Security Health Analytics should be your first stop for auditing the security posture of your GCP environment.

In addition to the detectors that are on by default, there are a handful of detectors (mainly around CMEKs) that need to be turned on manually using gcloud.

The following Security Health Analytics detectors are not enabled by default:

    • BUCKET_CMEK_DISABLED
    • DATASET_CMEK_DISABLED
    • DISK_CMEK_DISABLED
    • DISK_CSEK_DISABLED
    • NODEPOOL_BOOT_CMEK_DISABLED
    • PUBSUB_CMEK_DISABLED
    • SQL_CMEK_DISABLED
    • SQL_NO_ROOT_PASSWORD
    • SQL_WEAK_ROOT_PASSWORD
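The following script is an added example (not part of the original page) that renders the gcloud command needed to enable each of the nine non-default detectors at the organization level, and runs them only when explicitly asked. It assumes the command form `gcloud alpha scc settings services modules enable --organization=... --service=SECURITY_HEALTH_ANALYTICS --module=...`; confirm the flags against `gcloud alpha scc settings services modules enable --help` for your gcloud version. `ORGANIZATION_ID` is a placeholder for your numeric organization ID.

```python
"""Enable the Security Health Analytics detectors that are off by default.

Added example. Assumed command form (verify with --help):
  gcloud alpha scc settings services modules enable \
      --organization=ORG --service=SECURITY_HEALTH_ANALYTICS --module=MODULE
"""
import subprocess
from typing import List

# The nine detectors listed on the page as not enabled by default.
NON_DEFAULT_DETECTORS = [
    "BUCKET_CMEK_DISABLED",
    "DATASET_CMEK_DISABLED",
    "DISK_CMEK_DISABLED",
    "DISK_CSEK_DISABLED",
    "NODEPOOL_BOOT_CMEK_DISABLED",
    "PUBSUB_CMEK_DISABLED",
    "SQL_CMEK_DISABLED",
    "SQL_NO_ROOT_PASSWORD",
    "SQL_WEAK_ROOT_PASSWORD",
]

ORG_PLACEHOLDER = "ORGANIZATION_ID"  # placeholder: replace with your numeric org ID


def enable_command(org_id: str, module: str) -> List[str]:
    """Build the argv that enables one SHA module for an organization.

    Only the known non-default detector names are accepted, so a typo in a
    module name fails here instead of being sent to the API.
    """
    if module not in NON_DEFAULT_DETECTORS:
        raise ValueError(f"unknown non-default detector: {module}")
    return [
        "gcloud", "alpha", "scc", "settings", "services", "modules", "enable",
        f"--organization={org_id}",
        "--service=SECURITY_HEALTH_ANALYTICS",
        f"--module={module}",
    ]


def enable_all(org_id: str, dry_run: bool = True) -> List[str]:
    """Return the rendered command for every non-default detector.

    With dry_run=False each command is also executed via subprocess; a
    non-zero exit from gcloud raises CalledProcessError and stops the loop.
    """
    rendered = []
    for module in NON_DEFAULT_DETECTORS:
        argv = enable_command(org_id, module)
        rendered.append(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return rendered


if __name__ == "__main__":
    # Dry run by default: print the commands so they can be reviewed first.
    for line in enable_all(ORG_PLACEHOLDER, dry_run=True):
        print(line)
```

Run it once in dry-run mode to review the commands, then call `enable_all(org_id, dry_run=False)` from an account that holds Security Center settings permissions on the organization.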

Security Health Analytics: in the Premium tier, Security Health Analytics also provides monitoring for many industry best practices and compliance monitoring across your Google Cloud assets.

Security Health Analytics (Premium Tier) includes monitoring and reporting for the following standards:

    • CIS 1.0
    • PCI DSS v3.2.1
    • NIST 800-53
    • ISO 27001

Event Threat Detection monitors your organization's Cloud Logging stream and consumes logs for one or more projects as they become available to detect the following threats:

    • Malware
    • Cryptomining
    • Brute force SSH
    • Outgoing DoS
    • IAM anomalous grant
    • Data exfiltration

Container Threat Detection detects the following container runtime attacks:

    • Added binary executed
    • Added library loaded
    • Reverse shell

Web Security Scanner provides managed scans that are automatically configured. These scans identify the following security vulnerabilities in your Google Cloud apps:

    • Cross-site scripting (XSS)
    • Flash injection
    • Mixed-content
    • Clear text passwords
    • Usage of insecure JavaScript libraries

Continuous Exports automatically manage the export of new findings to Pub/Sub as they are created.
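As an added example (not from the original page), here is a small consumer for findings delivered by a Continuous Export. It assumes the export feeds a Pub/Sub push subscription, whose HTTP body carries the notification as base64 in `message.data`, and that the decoded payload is a notification message with top-level `finding` and `resource` objects, the finding exposing `category`, `state`, `severity` and `resourceName`. The sample deliveries are constructed for illustration; the summary counts ACTIVE findings per category and reports which of the non-default detectors have produced any finding, which is a cheap way to confirm they really were enabled.

```python
"""Summarize Security Command Center findings from a Continuous Export.

Added example. Assumptions: Pub/Sub push envelope {"message": {"data": b64 JSON}}
and a notification payload with "finding" and "resource" keys.
"""
import base64
import json
from collections import Counter
from typing import Dict, List

# Detectors the page says are off by default.
NON_DEFAULT_DETECTORS = {
    "BUCKET_CMEK_DISABLED", "DATASET_CMEK_DISABLED", "DISK_CMEK_DISABLED",
    "DISK_CSEK_DISABLED", "NODEPOOL_BOOT_CMEK_DISABLED", "PUBSUB_CMEK_DISABLED",
    "SQL_CMEK_DISABLED", "SQL_NO_ROOT_PASSWORD", "SQL_WEAK_ROOT_PASSWORD",
}


def make_push_body(payload: dict, message_id: str) -> dict:
    """Wrap a payload the way a Pub/Sub push delivery does (constructed test input)."""
    data = base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")
    return {
        "message": {"data": data, "messageId": message_id},
        "subscription": "projects/example-project/subscriptions/scc-findings",
    }


def decode_finding(push_body: dict) -> dict:
    """Extract the finding from a push delivery.

    Raises KeyError on a malformed envelope and ValueError on a finding that
    lacks the fields the summary needs, so bad input is rejected, not counted.
    """
    raw = base64.b64decode(push_body["message"]["data"])
    payload = json.loads(raw)
    finding = payload["finding"]
    for key in ("category", "state", "resourceName"):
        if key not in finding:
            raise ValueError(f"finding missing required field {key!r}")
    return finding


def summarize(push_bodies: List[dict]) -> Dict[str, object]:
    """Count ACTIVE findings per category and list non-default detectors seen."""
    active = Counter()
    seen_categories = set()
    for body in push_bodies:
        finding = decode_finding(body)
        seen_categories.add(finding["category"])
        # Resolved findings are re-exported with state INACTIVE; do not count them.
        if finding["state"] != "ACTIVE":
            continue
        active[finding["category"]] += 1
    return {
        "active_by_category": dict(active),
        "non_default_detectors_seen": sorted(seen_categories & NON_DEFAULT_DETECTORS),
    }


def _finding(name: str, category: str, state: str, resource: str) -> dict:
    """Build a constructed notification payload (not real SCC output)."""
    return {
        "finding": {
            "name": f"organizations/000000000000/sources/0/findings/{name}",
            "category": category,
            "state": state,
            "severity": "MEDIUM",
            "resourceName": resource,
        },
        "resource": {"name": resource},
    }


# Constructed sample deliveries: two CMEK findings, one resolved root-password
# finding, and one default-enabled detector (PUBLIC_BUCKET_ACL) for contrast.
SAMPLE_DELIVERIES = [
    make_push_body(_finding("a1", "BUCKET_CMEK_DISABLED", "ACTIVE",
                            "//storage.googleapis.com/projects/_/buckets/example-logs"), "m1"),
    make_push_body(_finding("a2", "BUCKET_CMEK_DISABLED", "ACTIVE",
                            "//storage.googleapis.com/projects/_/buckets/example-backups"), "m2"),
    make_push_body(_finding("a3", "SQL_NO_ROOT_PASSWORD", "INACTIVE",
                            "//cloudsql.googleapis.com/projects/example-project/instances/db1"), "m3"),
    make_push_body(_finding("a4", "PUBLIC_BUCKET_ACL", "ACTIVE",
                            "//storage.googleapis.com/projects/_/buckets/example-public"), "m4"),
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_DELIVERIES), indent=2))
```

In a real deployment the push handler would call `decode_finding` per request and feed the results into whatever aggregation or ticketing you use; the point of skipping INACTIVE findings is that a Continuous Export sends state changes as well as new findings, so counting every message would overstate open issues.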