Enable and use Vulnerability Assessment for AWS
This page describes how to set up and use the Vulnerability Assessment for Amazon Web Services (AWS) service.
To enable Vulnerability Assessment for AWS, you need to create an AWS IAM role on the AWS platform, enable the Vulnerability Assessment for AWS service in Security Command Center, and then deploy a CloudFormation template on AWS.
Before you begin
To enable the Vulnerability Assessment for AWS service, you need certain IAM permissions, and Security Command Center must be connected to AWS.
Roles and permissions
To complete the setup of the Vulnerability Assessment for AWS service, you need to be granted roles with the necessary permissions in both Google Cloud and AWS.
Google Cloud roles
Make sure that you have the following role or roles on the organization: Security Center Admin Editor (roles/securitycenter.adminEditor)
Check for the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
AWS roles
In Amazon Web Services (AWS), an AWS administrative user must create the AWS account that you need for enabling scans. You assign this role later when you install the CloudFormation template on AWS.
To create a role for Vulnerability Assessment in AWS, follow the steps in Create a role for an AWS service (console).
Note the following:
- For service or use case, select Lambda.
- Add the following permission policies:
  - AmazonSSMManagedInstanceCore
  - AWSLambdaBasicExecutionRole
  - AWSLambdaVPCAccessExecutionRole
- Create a permission policy for the AWS role:
  - Follow the instructions to modify and copy the permissions policy: Role policy for Vulnerability Assessment for AWS and VM Threat Detection.
  - Enter the policy into the JSON editor in AWS.
- For trust relationships, add the following JSON entry to any existing statement array:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1 or replace with a unique statementId",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
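As an added example (not from this page and not Google's or AWS's own tooling), the following Python merges that trust statement into a role's existing trust policy without duplicating an equivalent grant or reusing a Sid. The existing Lambda trust policy and the Sid value are constructed for illustration.

```python
import json

# Trust statement from this page: lets CloudFormation assume the role.
# The Sid here is a constructed value; any unique statement id will do.
CLOUDFORMATION_TRUST_STATEMENT = {
    "Sid": "AllowCloudFormationAssumeRole",
    "Effect": "Allow",
    "Principal": {"Service": "cloudformation.amazonaws.com"},
    "Action": "sts:AssumeRole",
}

# Constructed sample: the trust policy of a role created for the Lambda
# service, as it looks before the CloudFormation entry is added.
EXISTING_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

def actions(statement):
    """Normalise Action to a list: IAM accepts a string or an array."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)

def same_grant(a, b):
    """True when both statements give the same principal the same actions."""
    return (a.get("Effect") == b.get("Effect")
            and a.get("Principal") == b.get("Principal")
            and set(actions(a)) == set(actions(b)))

def add_cloudformation_trust(policy):
    """Copy of policy with the CloudFormation trust statement appended.
    Idempotent: no duplicate grant, and a colliding Sid gets a suffix."""
    merged = json.loads(json.dumps(policy))  # deep copy; input untouched
    statements = merged.setdefault("Statement", [])
    if isinstance(statements, dict):  # IAM allows a lone statement object
        statements = merged["Statement"] = [statements]
    if any(same_grant(s, CLOUDFORMATION_TRUST_STATEMENT) for s in statements):
        return merged
    new = dict(CLOUDFORMATION_TRUST_STATEMENT)
    used = {s.get("Sid") for s in statements}
    base, sid, n = new["Sid"], new["Sid"], 1
    while sid in used:
        n += 1
        sid = f"{base}{n}"
    new["Sid"] = sid
    statements.append(new)
    return merged
```

Paste `json.dumps(add_cloudformation_trust(current_policy), indent=2)` into the role's trust relationship editor; the Lambda grant stays, so the role remains usable by both services.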
Collect information about the AWS resources to be scanned
During the steps to enable Vulnerability Assessment for AWS, you can customize the configuration to scan specific AWS regions, specific tags that identify AWS resources, and specific hard disk drive (HDD) volumes (both SC1 and ST1).
It helps to have this information available before configuring Vulnerability Assessment for AWS.
Confirm Security Command Center is connected to AWS
The Vulnerability Assessment for AWS service requires access to the inventory of AWS resources that Cloud Asset Inventory maintains when Security Command Center is connected to AWS.
If a connection is not already established, you are required to set one up when you enable the Vulnerability Assessment for AWS service.
To set up a connection, see Connect to AWS for configuration and resource data collection.
Enable Vulnerability Assessment for AWS in Security Command Center
Vulnerability Assessment for AWS must be enabled on Google Cloud at the organization level.
- Go to the Risk overview page in Security Command Center.
- Select the organization you want to enable Vulnerability Assessment for AWS in.
- Click Settings.
- In the Vulnerability Assessment card, click Manage Settings. The Vulnerability Assessment page opens.
- Select the Amazon Web Services tab.
- In the Service enablement section, change the Status field to Enable.
- In the AWS connector section, verify that the status displays AWS Connector added. If the status displays No AWS connector added, click Add AWS connector. Complete the steps in Connect to AWS for configuration and resource data collection before you go to the next step.
- Configure the Scan settings for AWS compute and storage. To change the default configuration, click Edit scan settings. For information about each option, see Customize scan settings for AWS compute and storage.
- If you have already enabled VM Threat Detection for AWS and have deployed the CloudFormation template as part of that feature, then skip this step. In the Scan settings section, click Download CloudFormation template. A JSON template downloads to your workstation. You need to deploy the template in each AWS account that you need to scan for vulnerabilities.
Customize scan settings for AWS compute and storage
This section describes options available to customize the scan of AWS resources. These custom options are under the Scan settings for AWS compute and storage section when editing a Vulnerability Assessment for AWS scan.
You can define a maximum of 50 AWS tags and Amazon EC2 instance IDs. Changes to scan settings don't affect the AWS CloudFormation template. You don't need to redeploy the template. If a tag or instance ID value is not correct (for example, the value is misspelled) and the resource specified does not exist, the value is ignored during the scan.

| Option | Description |
|---|---|
| Scan interval | Enter the number of hours between each scan. Valid values range from 6 to 24. The default value is 6. More frequent scans may cause an increase in resource usage and possibly an increase in billing charges. |
| AWS regions | Choose a subset of regions to include in vulnerability assessment scanning. Only instances from the selected regions are scanned. Select one or more AWS regions to be included in the scan. If you configured specific regions in the Amazon Web Services (AWS) connector, make sure the regions selected here are the same, or a subset of, those defined when you configured the connection to AWS. |
| AWS tags | Specify tags that identify the subset of instances that are scanned. Only instances with these tags are scanned. Enter the key-value pair for each tag. If an invalid tag is specified, it will be ignored. You can specify a maximum of 50 tags. For more information about tags, see Tag your Amazon EC2 resources and Add and remove tags for Amazon EC2 resources. |
| Exclude by Instance ID | Exclude EC2 instances from each scan by specifying the EC2 instance ID. You can specify a maximum of 50 instance IDs. If invalid values are specified, they will be ignored. If you define multiple instance IDs, they are combined using the |
| Scan SC1 instance | Select Scan SC1 instance to include these instances. SC1 instances are excluded by default. Learn more about SC1 instances. |
| Scan ST1 instance | Select Scan ST1 instance to include these instances. ST1 instances are excluded by default. Learn more about ST1 instances. |
| Scan Elastic Container Registry (ECR) | Select Scan Elastic Container Registry instance to scan container images stored in ECR and their installed packages. Learn more about Elastic Container Registry. |
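As an added example (not part of this page or of Security Command Center), the following Python checks a proposed scan configuration against the limits in the table before you save it, including that the chosen regions are a subset of those enabled on the AWS connector. Because a misspelled tag or instance ID is silently ignored by the scan, a typo in a tag shrinks scan coverage and a typo in an exclusion leaves the instance scanned, so catching both up front is worthwhile. The settings dict layout is constructed for this example, and the EC2 instance ID pattern and AWS tag length limits are assumptions from general AWS usage.

```python
import re

# Limits stated on this page for "Scan settings for AWS compute and storage".
MIN_INTERVAL_HOURS, MAX_INTERVAL_HOURS, DEFAULT_INTERVAL_HOURS = 6, 24, 6
MAX_TAGS = 50
MAX_EXCLUDED_INSTANCE_IDS = 50
# Assumed EC2 instance ID format: "i-" followed by 8 or 17 hex digits.
INSTANCE_ID_RE = re.compile(r"i-[0-9a-f]{8}(?:[0-9a-f]{9})?")

def validate_scan_settings(settings, connector_regions):
    """Return a list of problems; an empty list means the settings pass.

    settings keys (all optional, constructed layout): interval_hours,
    regions, tags (dict of key -> value), exclude_instance_ids (list).
    connector_regions are the regions enabled on the AWS connector.
    """
    problems = []
    interval = settings.get("interval_hours", DEFAULT_INTERVAL_HOURS)
    if not isinstance(interval, int) or not (MIN_INTERVAL_HOURS <= interval <= MAX_INTERVAL_HOURS):
        problems.append(f"scan interval {interval!r} is not between "
                        f"{MIN_INTERVAL_HOURS} and {MAX_INTERVAL_HOURS} hours")
    # Regions must be the same as, or a subset of, the connector's regions.
    outside = set(settings.get("regions", [])) - set(connector_regions)
    if outside:
        problems.append("regions not enabled on the AWS connector: "
                        + ", ".join(sorted(outside)))
    tags = settings.get("tags", {})
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceed the limit of {MAX_TAGS}")
    # Assumed AWS limits: key 1-128 characters, value 0-256 characters.
    bad_tags = [k for k, v in tags.items()
                if not (isinstance(k, str) and isinstance(v, str)
                        and 1 <= len(k) <= 128 and len(v) <= 256)]
    if bad_tags:
        problems.append("tags outside AWS key/value length limits: "
                        + ", ".join(repr(k) for k in sorted(bad_tags)))
    ids = settings.get("exclude_instance_ids", [])
    if len(ids) > MAX_EXCLUDED_INSTANCE_IDS:
        problems.append(f"{len(ids)} excluded instance IDs exceed the limit "
                        f"of {MAX_EXCLUDED_INSTANCE_IDS}")
    # A malformed ID would be ignored, so the instance would still be scanned.
    malformed = [i for i in ids if not INSTANCE_ID_RE.fullmatch(str(i))]
    if malformed:
        problems.append("malformed instance IDs: " + ", ".join(map(str, malformed)))
    return problems
```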
Deploy the AWS CloudFormation template
Deploy the CloudFormation template at least six hours after creating an AWS connector.
For detailed information about how to deploy a CloudFormation template, see Create a stack from the CloudFormation console in the AWS documentation.
Keep the following in mind:
- After the CloudFormation template is uploaded, enter a unique stack name. Don't modify any other parameters in the template.
- For Permissions in the stack options, select the AWS role that you created previously.
- After you deploy the CloudFormation template, the stack takes a few minutes to start running.
The status of the deployment is displayed in the AWS console. If the CloudFormation template fails to deploy, see Troubleshooting.
Note: If you disable Vulnerability Assessment and enable it again later, you might need to perform these steps again.
After scans start running, if any vulnerabilities are detected, the corresponding findings are generated and displayed on the Security Command Center Findings page in the Google Cloud console.
Review findings in the console
You can view Vulnerability Assessment for AWS findings in the Google Cloud console. The minimum IAM role that is required to view findings is Security Center Findings Viewer (roles/securitycenter.findingsViewer).
To review Vulnerability Assessment for AWS findings in the Google Cloud console, follow these steps:
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Quick filters section, in the Source display name subsection, select EC2 Vulnerability Assessment. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and, if available, steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
Troubleshooting
If you enabled the Vulnerability Assessment service, but scans are not running, check the following:
- Check that the AWS connector is properly set up.
- Confirm that the CloudFormation template stack deployed completely. Its status in the AWS account should be CREATION_COMPLETE.
Last updated 2025-12-17 UTC.