Advisory Notifications provides IAM policy recommendations to ensure that the right parties within your organization have access to view critical security and privacy notifications in the Google Cloud console. These recommendations are generated automatically by analyzing your Essential Contacts configuration and your IAM policy. Use these recommendations to ensure that your security administrators can receive and quickly address security notifications.
How Advisory Notifications recommendations work
Advisory Notifications recommendations monitor your Essential Contacts and IAM policy configurations, and make recommendations based on the previous day's data.
The recommendations include the following:
If no user has permission to view notifications, Advisory Notifications recommends granting the appropriate parties within your organization access.
If a principal is listed as a Security Essential Contact but does not have permission to view Advisory Notifications in the Google Cloud console, Advisory Notifications recommends granting the principal access. Advisory Notifications recommendations don't take custom roles into account. If you are granting a principal permission to Advisory Notifications through a custom role, disregard or dismiss the recommendation.
View Advisory Notifications recommendations
Advisory Notifications makes insights and recommendations available through the Recommender using the Google Cloud CLI, the API, or the BigQuery export feature.
Before you begin
Before you can view the insights and recommendations, you must do the following:
- You must enable the Recommender API. You only need to enable the API on a single billing project. You can then use this same billing project to examine recommendations and insights for other projects, the entire organization, or the billing account, by specifying the billing project in your gcloud commands and API requests.
- Ensure that you have the required permissions
View recommendations
gcloud
To view your recommendations, use the following gcloud recommender recommendations list command. The --filter flag selects one recommender subtype: use either SECURITY_ESSENTIAL_CONTACTS_WITHOUT_ADVISORY_NOTIFICATIONS or NO_VIEWERS_OF_ADVISORY_NOTIFICATIONS in place of the bracketed expression.

gcloud recommender recommendations list \
    --recommender=google.cloud.security.GeneralRecommender \
    --organization=ORGANIZATION_ID \
    --location=global \
    --billing-project=QUOTA_PROJECT \
    --filter=recommenderSubtype=[ SECURITY_ESSENTIAL_CONTACTS_WITHOUT_ADVISORY_NOTIFICATIONS | NO_VIEWERS_OF_ADVISORY_NOTIFICATIONS ] \
    --format=FORMAT
Replace the following:
- ORGANIZATION_ID: the ID of your organization.
- FORMAT: your preferred output format. For example, yaml, text, and json. For all the possible values, see Projections. The values csv, diff, get, table, and value require non-empty projections.
- QUOTA_PROJECT: the ID of the project to use for quota and billing.
The output of the gcloud recommender recommendations list command includes the following fields:
- name: the name of the recommendation.
- description: a human-readable explanation of the recommendation.
- associatedInsights: a list of associated insights.
You can also view the insights associated with these recommendations. To view your insights, use the gcloud recommender insights list command below. As with recommendations, the --filter flag selects one insight subtype in place of the bracketed expression.

gcloud recommender insights list \
    --insight-type=google.cloud.security.GeneralInsight \
    --organization=ORGANIZATION_ID \
    --location=global \
    --billing-project=QUOTA_PROJECT \
    --filter=insightSubtype=[ SECURITY_ESSENTIAL_CONTACTS_WITHOUT_ADVISORY_NOTIFICATIONS | NO_VIEWERS_OF_ADVISORY_NOTIFICATIONS ] \
    --format=FORMAT
Replace the following:
- ORGANIZATION_ID: the ID of your organization.
- FORMAT: your preferred output format. For example, yaml, text, and json. For all the possible values, see Projections. The values csv, diff, get, table, and value require non-empty projections.
- QUOTA_PROJECT: the ID of the project to use for quota and billing.
The output of the gcloud recommender insights list command includes the following fields:
- name: the name of the insight.
- description: a human-readable explanation of the insight.
- associatedRecommendations: a list of associated recommendations.
For more information, see the Recommender docs.
API
To view your recommendations, use the Recommender API with the google.cloud.security.GeneralRecommender recommender ID.
The following example bash script uses an access token returned by Application Default Credentials for a curl request. For information about setting up Application Default Credentials, see Provide credentials for Application Default Credentials.

ORGANIZATION_ID=ORGANIZATION_ID
LOCATION=global
RECOMMENDER_ID=google.cloud.security.GeneralRecommender
QUOTA_PROJECT=QUOTA_PROJECT
curl \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "x-goog-user-project: $QUOTA_PROJECT" \
    https://recommender.googleapis.com/v1/organizations/$ORGANIZATION_ID/locations/$LOCATION/recommenders/$RECOMMENDER_ID/recommendations
Replace the following:
- ORGANIZATION_ID: the ID of your organization.
- QUOTA_PROJECT: the ID of the project to use for quota and billing.
The response includes the following fields:
- name: the name of the recommendation.
- description: a human-readable explanation of the recommendation.
- associatedInsights: a list of associated insights.
To view your insights, use the Recommender API with the google.cloud.security.GeneralInsight insight type.
The following example bash script uses an access token returned by Application Default Credentials for a curl request. For information about setting up Application Default Credentials, see Provide credentials for Application Default Credentials.

ORGANIZATION_ID=ORGANIZATION_ID
LOCATION=global
INSIGHT_TYPE=google.cloud.security.GeneralInsight
QUOTA_PROJECT=QUOTA_PROJECT
curl \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "x-goog-user-project: $QUOTA_PROJECT" \
    https://recommender.googleapis.com/v1/organizations/$ORGANIZATION_ID/locations/$LOCATION/insightTypes/$INSIGHT_TYPE/insights
Replace the following:
- ORGANIZATION_ID: the ID of your organization.
- QUOTA_PROJECT: the ID of the project to use for quota and billing.
The response includes the following fields:
- name: the name of the insight.
- description: a human-readable explanation of the insight.
- associatedRecommendations: a list of associated recommendations.
For more information, see Using the Recommender API.
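The curl calls above return only the first page of results and leave the associatedInsights references unresolved. The following Python script is an added example (not code from this page or from Google's client libraries) that follows nextPageToken, applies the same recommenderSubtype filter expression the gcloud command uses, keeps only ACTIVE recommendations, and joins each one to the full insight objects it references. It sends the same two headers as the curl example and uses only the standard library; the transport is injectable, so the pagination and join logic also run offline against constructed sample pages (the organization ID, resource names and descriptions in SAMPLE_PAGES are made up for illustration).

```python
"""Paginated Recommender API client for the endpoints on this page (added
example; not from the page or Google's client libraries). Standard library
only; the transport is injectable so the code also runs offline."""
from __future__ import annotations
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator

API = "https://recommender.googleapis.com/v1"
RECOMMENDER_ID = "google.cloud.security.GeneralRecommender"
INSIGHT_TYPE = "google.cloud.security.GeneralInsight"
Transport = Callable[[str], dict]  # full URL -> parsed JSON response body


def adc_transport(access_token: str, quota_project: str) -> Transport:
    """Live transport: the same two headers the curl example sends."""
    def get(url: str) -> dict:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {access_token}",
            "x-goog-user-project": quota_project})
        with urllib.request.urlopen(req) as resp:  # network call
            return json.load(resp)
    return get


def recommendations_url(org_id: str) -> str:
    return f"{API}/organizations/{org_id}/locations/global/recommenders/{RECOMMENDER_ID}/recommendations"


def insights_url(org_id: str) -> str:
    return f"{API}/organizations/{org_id}/locations/global/insightTypes/{INSIGHT_TYPE}/insights"


def list_all(transport: Transport, url: str, items_key: str,
             filter_expr: str | None = None, page_size: int = 100) -> Iterator[dict]:
    """Yield every item, following nextPageToken until the server omits it
    (a single curl call returns only the first page)."""
    token = None
    while True:
        params = {"pageSize": page_size}
        if filter_expr:
            params["filter"] = filter_expr
        if token:
            params["pageToken"] = token
        page = transport(f"{url}?{urllib.parse.urlencode(params)}")
        yield from page.get(items_key, [])
        token = page.get("nextPageToken")
        if not token:
            return


def active_with_insights(transport: Transport, org_id: str,
                         subtype: str | None = None) -> list[dict]:
    """ACTIVE recommendations with associatedInsights resolved to full insight
    objects; the list response carries only their resource names."""
    flt = f"recommenderSubtype={subtype}" if subtype else None
    recs = [r for r in list_all(transport, recommendations_url(org_id), "recommendations", flt)
            if r.get("stateInfo", {}).get("state") == "ACTIVE"]
    by_name = {i["name"]: i for i in list_all(transport, insights_url(org_id), "insights")}
    for rec in recs:
        rec["insights"] = [by_name[a["insight"]] for a in rec.get("associatedInsights", [])
                           if a["insight"] in by_name]
    return recs


# Constructed sample pages shaped like the API responses, keyed by (collection, pageToken).
_REC = f"organizations/123456789012/locations/global/recommenders/{RECOMMENDER_ID}/recommendations"
_INS = f"organizations/123456789012/locations/global/insightTypes/{INSIGHT_TYPE}/insights"
SAMPLE_PAGES = {
    ("recommendations", ""): {"recommendations": [{
        "name": f"{_REC}/rec-1",
        "description": "Grant Advisory Notifications access to Security Essential Contacts.",
        "recommenderSubtype": "SECURITY_ESSENTIAL_CONTACTS_WITHOUT_ADVISORY_NOTIFICATIONS",
        "stateInfo": {"state": "ACTIVE"},
        "associatedInsights": [{"insight": f"{_INS}/ins-1"}]}],
        "nextPageToken": "page-2"},
    ("recommendations", "page-2"): {"recommendations": [{
        "name": f"{_REC}/rec-2",
        "recommenderSubtype": "NO_VIEWERS_OF_ADVISORY_NOTIFICATIONS",
        "stateInfo": {"state": "SUCCEEDED"},  # already acted on, so filtered out
        "associatedInsights": []}]},
    ("insights", ""): {"insights": [{
        "name": f"{_INS}/ins-1",
        "description": "sec-lead@example.com is a Security contact without viewer access.",
        "insightSubtype": "SECURITY_ESSENTIAL_CONTACTS_WITHOUT_ADVISORY_NOTIFICATIONS",
        "associatedRecommendations": [{"recommendation": f"{_REC}/rec-1"}]}]},
}


def fake_transport(pages: dict) -> Transport:
    """Offline transport that serves SAMPLE_PAGES-style data."""
    def get(url: str) -> dict:
        parts = urllib.parse.urlsplit(url)
        token = urllib.parse.parse_qs(parts.query).get("pageToken", [""])[0]
        return pages[(parts.path.rsplit("/", 1)[-1], token)]
    return get
```

To run it against a real organization, build the transport with adc_transport(subprocess-captured output of gcloud auth application-default print-access-token, QUOTA_PROJECT) and call active_with_insights(transport, ORGANIZATION_ID); with fake_transport(SAMPLE_PAGES) the same call returns rec-1 with its insight attached and drops rec-2 because its state is SUCCEEDED.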
BigQuery export
Recommendations and insights can also be exported in bulk to a BigQuery table. For details refer to the BigQuery export documentation.
Act on Advisory Notifications recommendations
The following sections provide targeted advice about acting on specific Advisory Notifications recommendations. Each section corresponds to one Advisory Notifications recommender subtype; find the section that matches the subtype of your recommendation.
Grant Access to Advisory Notifications
This section helps you act on recommendations with the SECURITY_ESSENTIAL_CONTACTS_WITHOUT_ADVISORY_NOTIFICATIONS recommender subtype.
You received this recommendation because some of your Essential Contacts in the Security and All categories don't have access to Advisory Notifications. This means that these contacts receive email notifications but aren't able to view the notification in the Google Cloud console.
We recommend that each Essential Contact be granted access to Advisory Notifications rather than granting access through parent groups or domains. Granting access to each Essential Contact makes it less likely that the access is revoked accidentally in the future. Additionally, you can use the self-documenting Advisory Notifications Viewer role to clarify why the binding exists.
To apply this recommendation, do the following:
- Find all organization-level Security Essential Contacts in your Essential Contacts configuration. These are the contacts in the Security and All categories.
- Grant each contact permission to view Advisory Notifications in the Identity and Access Management Admin page by assigning them the Advisory Notifications Viewer (roles/advisorynotifications.viewer) role. See viewing Advisory Notifications if you would like to know the specific permissions required for viewing Advisory Notifications.
Configure your Advisory Notifications Viewers
This section helps you act on recommendations with the NO_VIEWERS_OF_ADVISORY_NOTIFICATIONS recommender subtype.
You received this recommendation because we couldn't identify any principals in your organization with access to Advisory Notifications.
We recommend that you configure Essential Contacts and Advisory Notifications so that you are prepared to receive critical security and privacy notifications.
To apply this recommendation, do the following:
- Configure your organization-level Security Essential Contacts in the Essential Contacts page.
- Grant each contact permission to view Advisory Notifications by assigning them the Advisory Notifications Viewer role (roles/advisorynotifications.viewer) in the Identity and Access Management Admin page. See viewing Advisory Notifications if you would like to know the specific permissions required for viewing Advisory Notifications.
If you prefer not to use Essential Contacts, we still recommend granting viewing permissions for Advisory Notifications to the appropriate parties within your organization, such as a Security Administrator. Granting viewing permissions for Advisory Notifications without configuring Essential Contacts doesn't guarantee that the parties receive email notifications from Advisory Notifications.
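Because the recommender works from the previous day's data, it is useful to be able to run the same two checks yourself immediately after changing Essential Contacts or the organization IAM policy. The following Python script is an added example, not Google's recommender implementation: it examines the same two inputs the page describes (Essential Contacts subscribed to the Security or All category, and the organization-level IAM policy), reports the matching subtype, and emits one gcloud organizations add-iam-policy-binding command per contact so that each contact is granted roles/advisorynotifications.viewer directly, as the Grant Access section advises. Like the real recommender it ignores custom roles; it also assumes that only roles/advisorynotifications.viewer counts as view access, that each contact address is a user account (pass member_type="group" for a Google Groups address), and that when nobody holds the role only the broader NO_VIEWERS subtype is reported. The organization ID, contacts and policy bindings in the SAMPLE_ constants are constructed for illustration.

```python
"""Local pre-check mirroring the two recommendation subtypes on this page,
run against constructed Essential Contacts and IAM policy data. Added
example; not Google's recommender implementation, whose exact rules may
differ. Custom roles are not considered, matching the page's caveat."""
from __future__ import annotations

# Assumption: only the predefined Viewer role the page tells you to grant
# counts as view access; custom roles are ignored like the recommender does.
ROLE = "roles/advisorynotifications.viewer"
SECURITY_CATEGORIES = {"SECURITY", "ALL"}  # the categories the page calls out


def _email(member: str) -> str:
    """Strip the IAM member prefix (user:, group:, serviceAccount:) and lowercase."""
    return member.split(":", 1)[-1].lower()


def viewers(iam_policy: dict) -> set[str]:
    """Emails holding the Viewer role in the organization-level policy."""
    found: set[str] = set()
    for binding in iam_policy.get("bindings", []):
        if binding.get("role") == ROLE:
            found.update(_email(m) for m in binding.get("members", []))
    return found


def security_contacts(contacts: list[dict]) -> list[str]:
    """Emails of Essential Contacts subscribed to the Security or All category."""
    return [c["email"].lower() for c in contacts
            if SECURITY_CATEGORIES & set(c.get("notificationCategorySubscriptions", []))]


def grant_command(org_id: str, email: str, member_type: str = "user") -> str:
    """gcloud command granting the Viewer role directly to one contact, as the
    page recommends. Assumption: the contact is a user account; pass
    member_type="group" for a Google Groups address."""
    return (f"gcloud organizations add-iam-policy-binding {org_id} "
            f"--member={member_type}:{email} --role={ROLE}")


def evaluate(org_id: str, contacts: list[dict], iam_policy: dict) -> list[dict]:
    """Recommendations (subtype plus remediation commands) the two rules yield.
    Assumption: when nobody holds the role, only the broader NO_VIEWERS subtype
    is reported, with a grant command for every Security contact."""
    current = viewers(iam_policy)
    wanted = security_contacts(contacts)
    if not current:
        return [{"recommenderSubtype": "NO_VIEWERS_OF_ADVISORY_NOTIFICATIONS",
                 "commands": [grant_command(org_id, e) for e in wanted]}]
    missing = [e for e in wanted if e not in current]
    if missing:
        return [{"recommenderSubtype": "SECURITY_ESSENTIAL_CONTACTS_WITHOUT_ADVISORY_NOTIFICATIONS",
                 "commands": [grant_command(org_id, e) for e in missing]}]
    return []


# Constructed sample data shaped like Essential Contacts and getIamPolicy output.
SAMPLE_ORG = "123456789012"
SAMPLE_CONTACTS = [
    {"name": f"organizations/{SAMPLE_ORG}/contacts/1", "email": "sec-lead@example.com",
     "notificationCategorySubscriptions": ["SECURITY"], "validationState": "VALID"},
    {"name": f"organizations/{SAMPLE_ORG}/contacts/2", "email": "ciso@example.com",
     "notificationCategorySubscriptions": ["ALL"], "validationState": "VALID"},
    {"name": f"organizations/{SAMPLE_ORG}/contacts/3", "email": "billing@example.com",
     "notificationCategorySubscriptions": ["BILLING"], "validationState": "VALID"},
]
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:ciso@example.com"]},
    {"role": ROLE, "members": ["user:CISO@example.com"]},  # case differs on purpose
]}

if __name__ == "__main__":
    for rec in evaluate(SAMPLE_ORG, SAMPLE_CONTACTS, SAMPLE_POLICY):
        print(rec["recommenderSubtype"])
        print("\n".join(rec["commands"]))
```

With the sample data the CISO already holds the role (email comparison is case-insensitive), the billing contact is outside the Security and All categories, and sec-lead@example.com is the one Security contact without access, so the script reports the SECURITY_ESSENTIAL_CONTACTS_WITHOUT_ADVISORY_NOTIFICATIONS subtype with a single grant command. Feed it the real outputs of gcloud essential-contacts list and gcloud organizations get-iam-policy (both as JSON) to run it against your organization.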
Pricing
For pricing information, see Recommender pricing.
What's next
- Learn more about Advisory Notifications.
- Learn more about the Recommender and its API