Security Command Center uses predefined security graph rules to identify issues that could potentially compromise your resources.
The following table defines these rules:
Rule | Description |
---|---|
GCE Instance: High-risk CVE, access to high value resource via SA impersonation | A high-risk CVE has been detected on a Compute Engine instance that can impersonate a service account (SA) with access to a critical resource. This vulnerability increases the risk of privilege escalation and unauthorized access to sensitive data or systems. |
GCE Instance: High-risk CVE, access to resource with sensitive data via SA impersonation | A Compute Engine instance with a high-risk CVE has access to a resource containing sensitive data using service account (SA) impersonation. This vulnerability increases the risk of unauthorized data access, privilege escalation, and potential data breaches. |
GCE Instance: High-risk CVE, direct access to high value resource | A Compute Engine instance with a high-risk CVE has direct access to a high-value resource, increasing the likelihood of exploitation, unauthorized access, and data compromise. |
GCE Instance: High-risk CVE, direct access to resource with sensitive data | A Compute Engine instance with a high-risk CVE has direct access to a resource containing sensitive data. This vulnerability increases the risk of unauthorized access, data breaches, and privilege escalation. |
Externally Exposed GCE Instance: High-risk CVE, exploit available | A Compute Engine instance is externally exposed and affected by a high-risk CVE with a known exploit. This significantly increases the risk of remote attacks, unauthorized access, and system compromise. |
GCE Instance: High-risk CVE, ability to impersonate SA | A Compute Engine instance is affected by a high-risk CVE and has the ability to impersonate another service account (SA). This significantly increases the risk of privilege escalation, unauthorized access, and potential compromise of critical cloud resources. |
GCE Instance: High-risk CVE, excessive direct permissions | A Compute Engine instance with a high-risk CVE has excessive permissions granted directly on another resource, increasing the risk of unauthorized access, privilege escalation, and resource compromise. |
GCE Instance: High-risk CVE, excessive permissions via SA impersonation | A Compute Engine instance with a high-risk CVE has excessive permissions on another resource through service account (SA) impersonation, increasing the risk of privilege escalation and unauthorized access. |
Externally Exposed GKE Workload: High-risk CVE, exploit available | A Google Kubernetes Engine (GKE) workload is externally exposed and affected by a high-risk CVE with a known exploit. This significantly increases the risk of remote attacks, unauthorized access, and system compromise. |
GKE Node Pool: High-risk Bulletin, access to high value resource via SA impersonation | A GKE node pool affected by a high-risk security bulletin has the ability to impersonate a service account (SA) that grants access to a high-value resource. This increases the risk of privilege escalation, unauthorized access, and data compromise. |
GKE Node Pool: High-risk Bulletin, access to resource with sensitive data via SA impersonation | A GKE node pool affected by a high-risk security bulletin has the ability to impersonate a service account (SA) that grants access to a resource containing sensitive data. This increases the risk of unauthorized access, data breaches, and privilege escalation. |
GKE Node Pool: High-risk Bulletin, direct access to high value resource | A GKE node pool affected by a high-risk security bulletin has direct access to a high-value resource, increasing the risk of unauthorized access, privilege escalation, and potential data compromise. |
GKE Node Pool: High-risk Bulletin, direct access to resource with sensitive data | A GKE node pool affected by a high-risk security bulletin has direct access to a resource containing sensitive data, increasing the risk of unauthorized access, data breaches, and privilege escalation. |
Externally Exposed GKE Node Pool: High-risk Bulletin | A GKE node pool is externally exposed and affected by a high-risk security bulletin. This significantly increases the risk of remote attacks, unauthorized access, and system compromise. |
GKE Node Pool: High-risk Bulletin, ability to impersonate SA | There is a high-risk bulletin on a GKE node pool that has permissions to impersonate another service account (SA), increasing the risk of privilege escalation and unauthorized access to critical resources. |
GKE Node Pool: High-risk Bulletin, excessive direct permissions | There is a high-risk bulletin on a GKE node pool that has excessive permissions on another resource, granting it unintended access. This increases the risk of privilege escalation, unauthorized access, and data exposure. |
GKE Node Pool: High-risk Bulletin, excessive permissions via SA impersonation | There is a high-risk bulletin on a GKE node pool that has excessive permissions on another resource through service account (SA) impersonation, increasing the risk of privilege escalation and unauthorized access. |
Service account with unrotated key has excessive permissions | A service account is using a long-lived, unrotated key with excessive permissions, increasing the risk of credential compromise, unauthorized access, and privilege escalation. |
Service account with user-managed key has excessive permissions | A service account has one or more user-managed keys and excessive permissions. Because user-managed keys are long-lived credentials that can be copied or leaked, this increases the risk of credential leakage and privilege escalation. |
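The Compute Engine rules above all share one shape: a high-risk CVE on an instance, combined with a path from the instance's attached service account to a high-value or sensitive resource, either directly or through service account impersonation. The following Python is an added illustration of that path logic over a hand-built inventory; it is not Security Command Center code, calls no Google Cloud API, and every instance, service account and resource name in it is constructed for the example. The "excessive permissions" rules are left out because deciding what is excessive needs a permission baseline this page does not define.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Rule names copied from the table above.
RULE_EXPOSED_EXPLOIT = "Externally Exposed GCE Instance: High-risk CVE, exploit available"
RULE_IMPERSONATE = "GCE Instance: High-risk CVE, ability to impersonate SA"
RULE_DIRECT_HIGH_VALUE = "GCE Instance: High-risk CVE, direct access to high value resource"
RULE_DIRECT_SENSITIVE = "GCE Instance: High-risk CVE, direct access to resource with sensitive data"
RULE_IMP_HIGH_VALUE = "GCE Instance: High-risk CVE, access to high value resource via SA impersonation"
RULE_IMP_SENSITIVE = "GCE Instance: High-risk CVE, access to resource with sensitive data via SA impersonation"


@dataclass(frozen=True)
class Instance:
    name: str
    service_account: str           # SA attached to the VM (its metadata-server identity)
    high_risk_cve: bool = False
    exploit_available: bool = False
    externally_exposed: bool = False


@dataclass(frozen=True)
class Resource:
    name: str
    high_value: bool = False
    sensitive_data: bool = False


@dataclass
class Inventory:
    instances: Dict[str, Instance]
    resources: Dict[str, Resource]
    access: Dict[str, Set[str]]        # SA -> resources it has a direct IAM binding on
    impersonate: Dict[str, Set[str]]   # SA -> SAs it can mint tokens for (e.g. Token Creator)


Finding = Tuple[str, str, Optional[str]]   # (rule name, instance, target SA or resource)


def reachable_accounts(inv: Inventory, sa: str) -> Set[str]:
    """Every SA whose identity `sa` can obtain, following impersonation edges transitively."""
    seen: Set[str] = set()
    stack = [sa]
    while stack:
        cur = stack.pop()
        for nxt in inv.impersonate.get(cur, set()):
            if nxt != sa and nxt not in seen:   # self-impersonation adds nothing
                seen.add(nxt)
                stack.append(nxt)
    return seen


def evaluate(inv: Inventory) -> List[Finding]:
    """Apply the CVE + access-path rules from the table to every instance."""
    findings: List[Finding] = []
    for inst in inv.instances.values():
        if not inst.high_risk_cve:
            continue   # every rule modelled here requires a high-risk CVE on the instance
        if inst.externally_exposed and inst.exploit_available:
            findings.append((RULE_EXPOSED_EXPLOIT, inst.name, None))
        sa = inst.service_account
        # Direct path: the attached SA itself is bound on the resource.
        for res in sorted(inv.access.get(sa, set())):
            r = inv.resources[res]
            if r.high_value:
                findings.append((RULE_DIRECT_HIGH_VALUE, inst.name, res))
            if r.sensitive_data:
                findings.append((RULE_DIRECT_SENSITIVE, inst.name, res))
        # Indirect path: reach the resource through an SA the attached SA can impersonate.
        for other in sorted(reachable_accounts(inv, sa)):
            findings.append((RULE_IMPERSONATE, inst.name, other))
            for res in sorted(inv.access.get(other, set())):
                r = inv.resources[res]
                if r.high_value:
                    findings.append((RULE_IMP_HIGH_VALUE, inst.name, res))
                if r.sensitive_data:
                    findings.append((RULE_IMP_SENSITIVE, inst.name, res))
    return findings


def sample_inventory() -> Inventory:
    """Constructed inventory (no real project, accounts or resources) exercising each path shape."""
    return Inventory(
        instances={
            "web-01": Instance("web-01", "web-sa@example.iam", True, True, True),
            "batch-02": Instance("batch-02", "batch-sa@example.iam", True, False, False),
            "healthy-03": Instance("healthy-03", "admin-sa@example.iam", False, False, True),
        },
        resources={
            "logs-bucket": Resource("logs-bucket"),
            "customer-db": Resource("customer-db", sensitive_data=True),
            "prod-kms": Resource("prod-kms", high_value=True),
        },
        access={
            "web-sa@example.iam": {"logs-bucket"},
            "batch-sa@example.iam": {"customer-db"},
            "deploy-sa@example.iam": {"customer-db", "prod-kms"},
            "admin-sa@example.iam": {"prod-kms"},
        },
        impersonate={"web-sa@example.iam": {"deploy-sa@example.iam"}},
    )


if __name__ == "__main__":
    for rule, inst, target in evaluate(sample_inventory()):
        print(f"{rule} | {inst} | {target or '-'}")
```

In the constructed inventory, `web-01` never touches `customer-db` or `prod-kms` directly, yet it is flagged for both because its attached account can mint tokens for `deploy-sa`, which is why the table distinguishes "direct access" from "via SA impersonation". `healthy-03` has direct access to a high-value resource but no high-risk CVE, so nothing fires for it. The GKE node pool rules have the same shape, with the node pool's service account in place of the instance's and a high-risk security bulletin in place of the CVE.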