Onboarding or migrating a Google Security Operations instance
Google Security Operations links to a customer-supplied Google Cloud project to integrate more closely with Google Cloud services, such as Identity and Access Management, Cloud Monitoring, and Cloud Audit Logs. Customers can use IAM and workforce identity federation to authenticate using their existing identity provider.
The following documents guide you through the process to onboard a new Google Security Operations instance or migrate an existing Google Security Operations instance.
- Configure a Google Cloud project for Google Security Operations
- Configure a third-party identity provider for Google Security Operations
- Link Google Security Operations to Google Cloud services
- Configure feature access control using IAM
Required roles
The following sections describe the permissions you need for each phase of the onboarding process, mentioned in the previous section.
Configure a Google Cloud project for Google Security Operations
To complete the steps in Configure a Google Cloud project for Google Security Operations, you need the following IAM permissions.
If you have the Project Creator (resourcemanager.projects.create
permission at the organization level, then no additional permissions
are required to create a project and enable the Chronicle API.
If you do not have this permission, you need the following permissions at the project level:
- Chronicle Service Admin (
roles/chroniclesm.admin) - Editor (
roles/editor) - Project IAM Admin (
roles/resourcemanager.projectIamAdmin) - Service Usage Admin (
roles/serviceusage.serviceUsageAdmin)
Configure a third-party identity provider Google Security Operations
To complete the steps in Configure a third-party identity provider for Google Security Operations, you need the following IAM permissions.
Project Editor permissions to the Google Security Operations-bound project you created previously.
IAM Workforce Pool Admin (
roles/iam.workforcePoolAdmin) permission at either the project level or organization level.Use the following command as an example to set the
roles/iam.workforcePoolAdminrole:gcloud organizations add-iam-policy-binding ORGANIZATION_ID \ --member "user:USER_EMAIL" \ --role roles/iam.workforcePoolAdminReplace the following:
ORGANIZATION_ID: the numeric organization ID.USER_EMAIL: the admin user's email address.
Link a Google Security Operations instance to Google Cloud services
To complete the steps in Link Google Security Operations to Google Cloud services, you need the same permissions defined in the Configure a Google Cloud project for Google Security Operations section.
Configure feature access control using IAM
To complete the steps in Configure feature access control using IAM, you need the following IAM permission at the project level to grant and modify the project's IAM role bindings:
See Assign roles to users and groups for an example of how to do this.
If you plan to migrate an existing Google Security Operations instance to IAM, you need the same permissions defined in the Configure a third-party identity provider Google Security Operations section.
Google Security Operations advanced capabilities requirements
The following table lists Google Security Operations advanced capabilities and their dependencies on a customer-provided Google Cloud project and Google workforce identity federation.
| Capability | Google Cloud foundation | Requires Google Cloud project? | Requires workforce identity federation? |
|---|---|---|---|
| Cloud Audit Logs: administrative activities | Cloud Audit Logs | Yes | Yes |
| Cloud Audit Logs: data access | Cloud Audit Logs | Yes | Yes |
| Cloud Billing: online subscription or pay-as-you-go | Cloud Billing | Yes | No |
| Google Security Operations APIs: general access, mint and manage credentials using third-party IdP | Google Cloud APIs | Yes | Yes |
| Google Security Operations APIs: general access, mint and manage credentials using Cloud Identity | Google Cloud APIs, Cloud Identity | Yes | Yes |
| Compliant controls: CMEK | Cloud Key Management Service or Cloud External Key Manager | Yes | No |
| Compliant controls: FedRAMP High or above | Assured Workloads | Yes | Yes |
| Compliant controls: Organization Policy Service | Organization Policy Service | Yes | No |
| Compliant controls: VPC Service Controls | VPC Service Controls | Yes | No |
| Contact management: legal disclosures | Essential Contacts | Yes | No |
| Health monitoring: ingestion pipeline outages | Cloud Monitoring | Yes | No |
| Ingestion: webhook, Pub/Sub, Azure Event Hub, Amazon Kinesis Data Firehose | Identity and Access Management | Yes | No |
| Role-based access controls: data | Identity and Access Management | Yes | Yes |
| Role-based access controls: features or resources | Identity and Access Management | Yes | Yes |
| Support access: case submission, tracking | Cloud Customer Care | Yes | No |
| Unified SecOps authentication | Google workforce identity federation | No | Yes |