Standard-legacy, Standard, Premium, and Enterpriseservice tiers

Security Health Analytics is a managed service of Security Command Center that scansyour cloud environments for common misconfigurations that might expose youto attack.

Security Health Analytics is automatically enabled with new activations ofSecurity Command Center on the Standard-legacy, Premium, and Enterprise tiers.

Security Health Analytics features by tier

Standard-legacy, Standard, Premium, and Enterpriseservice tiers

The Security Health Analytics features that are available to you differ depending ontheservice tier at which Security Command Centeris enabled. You can view which findings are available with which tiers atSecurity Health Analytics findings.

Standard-legacy tier features

Standard-legacyservice tier

In the Standard-legacy tier, Security Health Analytics can detect only a basicgroup of medium-severity and high-severity vulnerabilities.

Standard tier features

Standardservice tier

If the Standard tier is newly activated in your organization, meaning theorganization was not migrated from the Standard-legacy tier, Security Health Analyticsisn't available.Use the Compliance ManagerSecurity Essentials frameworkandVulnerability Assessment for Google Cloud to scan your environment formisconfigurations and vulnerabilities that might expose you to attack.

If your organization was migrated from the Standard-legacy tier to theStandard tier, the following Security Health Analytics detectors are migrated toCompliance Manager controls in theSecurity Essentials framework:

• DATAPROC_IMAGE_OUTDATED
• LEGACY_AUTHORIZATION_ENABLED
• OPEN_CISCOSECURE_WEBSM_PORT
• OPEN_DIRECTORY_SERVICES_PORT
• OPEN_FIREWALL
• OPEN_RDP_PORT
• OPEN_SSH_PORT
• OPEN_TELNET_PORT
• PUBLIC_DATASET
• PUBLIC_IP_ADDRESS
• PUBLIC_SQL_INSTANCE
• SSL_NOT_ENFORCED
• WEB_UI_ENABLED

Security Health Analytics is enabled and all detectors continue to generate findings, butfindings created by the Security Health Analytics version of the migrated detectors arelabeled with the field-value identifier:launch_state="LAUNCH_STATE_DEPRECATED"and aren't displayed in some Google Cloud console pages.

Most SHA detectors have equivalent Compliance Manager controls. Formore information, seeMapping of Security Health Analytics detectors to cloud controls.

To view findings created by the Compliance Manager version of themigrated detectors, use the following:

• Findings page
• Compliance page>Monitor tab

To view the findings generated by the Security Health Analytics version of themigrated detectors, use the following:

• Findings page and remove thelaunch_state="LAUNCH_STATE_DEPRECATED"term from the query.
• LegacyVulnerabilities

The following detectors are not migrated to the Security Essentials frameworkin Compliance Manager:

• MFA_NOT_ENFORCED
• NON_ORG_IAM_MEMBER
• OPEN_GROUP_IAM_MEMBER
• PUBLIC_BUCKET_ACL
• PUBLIC_COMPUTE_IMAGE
• PUBLIC_LOG_BUCKET

You can enable these detectors in theSettings> Security Health Analytics> Modules tab.

To view findings created by these Security Health Analytics detectors, use the following:

• Findings page

• Risk Overview>All risk dashboard:

  • Top misconfigurations panel
  • Misconfigurations by date panel

Findings generated by these Security Health Analytics detectors don't appear on theCompliance page.

Premium tier features

Premiumservice tier

If the Premium tier is newly activated in your organization, meaning theorganization was not migrated from the Standard tier, Security Health Analytics includes thefollowing features:

• Alldetectorsfor Google Cloud, as well as a number of other vulnerabilitydetection features, such as the ability to create customdetection modules.
• Findings are mapped to compliance controls for compliance reporting.For more information, seeDetectors and compliance.
• Security Command Center attack path simulations calculate attackexposure scores and potential attack paths for most Security Health Analyticsfindings. For more information, seeOverview of attack exposure scores and attack paths.

If your organization was upgraded from the Standard tier to the Premium tier,seeSwitching tiers for information about the modified set ofSecurity Health Analytics detector capabilities.

Enterprise tier features

Enterpriseservice tier

If the Enterprise tier is newly activated in your organization, meaning theorganization was not migrated from the Standard tier, Security Health Analytics includes allthe Premium tier features, as well as detectors for other cloud service provider platforms.

If your organization was upgraded from the Standard tier to the Premium tier,seeSwitching tiers for information about the modifiedset of Security Health Analytics detector capabilities.

Switching tiers

Standard-legacy, Standard, Premium, and Enterpriseservice tiers

Security Command Center in the Premium tier and Enterprise tiers has moredetectors than in the Standard-legacy tier. If you are using thePremium or Enterprise tier and plan to downgrade to the Standard orStandard-legacy tier, we recommend that you resolve all findings beforechanging your tier.

When a Premium or Enterprise trial ends, or you downgrade from one of these tiersto the Standard or Standard-legacy tier, the state of the findings that weregenerated at the higher tier is set toINACTIVE.

If your organization didn't have Security Command Center and wasautomatically activated with the Standard tier,then you upgraded to the Premium or Enterprise tier, use theSecurity Essentials framework inCompliance Managerto configure detections.

If your organization was migrated to the Standard tier from the Standard-legacytier, and then you upgraded to the Premium or Enterprise tier, you cannotenable Premium or Enterprise tier Security Health Analytics detectors. Use theCompliance Managerframeworks available with Premium and Enterprise tiers to configure detections.

Most of the Security Health Analytics detectors in the Premium and Enterprise tier are migratedto the Security Essentials framework in Compliance Manager.

For more information about Compliance Manager frameworks and cloudcontrols, seeCompliance Manager frameworks.

For information about how Security Health Analytics detectors map to Compliance Managercloud controls, seeMapping of Security Health Analytics} detectors to cloud controls.

Multicloud support

Enterpriseservice tier

Security Health Analytics can detect misconfigurations in your deploymentson other cloud platforms.

Security Health Analytics supports the following other cloud service providers:

• Amazon Web Services (AWS):To run the detectors on AWS data, you first need to connect Security Command Centerto AWS, as described inConnect to AWS for configuration and resource data collection.

• Microsoft Azure: To run the detectors on Microsoft Azure data, you first need to connect Security Command Centerto Microsoft Azure, as described inConnect to Microsoft Azure for vulnerability detection and risk assessment.

Supported Google Cloud cloud services

Standard-legacy, Standard, Premium, and Enterpriseservice tiers

Security Health Analytics managed vulnerability assessment scanning for Google Cloudcan automatically detect common vulnerabilities and misconfigurations across the following Google Cloud services:

• Cloud Monitoring and Cloud Logging
• Compute Engine
• Google Kubernetes Engine containers and networks
• Cloud Storage
• Cloud SQL
• Identity and Access Management (IAM)
• Cloud Key Management Service (Cloud KMS)

Security Health Analytics scan types

Standard-legacy, Standard, Premium, and Enterpriseservice tiers

Security Health Analytics scans run in three modes:

• Batch scan: All detectors are scheduled to run for allenrolled organizations or projects once a day. For Security Command CenterStandard-legacy, the ingestion scan runs every 48 hours which can result in a findingupdate latency of 72 hours.

  Note: Batch scan schedules are performance objectives, notservice guarantees.

• Real-time scan: For Google Cloud deploymentsonly, supported detectors start scans whenevera change is detected in a resource's configuration. Findings arewritten to Security Command Center. Real-time scans are not supported fordeployments on other cloud platforms.

• Mixed-mode: Some detectors that support real-time scansmight not detect changes in real time for all supported resource types. Inthose cases, configuration changes for some resource types are capturedimmediately and others are captured in batch scans. Exceptions are notedin thetables of Security Health Analytics findings.

Security Health Analytics detector enablement

Standard-legacy, Standard, Premium, and Enterpriseservice tiers

Security Health Analytics usesdetectors to identify vulnerabilities andmisconfigurations in your cloud environment. Each detectorcorresponds to a finding category.

Security Health Analytics comes with many built-in detectors thatcheck for vulnerabilities and misconfigurations across a large number ofcategories and resource types.

For the Premium and Enterprise service tiers, you can also create yourown custom detectors that can check for vulnerabilities or misconfigurationsthat are not covered by the built-in detectors or that are specific to yourenvironment.

For more information about the built-in Security Health Analytics detectors, seeSecurity Health Analytics built-in detectors.

For more information about creating and using custom modules, seeSecurity Health Analytics custom modules.

Enable and disable detectors

Standard-legacy, Standard, Premium, and Enterpriseservice tiers

Not all Security Health Analytics built-in detectors are enabled by default.

To turn on inactive built-in detectors, seeEnable and disable detectors.

To enable or disable a Security Health Analytics custom detection module,you can update the custom module by using the Google Cloud console,the gcloud CLI, or the Security Command Center API.

For more information about updating Security Health Analytics custom modules, seeUpdate a custom module.

Built-in detectors and project-level activations

Standard-legacy and Premiumservice tiers

When you activate Security Command Center for a project only, certain built-inSecurity Health Analytics detectors are not supported because they requireorganization-level permissions.

Of the built-in detectors that require an organization-levelactivation, you can enable those that are available with the Standard-legacy tierof Security Command Center for project-level activations byenabling the Standard-legacy tier for your organization.

Built-in detectors that require both the Premium tier andorganization-level permissions are not supported with project-levelactivations.

For a list of the built-in Standard-legacy tier detectors that require anorganization-level activation of Security Command Center Standard-legacy before they can be used with a project-level activation, seeOrganization-level Standard tier finding categories.

For a list of built-in Premium tier detectors that aren't supported withproject-level activations, seeUnsupported Security Health Analytics findings.

Custom module detectors and project-level activations

Premiumservice tier

The scans of custom module detectors that you create in a project arelimited to the scope of the project, regardless of the activation level ofSecurity Command Center. Custom module detectors can scan only the resources thatare available to the project in which they are created.

For more information about custom modules, seeSecurity Health Analytics custom modules.

Security Health Analytics built-in detectors

Standard-legacy, Standard, Premium, and Enterpriseservice tiers

This section describes the high-level categories of the detectors,listed by cloud platform and the finding category that they generate.

Note: Not all detectors are enabled by default. To turn on inactive detectors, see Enable and disable detectors.

Built-in detectors for Google Cloud by high-level category

Standard-legacy, Standard, Premium, and Enterpriseservice tiers

The Security Health Analytics detectors for Google Cloud, and the findings thatthey generate, are grouped into the following high-level categories.

Security Health Analytics detectors monitor a subset of the Google Cloudresource types that are supported byCloud Asset Inventory.

To see the individual detectors that are includedin each category, click the category name.

• API key vulnerability findings
• Compute image vulnerability findings
• Compute instance vulnerability findings
• Container vulnerability findings
• Dataproc vulnerability findings
• Dataset vulnerability findings
• DNS vulnerability findings
• Firewall vulnerability findings
• IAM vulnerability findings
• KMS vulnerability findings
• Logging vulnerability findings
• Monitoring vulnerability findings
• Multi-factor authentication vulnerability findings
• Network vulnerability findings
• Organization policy vulnerability findings
• Pub/Sub vulnerability findings
• SQL vulnerability findings
• Storage vulnerability findings
• Subnetwork vulnerability findings

Built-in detectors for AWS

Enterpriseservice tier

For a list of all of the Security Health Analytics detectors for AWS, seeAWS findings.

Security Health Analytics custom modules

Premium and Enterpriseservice tiers

Security Health Analytics custom modules are custom detectors forGoogle Cloud that extend the detection capabilities ofSecurity Health Analytics beyond those provided by the built-in detectors.

Custom modules are not supported for other cloud platforms.

You can create custom modules by using the guided workflow in theGoogle Cloud console, or you can create the custom module definitionyourself in a YAML file and then upload it to Security Command Center byusing Google Cloud CLI commands or the Security Command Center API.

For more information, seeOverview of custom modules for Security Health Analytics.

Detectors and compliance

Premium and Enterpriseservice tiers

The Security Command Center measurement of compliance with security benchmarksis based in a large part on the findings produced by the Security Health Analyticsvulnerability detectors.

Security Health Analytics monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.

For each supported security standard, Security Health Analytics checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.

CIS reviews and certifies the mappings of Security Health Analytics detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Health Analytics adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.

With thesecurity posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.

WithCompliance Manager, you can deploy frameworks that map regulatory controls to cloud controls. After you create a framework, you can monitor for any changes to the environment that might affect your business's compliance and audit your environment.

For more information about managing compliance, seeAssess and report compliance with security standards.

Supported security standards

Note: These standards are supported if you have't enabled Compliance Manager. For information about the frameworks that you can use with Compliance Manager, see theCompliance Manager overview.

Google Cloud

Security Health Analytics maps detectors for Google Cloud to one or more of the following compliance standards:

• Center for Information Security (CIS) Controls 8.0
• CIS Google Cloud Computing Foundations Benchmark v2.0.0, v1.3.0, v1.2.0, v1.1.0, and v1.0.0
• CIS Kubernetes Benchmark v1.5.1
• Cloud Controls Matrix (CCM) 4
• Health Insurance Portability and Accountability Act (HIPAA)
• International Organization for Standardization (ISO) 27001, 2022 and 2013
• National Institute of Standards and Technology (NIST) 800-53 R5 and R4
• National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 1.0
• Open Web Application Security Project (OWASP) Top Ten, 2021 and 2017
• Payment Card Industry Data Security Standard (PCI DSS) 4.0 and 3.2.1
• System and Organization Controls (SOC) 2 2017 Trust Services Criteria (TSC)

AWS

In the Enterprise service tier, Security Health Analytics maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards:

• CIS Amazon Web Services Foundations 2.0.0
• CIS Critical Security Controls Version 8.0
• Cloud Controls Matrix (CCM) 4
• Health Insurance Portability and Accountability Act (HIPAA)
• International Organization for Standardization (ISO) 27001, 2022
• National Institute of Standards and Technology (NIST) 800-53 R5
• National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 1.0
• Payment Card Industry Data Security Standard (PCI DSS) 4.0 and 3.2.1
• System and Organization Controls (SOC) 2 2017 Trusted Services Criteria (TSC)

For more information about compliance, seeAssess and report security benchmark compliance.