This page explains how to work with findings for security issues that are related to identity and access (identity and access findings) in the Google Cloud console to investigate and identify potential misconfigurations.
As part of the Cloud Infrastructure Entitlement Management (CIEM) capabilities offered with the Enterprise tier, Security Command Center generates identity and access findings and makes them readily accessible on the Security Command Center Risk Overview page. These findings are curated and categorized under the Identity and access findings pane.
Before you begin
Make sure you have completed the following tasks before continuing:
- Learn about Security Command Center's CIEM capabilities.
- Set up permissions for CIEM.
- Enable the CIEM detection service for AWS.
View a summary of identity and access findings
The Identity and access findings pane on the Security Command Center Risk Overview page provides a high-level look at the top identity and access findings across your cloud environments, such as Google Cloud and Amazon Web Services (AWS). The pane consists of a table that organizes the findings across three columns:
- Severity: The finding
severity is a
general indicator of how important it is to remediate the finding category,
which can be classified as
Critical,High,Medium, orLow. - Finding category: The type of identity and access misconfiguration found.
- Total findings: The total number of identity and access misconfigurations found in a category at a given severity classification.
To navigate the findings on the pane, you can sort them by severity, finding category, or number of total findings by clicking the respective header. You can also modify the number of rows the pane displays (up to 200) and navigate between pages using the navigation arrows at the bottom of the table.
You can click a category title or its corresponding total findings number to inspect specific findings in more detail on the Security Command Center Findings page. For more information, see Inspect identity and access findings in detail.
The following components below the findings table help provide additional context to your identity and access findings:
- The Sources label indicates the source that Security Command Center is ingesting data from to produce the findings. The identity and access findings can apply to both Google Cloud and AWS environments. Security Command Center only displays identity and access findings for AWS if you've connected an AWS instance and configured AWS log ingestion for CIEM.
- The View all identity and access findings link lets you navigate to the Security Command Center Findings page to view all detected identity and access misconfigurations regardless of category or severity.
- The Review access with Policy Analyzer link provides quick access to the Policy Analyzer tool, which lets you see who has access to what resources based on your IAM allow policies.
View identity and access findings on the Findings page
The Identity and access findings pane offers multiple entry points to the Security Command Center Findings page to inspect identity and access findings in detail:
- Click any finding name under Finding category or its total findings number under Total findings to automatically query for that particular finding category and severity rating.
- Click View all identity and access findings to query all the findings in no particular order.
Security Command Center preselects certain quick filters that create a findings query specifically for identity and access misconfigurations. The quick filter options change based on whether you query one or all identity and access findings. You can edit these queries as necessary. The particular quick filter categories and options that are of interest for CIEM purposes include:
- Category: Filters to query the results for specific finding categories that you want to learn more about. The quick filter options listed in this category change based on whether you query one or all identity and access findings.
- Project ID: Filters to query the results for findings that relate to a specific project.
- Resource type: Filters to query the results for findings that relate to a specific resource type.
- Severity: Filters to query the results for findings of a specific severity.
- Source display name: Filters to query the results for findings detected by a specific service that detected the misconfiguration.
- Cloud provider: Filters to query the results for findings that come from a specific cloud platform.
The Findings query results panel consists of several columns that provide details about the finding. Among them, the following columns are of interest for CIEM purposes:
- Severity: Displays the severity of a given finding to help you prioritize remediation.
- Resource display name: Displays the resource where the finding was detected.
- Source display name: Displays the service that detected the finding. Sources that produce identity-related findings include CIEM, IAM recommender, and Security Health Analytics.
- Cloud provider: Displays the cloud environment where the finding was detected, such as Google Cloud and AWS.
- Offending access grants: Displays a link to review the principals who were potentially granted inappropriate roles.
- Case ID: Displays the ID number of the case that is related to the finding.
For more information about working with findings, see Work with findings in the Google Cloud console.
Investigate identity and access findings for different cloud platforms
Security Command Center lets you investigate identity and access misconfiguration findings for your AWS and Google Cloud environments on the Security Command Center Findings page.
Many different Security Command Center detection services, such as CIEM, IAM recommender, and Security Health Analytics, generate CIEM-specific finding categories that detect potential identity and access security issues for your cloud platforms.
The Security Command Center CIEM detection service generates specific findings for your AWS environment, and the IAM recommender and Security Health Analytics detection services generate specific findings for your Google Cloud environment.
To view only findings detected by a specific service, select that service from the Source display name quick filters category. For example, if you want to view only findings detected by the CIEM detection service, select CIEM.
The following table describes all the findings that are considered part of Security Command Center's CIEM capabilities.
| Cloud platform | Finding category | Description | Source |
|---|---|---|---|
| AWS | Assumed identity has excessive permissions
(ASSUMED_IDENTITY_HAS_EXCESSIVE_PERMISSIONS) | Assumed IAM roles detected in your AWS environment with highly permissive policies. For more information, see CIEM findings. | CIEM |
| AWS | Group has excessive permissions
(GROUP_HAS_EXCESSIVE_PERMISSIONS) | IAM groups detected in your AWS environment with highly permissive policies. For more information, see CIEM findings. | CIEM |
| AWS | User has excessive permissions
(USER_HAS_EXCESSIVE_PERMISSIONS) | IAM users detected in your AWS environment with highly permissive policies. For more information, see CIEM findings. | CIEM |
| Google Cloud | MFA not enforced
(MFA_NOT_ENFORCED) | There are users who aren't using 2-Step Verification. For more information, see Multi-factor authentication findings. | Security Health Analytics |
| Google Cloud | Custom role not monitored
(CUSTOM_ROLE_NOT_MONITORED) | Log metrics and alerts aren't configured to monitor Custom Role changes. For more information, see Monitoring vulnerability findings. | Security Health Analytics |
| Google Cloud | KMS role separation
(KMS_ROLE_SEPARATION) | Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Primitive roles used
(PRIMITIVE_ROLES_USED) | A user has one of the
following basic roles: Owner (roles/owner),
Editor (roles/editor), or
Viewer (roles/viewer). For more information,
see IAM
vulnerability findings. | Security Health Analytics |
| Google Cloud | Redis role used on org
(REDIS_ROLE_USED_ON_ORG) | A Redis IAM role is assigned at the organization or folder level. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Service account role separation
(SERVICE_ACCOUNT_ROLE_SEPARATION) | A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Non org IAM member
(NON_ORG_IAM_MEMBER) | There is a user who isn't using organizational credentials. Per CIS Google Cloud Foundations 1.0, only identities with @gmail.com email addresses trigger this detector. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Open group IAM member
(OPEN_GROUP_IAM_MEMBER) | A Google Groups account that can be joined without approval is used as an IAM allow policy principal. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Unused IAM role
(UNUSED_IAM_ROLE) | IAM recommender detected a user account that has an IAM role that has not been used in the last 90 days. For more information, see IAM recommender findings. | IAM recommender |
| Google Cloud | IAM role has excessive permissions
(IAM_ROLE_HAS_EXCESSIVE_PERMISSIONS) | IAM recommender detected a service account that has one or more IAM roles that give excessive permissions to the user account. For more information, see IAM recommender findings. | IAM recommender |
| Google Cloud | Service agent role replaced with basic
role
(SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE) |
IAM recommender detected that the original default IAM role granted to a service agent was replaced with one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and shouldn't be granted to service agents. For more information, see IAM recommender findings. | IAM recommender |
| Google Cloud | Service agent granted basic role
(SERVICE_AGENT_GRANTED_BASIC_ROLE) | IAM recommender detected IAM that a service agent was granted one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and shouldn't be granted to service agents. For more information, see IAM recommender findings. | IAM recommender |
| Google Cloud | Admin service account
(ADMIN_SERVICE_ACCOUNT) | A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Default service account used
(DEFAULT_SERVICE_ACCOUNT_USED) | An instance is configured to use the default service account. For more information, see Compute instance vulnerability findings. | Security Health Analytics |
| Google Cloud | Over privileged account
(OVER_PRIVILEGED_ACCOUNT) | A service account has overly broad project access in a cluster. For more information, see Container vulnerability findings. | Security Health Analytics |
| Google Cloud | Over privileged service account
user (OVER_PRIVILEGED_SERVICE_ACCOUNT_USER) | A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Service account key not rotated
(SERVICE_ACCOUNT_KEY_NOT_ROTATED) | A service account key hasn't been rotated for more than 90 days. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Over privileged scopes
(OVER_PRIVILEGED_SCOPES) | A node service account has broad access scopes. For more information, see Container vulnerability findings. | Security Health Analytics |
| Google Cloud | KMS public key
(KMS_PUBLIC_KEY) | A Cloud KMS cryptographic key is publicly accessible. For more information, see KMS vulnerability findings. | Security Health Analytics |
| Google Cloud | Public bucket ACL
(PUBLIC_BUCKET_ACL) | A Cloud Storage bucket is publicly accessible. For more information, see Storage vulnerability findings. | Security Health Analytics |
| Google Cloud | Public log bucket
(PUBLIC_LOG_BUCKET) | A storage bucket used as a log sink is publicly accessible. For more information, see Storage vulnerability findings. | Security Health Analytics |
| Google Cloud | User managed service account key
(USER_MANAGED_SERVICE_ACCOUNT_KEY) | A user manages a service account key. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Too many KMS users
(TOO_MANY_KMS_USERS) | There are more than three users of cryptographic keys. For more information, see KMS vulnerability findings. | Security Health Analytics |
| Google Cloud | KMS project has owner
(KMS_PROJECT_HAS_OWNER) | A user has Owner permissions on a project that has cryptographic keys. For more information, see KMS vulnerability findings. | Security Health Analytics |
| Google Cloud | Owner not monitored
(OWNER_NOT_MONITORED) | Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. For more information, see Monitoring vulnerability findings. | Security Health Analytics |
Filter identity and access findings by cloud platform
From the Findings query results pane, you can tell what finding relates to a given cloud platform by inspecting the contents of the Cloud provider, Resource display name, or Resource type columns.
The Finding query results display identity and access findings for both Google Cloud and AWS environments by default. To edit the default finding query results to display only findings for a particular cloud platform, select Amazon Web Services or Google Cloud platform from the Cloud provider quick filters category.
Inspect identity and access findings in detail
To learn more about an identity and access finding, open the detailed view of the finding by clicking the finding name in the Category column in the Findings query results panel. For more information on the finding detail view, see View the details of a finding.
The following sections on the Summary tab of the detail view are helpful for investigating identity and access findings.
Offending access grants
On the Summary tab of the details pane of a finding, the Offending access grants row provides a way to quickly inspect Google Cloud and third-party principals and their access to your resources. This information only appears for findings when IAM recommender detects principals on Google Cloud resources with highly permissive, basic, and unused roles.
Click Review offending access grants to open the Review offending access grants pane, which contains the following information:
- The name of the principal. The principals displayed in this column can be a
mix of Google Cloud user accounts (
user:example-user@example.com), groups, identities from other identity providers (//iam.googleapis.com/locations/global/workforcePools/example-pool/subject/example-user@example.com), and service accounts. - The name of the role granted to the principal.
- The recommended action you can take to remediate the offending access.
Case information
On the Summary tab of the details page of a finding, the Case
information section displays when there is a case or ticket that
corresponds with a particular finding. Cases and tickets are automatically
created for findings with a Critical or High severity classification.
The Cases information section provides a way to track the remediation efforts for a particular finding. It provides details about the corresponding case, such as links to any corresponding case and ticketing system (Jira or ServiceNow) ticket, the assignee, case status, and case priority.
To access the case corresponding with the finding, click the case ID number in the Case ID row.
To access the Jira or ServiceNow ticket corresponding with the finding, click the ticket ID number in the Ticket ID row.
To connect your ticketing systems with Security Command Center Enterprise, see Integrate Security Command Center Enterprise with ticketing systems.
For more information on reviewing corresponding cases, see Review identity and access finding cases.
Next steps
On the Summary tab of the details page of a finding, the Next steps section provides step-by-step guidance on how to immediately remediate the issue detected. These recommendations are tailored to the specific finding you are viewing.
What's next
- Learn how to work with findings.
- Learn how to review identity and access finding cases.
- Learn about the CIEM detectors that generate AWS findings.