Investigate identity and access findings

This page explains how to work with findings for security issues that are related to identity and access (identity and access findings) in the Google Cloud console to investigate and identify potential misconfigurations.

As part of the Cloud Infrastructure Entitlement Management (CIEM) capabilities offered with the Enterprise tier, Security Command Center generates identity and access findings and makes them readily accessible on the Security Command Center Risk Overview page. These findings are curated and categorized under the Identity and access findings pane.

Before you begin

Make sure you have completed the following tasks before continuing:

View identity and access findings on the Findings page

The Identity view on the Security Command Center Findings page displays identity and access findings across your cloud environments, such as Google Cloud and Amazon Web Services (AWS).

  1. In Google Cloud console, select Findings in the navigation.

  2. Select the Identity view.

The Identity view adds a filter condition to display only findings where the domains.category field contains the value IDENTITY_AND_ACCESS.

To display only results from a specific cloud platform, use the AWS and Google buttons.

Use the Aggregations panel and the Query Editor to filter results further. To view only findings detected by a specific service, select that service from the Source display name category in the Aggregations panel. For example, if you want to view only findings detected by the CIEM detection service, select CIEM. Other examples include the following:

  • Category: Filters the query results to specific finding categories that you want to learn more about.
  • Project ID: Filters the query results to findings that relate to a specific project.
  • Resource type: Filters the query results to findings that relate to a specific resource type.
  • Severity: Filters the query results to findings of a specific severity.
  • Source display name: Filters the query results to findings detected by a specific service.

The Findings query results panel consists of several columns that provide details about the finding. Among them, the following columns are of interest for CIEM purposes:

  • Severity: Displays the severity of a given finding to help you prioritize remediation.
  • Resource display name: Displays the resource where the finding was detected.
  • Source display name: Displays the service that detected the finding. Sources that produce identity-related findings include CIEM, IAM recommender, Security Health Analytics, and Event Threat Detection.
  • Cloud provider: Displays the cloud environment where the finding was detected, such as Google Cloud, AWS, and Microsoft Azure.
  • Offending access grants: Displays a link to review the principals who were potentially granted inappropriate roles.
  • Case ID: Displays the ID number of the case that is related to the finding.

For more information about working with findings, see Review and manage findings.

Investigate identity and access findings for different cloud platforms

Security Command Center lets you investigate identity and access misconfiguration findings for your AWS, Microsoft Azure, and Google Cloud environments on the Security Command Center Findings page.

Many different Security Command Center detection services, such as CIEM, IAM recommender, Security Health Analytics, and Event Threat Detection, generate CIEM-specific finding categories that detect potential identity and access security issues for your cloud platforms.

The Security Command Center CIEM detection service generates specific findings for your AWS and Microsoft Azure environments, and the IAM recommender, Security Health Analytics, and Event Threat Detection detection services generate specific findings for your Google Cloud environment.

To view only findings detected by a specific service, select that service from the Source display name quick filters category. For example, if you want to view only findings detected by the CIEM detection service, select CIEM.

The following table describes all the findings that are considered part of Security Command Center's CIEM capabilities.

| Cloud platform | Finding category | Description | Source |
|---|---|---|---|
| AWS | Assumed identity has excessive permissions (ASSUMED_IDENTITY_HAS_EXCESSIVE_PERMISSIONS) | Assumed IAM roles detected in your AWS environment with highly permissive policies. For more information, see CIEM findings. | CIEM |
| AWS | Group has excessive permissions (GROUP_HAS_EXCESSIVE_PERMISSIONS) | AWS IAM or AWS IAM Identity Center groups detected in your AWS environment with highly permissive policies. For more information, see CIEM findings. | CIEM |
| AWS | User has excessive permissions (USER_HAS_EXCESSIVE_PERMISSIONS) | AWS IAM or AWS IAM Identity Center users detected in your AWS environment with highly permissive policies. For more information, see CIEM findings. | CIEM |
| AWS | User is inactive (INACTIVE_USER) | Inactive AWS IAM or AWS IAM Identity Center users are detected in your AWS environment. For more information, see CIEM findings. | CIEM |
| AWS | Group is inactive (INACTIVE_GROUP) | AWS IAM or AWS IAM Identity Center groups detected in your AWS environment are not active. For more information, see CIEM findings. | CIEM |
| AWS | Assumed identity is inactive (INACTIVE_ASSUMED_IDENTITY) | Assumed IAM roles detected in your AWS environment are inactive. For more information, see CIEM findings. | CIEM |
| AWS | Overly permissive trust policy enforced on assumed identity (OVERLY_PERMISSIVE_TRUST_POLICY_ENFORCED_ON_ASSUMED_IDENTITY) | The trust policy enforced on an assumed IAM role is highly permissive. For more information, see CIEM findings. | CIEM |
| AWS | Assumed identity has lateral movement risk (ASSUMED_IDENTITY_HAS_LATERAL_MOVEMENT_RISK) | One or more identities can move laterally in your AWS environment through role impersonation. For more information, see CIEM findings. | CIEM |
| Microsoft Azure | Assumed identity has excessive permissions (ASSUMED_IDENTITY_HAS_EXCESSIVE_PERMISSIONS) | Service principals or managed identities detected in your Azure environment with highly permissive role assignments. For more information, see CIEM findings. | CIEM |
| Microsoft Azure | Group has excessive permissions (GROUP_HAS_EXCESSIVE_PERMISSIONS) | Groups detected in your Azure environment with highly permissive role assignments. For more information, see CIEM findings. | CIEM |
| Microsoft Azure | User has excessive permissions (USER_HAS_EXCESSIVE_PERMISSIONS) | Users detected in your Azure environment with highly permissive role assignments. For more information, see CIEM findings. | CIEM |
| Google Cloud | MFA not enforced (MFA_NOT_ENFORCED) | There are users who aren't using 2-Step Verification. For more information, see Multi-factor authentication findings. | Security Health Analytics |
| Google Cloud | Custom role not monitored (CUSTOM_ROLE_NOT_MONITORED) | Log metrics and alerts aren't configured to monitor Custom Role changes. For more information, see Monitoring vulnerability findings. | Security Health Analytics |
| Google Cloud | KMS role separation (KMS_ROLE_SEPARATION) | Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Primitive roles used (PRIMITIVE_ROLES_USED) | A user has one of the following basic roles: Owner (roles/owner), Editor (roles/editor), or Viewer (roles/viewer). For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Redis role used on org (REDIS_ROLE_USED_ON_ORG) | A Redis IAM role is assigned at the organization or folder level. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Service account role separation (SERVICE_ACCOUNT_ROLE_SEPARATION) | A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Non org IAM member (NON_ORG_IAM_MEMBER) | There is a user who isn't using organizational credentials. Per CIS Google Cloud Foundations 1.0, only identities with @gmail.com email addresses trigger this detector. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Open group IAM member (OPEN_GROUP_IAM_MEMBER) | A Google Groups account that can be joined without approval is used as an IAM allow policy principal. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Unused IAM role (UNUSED_IAM_ROLE) | IAM recommender detected a user account that has an IAM role that has not been used in the last 90 days. For more information, see IAM recommender findings. | IAM recommender |
| Google Cloud | IAM role has excessive permissions (IAM_ROLE_HAS_EXCESSIVE_PERMISSIONS) | IAM recommender detected a service account that has one or more IAM roles that give excessive permissions to the user account. For more information, see IAM recommender findings. | IAM recommender |
| Google Cloud | Service agent role replaced with basic role (SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE) | IAM recommender detected that the original default IAM role granted to a service agent was replaced with one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and shouldn't be granted to service agents. For more information, see IAM recommender findings. | IAM recommender |
| Google Cloud | Service agent granted basic role (SERVICE_AGENT_GRANTED_BASIC_ROLE) | IAM recommender detected that a service agent was granted one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and shouldn't be granted to service agents. For more information, see IAM recommender findings. | IAM recommender |
| Google Cloud | Admin service account (ADMIN_SERVICE_ACCOUNT) | A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Default service account used (DEFAULT_SERVICE_ACCOUNT_USED) | An instance is configured to use the default service account. For more information, see Compute instance vulnerability findings. | Security Health Analytics |
| Google Cloud | Over privileged account (OVER_PRIVILEGED_ACCOUNT) | A service account has overly broad project access in a cluster. For more information, see Container vulnerability findings. | Security Health Analytics |
| Google Cloud | Over privileged service account user (OVER_PRIVILEGED_SERVICE_ACCOUNT_USER) | A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Service account key not rotated (SERVICE_ACCOUNT_KEY_NOT_ROTATED) | A service account key hasn't been rotated for more than 90 days. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Over privileged scopes (OVER_PRIVILEGED_SCOPES) | A node service account has broad access scopes. For more information, see Container vulnerability findings. | Security Health Analytics |
| Google Cloud | KMS public key (KMS_PUBLIC_KEY) | A Cloud KMS cryptographic key is publicly accessible. For more information, see KMS vulnerability findings. | Security Health Analytics |
| Google Cloud | Public bucket ACL (PUBLIC_BUCKET_ACL) | A Cloud Storage bucket is publicly accessible. For more information, see Storage vulnerability findings. | Security Health Analytics |
| Google Cloud | Public log bucket (PUBLIC_LOG_BUCKET) | A storage bucket used as a log sink is publicly accessible. For more information, see Storage vulnerability findings. | Security Health Analytics |
| Google Cloud | User managed service account key (USER_MANAGED_SERVICE_ACCOUNT_KEY) | A user manages a service account key. For more information, see IAM vulnerability findings. | Security Health Analytics |
| Google Cloud | Too many KMS users (TOO_MANY_KMS_USERS) | There are more than three users of cryptographic keys. For more information, see KMS vulnerability findings. | Security Health Analytics |
| Google Cloud | KMS project has owner (KMS_PROJECT_HAS_OWNER) | A user has Owner permissions on a project that has cryptographic keys. For more information, see KMS vulnerability findings. | Security Health Analytics |
| Google Cloud | Owner not monitored (OWNER_NOT_MONITORED) | Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. For more information, see Monitoring vulnerability findings. | Security Health Analytics |
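
Several of the Google Cloud rows above describe checks you can reproduce locally against a project's IAM allow policy before the findings reach the console, which is useful for validating a remediation or for pre-merge review of policy changes. The following is an added example, not Security Health Analytics code: it evaluates five of the table's categories (PRIMITIVE_ROLES_USED, SERVICE_ACCOUNT_ROLE_SEPARATION, OVER_PRIVILEGED_SERVICE_ACCOUNT_USER, NON_ORG_IAM_MEMBER, ADMIN_SERVICE_ACCOUNT) over a constructed policy in the JSON shape that `gcloud projects get-iam-policy --format=json` returns. The "user-created service account" heuristic and the treatment of `*.admin` roles as admin privilege are assumptions of this example.

```python
"""Local approximation of five Security Health Analytics IAM checks from the table.
Added example over constructed data; not the detector's own implementation."""
from collections import defaultdict

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
SA_ADMIN = "roles/iam.serviceAccountAdmin"
SA_USER = "roles/iam.serviceAccountUser"
SA_TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"


def roles_by_member(policy):
    """Invert bindings into {member: set(roles)} so per-principal checks are simple."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out


def check_project_policy(policy):
    """Return sorted (finding category, member) pairs using the table's category names."""
    findings = set()
    for member, roles in roles_by_member(policy).items():
        kind, _, ident = member.partition(":")  # e.g. "user", "alice@example.com"
        if roles & BASIC_ROLES:
            findings.add(("PRIMITIVE_ROLES_USED", member))
        if SA_ADMIN in roles and SA_USER in roles:
            findings.add(("SERVICE_ACCOUNT_ROLE_SEPARATION", member))
        # Every binding in a project policy is project-level, not per service account.
        if roles & {SA_USER, SA_TOKEN_CREATOR}:
            findings.add(("OVER_PRIVILEGED_SERVICE_ACCOUNT_USER", member))
        # Per the table, only @gmail.com identities trigger this detector.
        if kind == "user" and ident.lower().endswith("@gmail.com"):
            findings.add(("NON_ORG_IAM_MEMBER", member))
        # Assumption: "*.iam.gserviceaccount.com" marks a user-created service account,
        # and Owner/Editor or any "*.admin" role on it counts as admin privilege.
        if (kind == "serviceAccount" and ident.endswith(".iam.gserviceaccount.com")
                and any(r in ("roles/owner", "roles/editor") or r.endswith(".admin")
                        for r in roles)):
            findings.add(("ADMIN_SERVICE_ACCOUNT", member))
    return sorted(findings)


# Constructed sample policy; the principals and project are not real.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com", "user:bob@gmail.com"]},
    {"role": SA_ADMIN, "members": ["user:carol@example.com"]},
    {"role": SA_USER, "members": ["user:carol@example.com"]},
    {"role": SA_TOKEN_CREATOR, "members": ["group:devs@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:deploy@demo.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    for category, member in check_project_policy(SAMPLE_POLICY):
        print(f"{category:40} {member}")
```

Feeding the script real output from `gcloud projects get-iam-policy` gives a quick local cross-check of what the Security Health Analytics rows in the table would flag for those five categories.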

Filter identity and access findings by cloud platform

From the Findings query results pane, you can tell which cloud platform a finding relates to by inspecting the contents of the Cloud provider, Resource display name, or Resource type columns.

The Findings query results display identity and access findings for Google Cloud, AWS, and Microsoft Azure environments by default. To narrow the default query results to findings for a particular cloud platform, select Amazon Web Services or Google Cloud platform from the Cloud provider quick filters category.

Inspect identity and access findings in detail

To learn more about an identity and access finding, open the detailed view of the finding by clicking the finding name in the Category column in the Findings panel. For more information about the finding detail view, see View the details of a finding.

The following sections on the Summary tab of the detail view are helpful when investigating identity and access findings.

Offending access grants

On the Summary tab of the details pane of a finding, the Offending access grants row provides a way to quickly inspect principals, including federated identities, and their access to your resources. This information only appears for findings when IAM recommender detects principals on Google Cloud resources with highly permissive, basic, and unused roles.

Click Review offending access grants to open the Review offending access grants pane, which contains the following information:

  • The name of the principal. The principals displayed in this column can be a mix of Google Cloud user accounts, groups, federated identities, and service accounts.
  • The name of the role granted to the principal.
  • The recommended action you can take to remediate the offending access.

Case information

On the Summary tab of the details page of a finding, the Case information section displays when there is a case or ticket that corresponds with a particular finding.

The Case information section provides a way to track the remediation efforts for a particular finding. It provides details about the corresponding case, such as a link to the case, a link to the corresponding ticket in your ticketing system (Jira or ServiceNow), the assignee, the case status, and the case priority.

  • To access the case corresponding with the finding, click the case ID number in the Case ID row.

  • To access the Jira or ServiceNow ticket corresponding with the finding, click the ticket ID number in the Ticket ID row.

To connect your ticketing systems with Security Command Center Enterprise, see Integrate Security Command Center Enterprise with ticketing systems.

For more information on reviewing corresponding cases, see Review identity and access finding cases.

Next steps

On the Summary tab of the details page of a finding, the Next steps section provides step-by-step guidance on how to immediately remediate the issue detected. These recommendations are tailored to the specific finding you are viewing.

What's next