Enable and use Vulnerability Assessment for Google Cloud
Vulnerability Assessment for Google Cloud helps you discover software vulnerabilities in Google Cloud resources without installing agents. The types of resources scanned depend on the Security Command Center service tier and include the following:
- Running Compute Engine VM instances
- Nodes in GKE Standard clusters
- Containers running in GKE Standard and GKE Autopilot clusters.
Vulnerability Assessment for Google Cloud works by cloning your VM instance disks, mounting them in another secure VM instance, and scanning them with SCALIBR. The VM instance clone has the following properties:
- It's created in the same region as the source VM instance.
- It's created in a Google-owned project, so it doesn't add to your costs.
Capability differences between service tiers
The following Vulnerability Assessment for Google Cloud capabilities vary depending on the service tier:
- The scanning frequency
- Which findings are enriched with Mandiant CVE assessment data
- The time until a finding is marked INACTIVE
See Findings generated by Vulnerability Assessment for Google Cloud for more information about these differences.
Limitations
Vulnerability Assessment for Google Cloud has the following limitations:
- It doesn't scan VM instances with persistent disks that are encrypted with customer-managed encryption keys (CMEK) and that have keys in a global location, or a multi-regional key in the same geographical location as the disk.
- It doesn't scan VM instances with persistent disks that are encrypted with customer-managed encryption keys (CMEK) and that have encryption keys inside projects in VPC Service Controls perimeters.
- It doesn't scan VM instances with persistent disks that are encrypted with customer-supplied encryption keys (CSEK).
- It scans only VFAT, EXT2, and EXT4 partitions.
- The Security Command Center service agent requires access to list project VM instances and clone their disks to Google-owned projects. Some security and policy configurations, such as organization policy constraints, can interfere with this access and prevent scans.
- It doesn't scan GKE clusters that have Image streaming enabled.
- Cluster labels are not consumed in the findings.
Considerations when upgrading and downgrading service tiers
When you switch service tiers, Vulnerability Assessment for Google Cloud capabilities change to those supported in the active service tier.
Findings generated by the previous activation remain active for the time defined by the previous service tier. For example, when you downgrade from the Premium tier to the Standard tier, findings generated on the Premium tier remain active for 25 hours, while new findings generated on the Standard tier remain active for 195 hours.
Before you begin
If you have VPC Service Controls perimeters set up, create the required egress and ingress rules.
Permissions to enable Vulnerability Assessment for Google Cloud
To enable Vulnerability Assessment for Google Cloud with a Standard tier activation, you need the following IAM roles:
- Security Center Admin (roles/securitycenter.admin)
- One of the following roles:
  - Security Admin (roles/iam.securityAdmin)
  - Organization Admin (roles/resourcemanager.organizationAdmin)
Service agents to scan disks
The Vulnerability Assessment for Google Cloud service uses Security Command Center service agents for identity and permission to access Google Cloud resources.
For organization-level activations of Security Command Center, Vulnerability Assessment for Google Cloud uses the following service agent:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
For project-level activations of Security Command Center, Vulnerability Assessment for Google Cloud uses the following service agent:
service-project-PROJECT_NUMBER@security-center-api.iam.gserviceaccount.com
On the Premium and Enterprise tiers, Vulnerability Assessment for Google Cloud is automatically enabled for all VM instances where possible.
On the Standard tier, you must manually enable Vulnerability Assessment for Google Cloud at the organization, folder, or project level.
To change Vulnerability Assessment for Google Cloud settings, do the following:
- In the Google Cloud console, go to the Risk Overview page.
- Select an organization in which to enable Vulnerability Assessment for Google Cloud.
- Click Settings.
- In the Vulnerability Assessment section, click Manage settings.
- In the Google Cloud tab, enable or disable Vulnerability Assessment for Google Cloud at the organization, folder, or project level from the Agentless Vulnerability Assessment column. Lower levels can inherit the value from higher levels.
Scan disks encrypted with CMEK
To allow Vulnerability Assessment for Google Cloud to scan disks encrypted with CMEK, you must grant the Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) role to the following service agents:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
service-PROJECT_ID@compute-system.iam.gserviceaccount.com
If you have the following service agent, you must also grant the role to that service agent:
service-org-ORGANIZATION_ID@ctd-ia-org-sa-prod.iam.gserviceaccount.com
Configure key-level permissions
- Navigate to the Security > Key Management page.
- Select the key ring containing the key.
- Select the key.
- In the info panel, click Permissions.
- In the New principals field, enter the service agent name.
- In the Select a role menu, select Cloud KMS CryptoKey Encrypter/Decrypter.
- Click Save.
Configure project-level key permissions
- Go to IAM & Admin > IAM.
- Click Grant access.
- In the New principals field, enter the service agent name.
- In the Select a role menu, select Cloud KMS CryptoKey Encrypter/Decrypter.
For the scans to run correctly, the key must be in the same region as the disk.
Vulnerability Assessment for Google Cloud attempts to scan disks encrypted using CMEK. If you don't grant the required permissions, Google Cloud generates the following error in the audit log: Cloud KMS error when using key.
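The CMEK procedure above has two parts that are easy to get wrong: the exact set of service agents that need the role, and the requirement that the key live in the same region as the disk (a global or multi-regional key is never accepted). The following script is an added example, not Google's code or part of this documentation. It builds the member list from the service agent names given above, checks the key location against the disk's zone before touching IAM, and then adds the binding through the google-cloud-kms client library. The organization ID, project ID, key name and zone are placeholders supplied on the command line; the PROJECT_ID placeholder in the Compute Engine service agent name is used exactly as the page writes it.

```python
"""Grant roles/cloudkms.cryptoKeyEncrypterDecrypter on a CMEK key to the
service agents Vulnerability Assessment for Google Cloud uses.

Added example (not Google's code). Service agent names and the role come from
the page; every ID, key name and zone is a placeholder passed by the caller.
"""
from __future__ import annotations

import re
import sys

ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

# projects/P/locations/L/keyRings/R/cryptoKeys/K
KEY_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def required_members(org_id: str, project_id: str, has_ctd_agent: bool = False) -> list[str]:
    """IAM members that must hold ROLE on the key, per the page's list.

    The ctd-ia-org-sa-prod agent is only needed when it exists in your
    organization, hence the flag.
    """
    members = [
        f"serviceAccount:service-org-{org_id}@security-center-api.iam.gserviceaccount.com",
        f"serviceAccount:service-{project_id}@compute-system.iam.gserviceaccount.com",
    ]
    if has_ctd_agent:
        members.append(
            f"serviceAccount:service-org-{org_id}@ctd-ia-org-sa-prod.iam.gserviceaccount.com"
        )
    return members


def key_location(key_name: str) -> str:
    """Extract the location segment from a CryptoKey resource name."""
    match = KEY_NAME_RE.match(key_name)
    if not match:
        raise ValueError(f"not a CryptoKey resource name: {key_name}")
    return match.group("location")


def disk_region(zone_or_region: str) -> str:
    """'us-central1-a' (zonal disk) -> 'us-central1'; a region name is returned unchanged."""
    parts = zone_or_region.split("-")
    return "-".join(parts[:2]) if len(parts) == 3 else zone_or_region


def scannable_key(key_name: str, disk_zone: str) -> tuple[bool, str]:
    """Apply the page's constraint: the key must be in the same region as the disk.

    'global' and multi-regional locations (for example 'us') never equal a
    disk region, so they fail this check, matching the page's limitations.
    """
    location = key_location(key_name)
    region = disk_region(disk_zone)
    if location == region:
        return True, f"key and disk are both in {region}"
    return False, f"key location {location!r} differs from disk region {region!r}"


def grant_role(key_name: str, members: list[str]) -> None:
    """Add (or extend) the ROLE binding on the key via the Cloud KMS API.

    Imported lazily so the pure helpers above run without credentials or the
    google-cloud-kms package installed.
    """
    from google.cloud import kms  # assumed installed: pip install google-cloud-kms

    client = kms.KeyManagementServiceClient()
    policy = client.get_iam_policy(request={"resource": key_name})
    binding = next((b for b in policy.bindings if b.role == ROLE), None)
    if binding is None:
        policy.bindings.add(role=ROLE, members=list(members))
    else:
        for member in members:
            if member not in binding.members:
                binding.members.append(member)
    client.set_iam_policy(request={"resource": key_name, "policy": policy})


if __name__ == "__main__":
    # usage: python grant_va_cmek.py KEY_NAME DISK_ZONE ORGANIZATION_ID PROJECT_ID [--ctd]
    key, zone, org, project = sys.argv[1:5]
    ok, reason = scannable_key(key, zone)
    if not ok:
        sys.exit(f"refusing to bind: {reason}; scans would still fail")
    grant_role(key, required_members(org, project, has_ctd_agent="--ctd" in sys.argv))
    print("binding applied:", reason)
```

The location check runs before any IAM change so that a misplaced key is reported as the real cause rather than discovered later through the audit-log error quoted above.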
Findings generated by Vulnerability Assessment for Google Cloud
The Vulnerability Assessment for Google Cloud service generates a finding in Security Command Center when it detects the following, which varies by service tier:
- Software vulnerabilities on a Compute Engine VM instance.
- Software vulnerabilities on nodes in a GKE cluster or containers running on GKE.
- Container image vulnerabilities on the following resources:
  - GKE Pods
  - App Engine services
  - Cloud Run services and jobs
The frequency of scans varies by service tier:
| Standard tier | Premium and Enterprise tiers |
|---|---|
| One time a week | Approximately every 12 hours |
Vulnerability Assessment for Google Cloud publishes findings with the following severities, which vary by service tier:
| Standard tier | Premium and Enterprise tiers |
|---|---|
| Critical severity findings | Critical and High severity findings |
When Vulnerability Assessment for Google Cloud creates a finding, it remains in the ACTIVE state for the following active state period, which varies by service tier:
| Standard tier | Premium and Enterprise tiers |
|---|---|
| 195 hours | 25 hours |
If Vulnerability Assessment for Google Cloud detects the finding again within the active state period (based on the service tier), the counter resets, and the finding stays in the ACTIVE state for another active state period.
If Vulnerability Assessment for Google Cloud doesn't detect the finding again within the active state period (based on the service tier), Vulnerability Assessment for Google Cloud sets the finding to INACTIVE.
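The active-state rules above, together with the tier-change behaviour described under "Considerations when upgrading and downgrading service tiers", determine how long a finding stays ACTIVE after its last detection. The following model is an added example, not Google's code or part of this documentation: it takes the detection timestamps of one finding and the tier the finding was generated on, and reports when it expires and what state it is in at a given instant. The periods are the page's values; the timestamps are constructed sample data, and the helper names are this example's own.

```python
"""Model the ACTIVE/INACTIVE lifecycle of a Vulnerability Assessment for
Google Cloud finding.

Added example (not Google's code). Active periods are the page's values; the
detection timestamps are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Active-state period by the tier the finding was generated on (page's table).
ACTIVE_PERIOD = {
    "standard": timedelta(hours=195),
    "premium": timedelta(hours=25),
    "enterprise": timedelta(hours=25),
}


def active_period(tier: str) -> timedelta:
    """Look up the active-state period for a tier name (case-insensitive)."""
    try:
        return ACTIVE_PERIOD[tier.lower()]
    except KeyError:
        raise ValueError(f"unknown service tier: {tier}") from None


def expires_at(detections: list[datetime], tier: str) -> datetime:
    """Instant the finding is set to INACTIVE unless it is detected again first.

    Every detection inside the active period resets the counter, so the expiry
    is always the latest detection plus the period of the generating tier. A
    finding keeps that tier's period even after the organization changes tier.
    """
    if not detections:
        raise ValueError("a finding needs at least one detection")
    return max(detections) + active_period(tier)


def state_at(detections: list[datetime], tier: str, now: datetime) -> str:
    """ACTIVE, INACTIVE, or NONE (finding not created yet) at instant `now`."""
    seen = [d for d in detections if d <= now]
    if not seen:
        return "NONE"
    return "ACTIVE" if now < expires_at(seen, tier) else "INACTIVE"


# Constructed timeline: hour 0 is an arbitrary reference instant.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def H(hours: float) -> datetime:
    """Shorthand for 'hours after T0'."""
    return T0 + timedelta(hours=hours)


def downgrade_scenario() -> dict[str, str]:
    """Downgrade from Premium to Standard, checked 30 hours after both findings appeared.

    A finding generated on Premium and never re-detected expires after 25 h; a
    finding generated on Standard lasts 195 h; a Premium finding re-detected at
    20 h has its counter reset and is still ACTIVE at 30 h.
    """
    return {
        "premium_at_30h": state_at([H(0)], "premium", H(30)),
        "standard_at_30h": state_at([H(0)], "standard", H(30)),
        "premium_redetected_at_30h": state_at([H(0), H(20)], "premium", H(30)),
    }


if __name__ == "__main__":
    for name, state in downgrade_scenario().items():
        print(f"{name}: {state}")
```

The boundary is treated as exclusive: a finding is INACTIVE exactly at the end of its period, which is the conservative reading for anyone polling findings to decide whether a vulnerability is still confirmed present.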
Information available in findings
Findings contain the following common information:
- A description of the vulnerability, including the following information:
- The software package containing the vulnerability and its location
- Information from the associated CVE record
- An assessment from Security Command Center of the severity of the vulnerability
- If available, steps to fix the issue, including the patch or version upgrade to address the vulnerability
- The following property values:
  - Class: Vulnerability
  - Cloud service provider: Google Cloud
  - Source: Vulnerability Assessment
  - Category: One of the following values: Container Image Vulnerability, OS vulnerability, Software vulnerability
Certain findings, which vary by service tier, are enriched with information about the impact and exploitability of a CVE using Mandiant CVE assessments.
| Standard tier | Premium and Enterprise tiers |
|---|---|
| CVEs that have a Critical severity include Mandiant assessment information | CVEs that have a Critical or High severity include Mandiant assessment information |
Findings generated on the Premium and Enterprise service tiers include the following information:
- An attack exposure score which helps you prioritize remediation.
- A visual representation of the path an attacker might take to high-value resources exposed by the vulnerability.
Findings for detected software vulnerabilities
Findings for detected software vulnerabilities contain the following additional information:
- The full resource name of the affected VM instance or GKE cluster.
- Information about the affected object when the finding relates to a GKE workload, for example: CronJob, DaemonSet, Deployment, Job, Pod, ReplicationController, ReplicaSet, StatefulSet
Because Vulnerability Assessment for Google Cloud can identify the same vulnerability in multiple containers, Vulnerability Assessment for Google Cloud aggregates vulnerabilities at the GKE workload level or Pod level. In a finding, you might see multiple values in a single field, for example in the files.elem.path field.
Findings for detected container image vulnerabilities
Findings for detected container image vulnerabilities contain the following additional information:
- The full resource name of the container image
- Any runtime association related to the finding, if the vulnerable image runs on any of the following:
- GKE Pod
- App Engine
- Cloud Run Service and Revision
- Cloud Run Job and Execution
Findings retention
After they have been resolved, findings generated by Vulnerability Assessment for Google Cloud are retained for 7 days, after which they are deleted. Active Vulnerability Assessment for Google Cloud findings are retained indefinitely.
Package location
The file location of a vulnerability in a finding refers to either the binary or package metadata files. This information depends on the SCALIBR extractor that Vulnerability Assessment for Google Cloud uses. For vulnerabilities that Vulnerability Assessment for Google Cloud finds in a container, this is the path inside the container.
The following table shows examples of vulnerability locations for various SCALIBR extractors.
| SCALIBR extractor | Package location |
|---|---|
| Debian package (dpkg) | /var/lib/dpkg/status |
| Go binary | /usr/bin/google_osconfig_agent |
| Java archive | /opt/datadog-agent/embedded/lib/python3.9/site-packages/org.jpype.jar |
| PHP | /var/www/html/vkumark/backend_api/composer.lock |
| Python | /usr/lib/google-cloud-sdk/platform/bundledpythonunix/lib/python3.11/site-packages/cryptography-42.0.5.dist-info/METADATA |
| Ruby | /usr/lib/ruby/gems/2.7.0/specifications/default/benchmark-0.1.0.gemspec |
Review findings in the console
You can view Vulnerability Assessment for Google Cloud findings in the Google Cloud console. Before doing so, make sure you have the appropriate roles.
To review Vulnerability Assessment for Google Cloud findings in Google Cloud console, follow these steps:
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Quick filters section, in the Source display name subsection, select Vulnerability Assessment. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.