVE IDs that you want to hide.

    The finding query looks similar to the following (screenshot: Mute VM Manager findings).

  8. Click Preview matching findings.

    A table displays findings that match your query.

  9. Click Save.
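As an added example (not part of the Security Command Center documentation), the following Python script performs the triage behind the remediation steps and the mute-rule procedure above: it keeps only VM Manager OS_VULNERABILITY records, groups them per VM by the externalUri shown in the finding JSON so the worst-affected instances come first for patch jobs, and builds a mute query for a chosen set of CVE IDs. The sample findings are constructed, and the `parent_display_name` / `vulnerability.cve.id` filter field names are assumptions about the query the console's Add filter dialog generates.

```python
"""Triage VM Manager OS_VULNERABILITY findings and build a mute-rule filter (added example)."""
import re
from collections import defaultdict

# VM Manager findings are only ever CRITICAL or HIGH; rank them for sorting.
SEVERITY_RANK = {"CRITICAL": 2, "HIGH": 1}
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample records shaped like a finding's JSON tab; the CVE IDs and
# instance names are placeholders, not real vulnerabilities or real VMs.
OS_INFO = "https://console.cloud.google.com/compute/instancesDetail/zones/us-central1-a/instances/{}/os"
SAMPLE_FINDINGS = [
    {"category": "OS_VULNERABILITY", "severity": "HIGH", "parentDisplayName": "VM Manager",
     "externalUri": OS_INFO.format("web-1"), "vulnerability": {"cve": {"id": "CVE-0000-0001"}}},
    {"category": "OS_VULNERABILITY", "severity": "CRITICAL", "parentDisplayName": "VM Manager",
     "externalUri": OS_INFO.format("web-1"), "vulnerability": {"cve": {"id": "CVE-0000-0002"}}},
    {"category": "OS_VULNERABILITY", "severity": "HIGH", "parentDisplayName": "VM Manager",
     "externalUri": OS_INFO.format("db-1"), "vulnerability": {"cve": {"id": "CVE-0000-0001"}}},
    # A finding from another source must be ignored by the VM Manager triage.
    {"category": "PUBLIC_BUCKET_ACL", "severity": "HIGH",
     "parentDisplayName": "Security Health Analytics",
     "externalUri": "https://console.cloud.google.com/storage/browser/example-bucket"},
]

def vm_manager_findings(findings):
    """Keep only OS_VULNERABILITY findings whose source display name is VM Manager."""
    return [f for f in findings
            if f.get("parentDisplayName") == "VM Manager"
            and f.get("category") == "OS_VULNERABILITY"]

def group_by_vm(findings):
    """Collapse per-CVE findings into one patch target per VM, worst severity first."""
    by_vm = defaultdict(lambda: {"severity": "HIGH", "cves": set()})
    for f in findings:
        entry = by_vm[f["externalUri"]]  # the OS info page URI identifies the VM
        entry["cves"].add(f["vulnerability"]["cve"]["id"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
    result = [{"os_info_uri": uri, "severity": e["severity"], "cves": sorted(e["cves"])}
              for uri, e in by_vm.items()]
    return sorted(result, key=lambda e: (-SEVERITY_RANK[e["severity"]], e["os_info_uri"]))

def build_mute_filter(cve_ids):
    """Build a mute-rule query scoped to VM Manager and the given CVE IDs.
    Field names are an assumption; compare with the query the console generates."""
    ids = sorted(set(cve_ids))
    if not ids:
        raise ValueError("at least one CVE ID is required")
    bad = [c for c in ids if not CVE_ID.match(c)]
    if bad:
        raise ValueError(f"malformed CVE IDs: {bad}")  # avoid an over-broad or broken query
    cve_clause = " OR ".join(f'vulnerability.cve.id="{c}"' for c in ids)
    return f'parent_display_name="VM Manager" AND ({cve_clause})'

if __name__ == "__main__":
    for target in group_by_vm(vm_manager_findings(SAMPLE_FINDINGS)):
        print(target["severity"], target["os_info_uri"], ", ".join(target["cves"]))
    print(build_mute_filter(["CVE-0000-0001"]))
```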

Sensitive Data Protection

This section describes the vulnerability findings that Sensitive Data Protection generates, what compliance standards they support, and how to remediate the findings.

Sensitive Data Protection also sends observational findings to Security Command Center. For more information about the observation findings and Sensitive Data Protection, see Sensitive Data Protection.

For information about how to view the findings, see Review Sensitive Data Protection findings in the Google Cloud console.

The Sensitive Data Protection discovery service helps you determine whether you are storing highly sensitive data that is not protected.


Public sensitive data

Category name in the API:

PUBLIC_SENSITIVE_DATA

Finding description: The specified resource has high-sensitivity data that can be accessed by anyone on the internet.

Supported assets:

  • bigquery.googleapis.com/Dataset
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket
  • Amazon S3 bucket

Remediation:

For Google Cloud data, remove allUsers and allAuthenticatedUsers from the data asset's IAM policy.

For Amazon S3 data, configure block public access settings or update the object's ACL to deny public read access.

Compliance standards: Not mapped

Secrets in environment variables

Category name in the API:

SECRETS_IN_ENVIRONMENT_VARIABLES

Finding description: There are secrets—such as passwords, authentication tokens, and Google Cloud credentials—in environment variables.

To enable this detector, see Report secrets in environment variables to Security Command Center in the Sensitive Data Protection documentation.

Supported assets:

Remediation:

For Cloud Run functions environment variables, remove the secret from the environment variable and store it in Secret Manager instead.

For Cloud Run service revision environment variables, move all traffic off of the revision, and then delete the revision.

Compliance standards:

  • CIS GCP Foundation 1.3: 1.18
  • CIS GCP Foundation 2.0: 1.18

Secrets in storage

Category name in the API:

SECRETS_IN_STORAGE

Finding description: There are secrets—such as passwords, authentication tokens, and cloud credentials—in the specified resource.

Supported assets:

  • bigquery.googleapis.com/Dataset
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket
  • Amazon S3 bucket

Remediation:

  1. For Google Cloud data, use Sensitive Data Protection to run a deep inspection scan of the specified resource to identify all affected resources. For Cloud SQL data, export that data to a CSV or AVRO file in a Cloud Storage bucket and run a deep inspection scan of the bucket.

    For Amazon S3 data, manually inspect the specified bucket.

  2. Remove the detected secrets.
  3. Consider resetting the credentials.
  4. For Google Cloud data, consider storing the detected secrets in Secret Manager instead.

Compliance standards: Not mapped

Policy Controller

Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters registered as fleet memberships. These policies act as guardrails and can help with best practices, security, and compliance management of your clusters and fleet.

This page doesn't list every individual Policy Controller finding; the Misconfiguration class findings that Policy Controller writes to Security Command Center are the same as the cluster violations documented for each Policy Controller bundle. Documentation for the individual Policy Controller finding types is in the following Policy Controller bundles:

This capability is not compatible with VPC Service Controls service perimeters around the Stackdriver API.

Finding and remediating Policy Controller findings

The Policy Controller categories correspond to the constraint names listed in the Policy Controller bundles documentation. For example, a require-namespace-network-policies finding indicates that a namespace violates the policy that every namespace in a cluster has a NetworkPolicy.

To remediate a finding, do the following:

Google Cloud console

  1. In the Google Cloud console, go to the Findings page of Security Command Center.

  2. Select your Google Cloud project or organization.
  3. In the Quick filters section, in the Source display name subsection, select Policy Controller On-Cluster. The findings query results are updated to show only the findings from this source.
  4. To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
  5. On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
  6. Optional: To view the full JSON definition of the finding, click the JSON tab.

Security Operations console

  1. In the Security Operations console, go to the Findings page:
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. In the Aggregations section, click to expand the Source Display Name subsection.
  3. Select Policy Controller On-Cluster. The findings query results are updated to show only the findings from this source.
  4. To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
  5. On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
  6. Optional: To view the full JSON definition of the finding, click the JSON tab.

What's next