프로젝트 수준 활성화를 위한 IAM

이 페이지에서는 Identity and Access Management(IAM)를 사용하여 Security Command Center의 프로젝트 수준 활성화에서 리소스에 대한 액세스를 제어하는 방법을 설명합니다. 조직에 대해 Security Command Center가 활성화되지 않은 경우에만 이 페이지를 참조하세요.

다음 조건 중 하나가 적용되는 경우 이 페이지 대신 조직 수준 활성화를 위한 IAM을 참조하세요.

  • Security Command Center가 프로젝트 수준이 아닌 조직 수준에서 활성화되었음
  • Security Command Center 표준이 이미 조직 수준에서 활성화되었음. 또한 한 개 이상의 프로젝트에서 Security Command Center 프리미엄이 활성화되었습니다.

Security Command Center는 IAM 역할을 사용하여 Security Command Center 환경에서 애셋, 발견 항목, 보안 서비스로 수행할 수 있는 사용자를 제어할 수 있도록 합니다. 개인 및 애플리케이션에 역할을 부여하고, 각 역할은 특정 권한을 제공합니다.

권한

Security Command Center를 설정하거나 프로젝트 구성을 변경하려면 다음 두 역할이 모두 필요합니다.

  • 프로젝트 IAM 관리자(roles/resourcemanager.projectIamAdmin)
  • 보안 센터 관리자(roles/securitycenter.admin)

사용자에게 수정 권한이 필요하지 않으면 뷰어 역할을 부여하는 것이 좋습니다. Security Command Center에서 모든 애셋 및 발견 항목을 보려면 사용자에게 보안 센터 관리자 뷰어(roles/securitycenter.adminViewer) 역할이 필요합니다. 설정도 확인해야 하는 사용자는 보안 센터 설정 뷰어(roles/securitycenter.settingsViewer) 역할이 필요합니다.

이러한 모든 역할을 리소스 계층 구조의 모든 수준에서 설정할 수 있지만 프로젝트 수준에서 이러한 역할을 설정하는 것이 좋습니다. 이 관행은 최소 권한의 원칙에 따른 것입니다.

역할 및 권한 관리에 대한 안내는 프로젝트, 폴더, 조직에 대한 액세스 관리를 참조하세요.

Security Command Center의 프로젝트 수준 활성화에 대한 상속된 액세스 권한

프로젝트는 해당 프로젝트가 포함된 폴더와 조직의 수준에서 설정된 역할 바인딩을 상속합니다. 예를 들어 주 구성원에게 조직 수준의 보안 센터 발견 항목 편집자 역할(roles/securitycenter.findingsEditor)이 있으면 해당 주 구성원이 프로젝트 수준에서 동일한 역할을 갖습니다. 이 주 구성원은 Security Command Center가 활성화된 조직의 모든 프로젝트에서 발견 항목을 보고 수정할 수 있습니다.

다음 그림은 조직 수준에서 부여된 역할이 있는 Security Command Center 리소스 계층 구조를 보여줍니다.

Security Command Center 리소스 계층 구조 및 권한 구조
Security Command Center 리소스 계층 구조 및 조직 수준 역할(확대하려면 클릭)

상속된 권한을 가진 사용자를 포함하여 프로젝트에 액세스할 수 있는 주 구성원 목록을 보려면 현재 액세스 권한 보기를 참조하세요.

Security Command Center의 IAM 역할

다음은 Security Command Center에 사용 가능한 IAM 역할 목록과 여기에 포함된 권한입니다. Security Command Center는 조직, 폴더 또는 프로젝트 수준에서 이러한 역할을 부여할 수 있도록 지원합니다.

Role Permissions

(roles/securitycenter.admin)

Admin(super user) access to security center

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.*

  • assuredoss.config.get
  • assuredoss.customers.create
  • assuredoss.locations.get
  • assuredoss.locations.list
  • assuredoss.metadata.get
  • assuredoss.metadata.list
  • assuredoss.operations.cancel
  • assuredoss.operations.delete
  • assuredoss.operations.get
  • assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

iam.serviceAccountKeys.create

iam.serviceAccounts.create

iam.serviceAccounts.get

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.create

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.*

  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.assets.runDiscovery
  • securitycenter.assetsecuritymarks.update
  • securitycenter.attackpaths.list
  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update
  • securitycenter.billingtier.update
  • securitycenter.complianceReports.aggregate
  • securitycenter.compliancesnapshots.list
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update
  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update
  • securitycenter.exposurepathexplan.get
  • securitycenter.findingexplanations.get
  • securitycenter.findingexternalsystems.update
  • securitycenter.findings.bulkMuteUpdate
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setMute
  • securitycenter.findings.setState
  • securitycenter.findings.setWorkflowState
  • securitycenter.findings.update
  • securitycenter.findingsecuritymarks.update
  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update
  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update
  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update
  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update
  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update
  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update
  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update
  • securitycenter.securityhealthanalyticscustommodules.create
  • securitycenter.securityhealthanalyticscustommodules.delete
  • securitycenter.securityhealthanalyticscustommodules.get
  • securitycenter.securityhealthanalyticscustommodules.list
  • securitycenter.securityhealthanalyticscustommodules.simulate
  • securitycenter.securityhealthanalyticscustommodules.test
  • securitycenter.securityhealthanalyticscustommodules.update
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update
  • securitycenter.simulations.get
  • securitycenter.sources.get
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • securitycenter.sources.setIamPolicy
  • securitycenter.sources.update
  • securitycenter.subscription.get
  • securitycenter.userinterfacemetadata.get
  • securitycenter.valuedresources.list
  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update
  • securitycenter.vulnerabilitysnapshots.list
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

serviceusage.quotas.get

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.adminEditor)

Admin Read-write access to security center

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

  • assuredoss.locations.get
  • assuredoss.locations.list

assuredoss.metadata.*

  • assuredoss.metadata.get
  • assuredoss.metadata.list

assuredoss.operations.get

assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.*

  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.assets.runDiscovery

securitycenter.assetsecuritymarks.update

securitycenter.attackpaths.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.exposurepathexplan.get

securitycenter.findingexplanations.get

securitycenter.findingexternalsystems.update

securitycenter.findings.*

  • securitycenter.findings.bulkMuteUpdate
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setMute
  • securitycenter.findings.setState
  • securitycenter.findings.setWorkflowState
  • securitycenter.findings.update

securitycenter.findingsecuritymarks.update

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.resourcevalueconfigs.*

  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.simulations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.sources.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.vulnerabilitysnapshots.list

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.generateServiceAccounts

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityCommandCenter.update

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.adminViewer)

Admin Read access to security center

Lowest-level resources where you can grant this role:

  • Project

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

  • assuredoss.locations.get
  • assuredoss.locations.list

assuredoss.metadata.*

  • assuredoss.metadata.get
  • assuredoss.metadata.list

assuredoss.operations.get

assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.attackpaths.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.exposurepathexplan.get

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.simulations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.vulnerabilitysnapshots.list

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.assetSecurityMarksWriter)

Write access to asset security marks

Lowest-level resources where you can grant this role:

  • Project

securitycenter.assetsecuritymarks.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.assetsDiscoveryRunner)

Run asset discovery access to assets

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.assets.runDiscovery

securitycenter.userinterfacemetadata.get

(roles/securitycenter.assetsViewer)

Read access to assets

Lowest-level resources where you can grant this role:

  • Project

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.userinterfacemetadata.get

(roles/securitycenter.attackPathsViewer)

Read access to security center attack paths

securitycenter.attackpaths.list

(roles/securitycenter.bigQueryExportsEditor)

Read-Write access to security center BigQuery Exports

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

(roles/securitycenter.bigQueryExportsViewer)

Read access to security center BigQuery Exports

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

(roles/securitycenter.complianceReportsViewer)

Read access to security center compliance reports

securitycenter.complianceReports.aggregate

(roles/securitycenter.complianceSnapshotsViewer)

Read access to security center compliance snapshots

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

(roles/securitycenter.externalSystemsEditor)

Write access to security center external systems

securitycenter.findingexternalsystems.update

(roles/securitycenter.findingSecurityMarksWriter)

Write access to finding security marks

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findingsecuritymarks.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsBulkMuteEditor)

Ability to mute findings in bulk

securitycenter.findings.bulkMuteUpdate

(roles/securitycenter.findingsEditor)

Read-write access to findings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.findingexplanations.get

securitycenter.findings.bulkMuteUpdate

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.findings.setMute

securitycenter.findings.setState

securitycenter.findings.update

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

securitycenter.vulnerabilitysnapshots.list

(roles/securitycenter.findingsMuteSetter)

Set mute access to findings

securitycenter.findings.setMute

(roles/securitycenter.findingsStateSetter)

Set state access to findings

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findings.setState

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsViewer)

Read access to findings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

securitycenter.vulnerabilitysnapshots.list

(roles/securitycenter.findingsWorkflowStateSetter)

Set workflow state access to findings

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findings.setWorkflowState

securitycenter.userinterfacemetadata.get

(roles/securitycenter.muteConfigsEditor)

Read-Write access to security center mute configurations

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

(roles/securitycenter.muteConfigsViewer)

Read access to security center mute configurations

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

(roles/securitycenter.notificationConfigEditor)

Write access to notification configurations

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.notificationConfigViewer)

Read access to notification configurations

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.resourceValueConfigsEditor)

Read-Write access to security center resource value configurations

resourcemanager.tagValues.get

securitycenter.resourcevalueconfigs.*

  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update

(roles/securitycenter.resourceValueConfigsViewer)

Read access to security center resource value configurations

resourcemanager.tagValues.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

(roles/securitycenter.securityHealthAnalyticsCustomModulesTester)

Test access to Security Health Analytics Custom Modules

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycenter.settingsAdmin)

Admin(super user) access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.billingtier.update

securitycenter.containerthreatdetectionsettings.*

  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.*

  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update

securitycenter.integratedvulnerabilityscannersettings.*

  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.rapidvulnerabilitydetectionsettings.*

  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycenter.securityhealthanalyticscustommodules.create

securitycenter.securityhealthanalyticscustommodules.delete

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.update

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.*

  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update

securitycenter.websecurityscannersettings.*

  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycenter.settingsEditor)

Read-Write access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.billingtier.update

securitycenter.containerthreatdetectionsettings.*

  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.*

  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update

securitycenter.integratedvulnerabilityscannersettings.*

  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.rapidvulnerabilitydetectionsettings.*

  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycenter.securityhealthanalyticscustommodules.create

securitycenter.securityhealthanalyticscustommodules.delete

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.update

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.*

  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update

securitycenter.websecurityscannersettings.*

  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycenter.settingsViewer)

Read access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycenter.simulationsViewer)

Read access to security center simulations

securitycenter.simulations.get

(roles/securitycenter.sourcesAdmin)

Admin access to sources

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

securitycenter.sources.*

  • securitycenter.sources.get
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • securitycenter.sources.setIamPolicy
  • securitycenter.sources.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.sourcesEditor)

Read-write access to sources

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.sources.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.sourcesViewer)

Read access to sources

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.organizations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.valuedResourcesViewer)

Read access to security center valued resources

securitycenter.valuedresources.list

(roles/securitycentermanagement.admin)

Full access to manage Cloud Security Command Center services and custom modules configuration.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.customModulesEditor)

Full access to manage Cloud Security Command Center custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.*

  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.*

  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.customModulesViewer)

Readonly access to Cloud Security Command Center custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.etdCustomModulesEditor)

Full access to manage Cloud Security Command Center ETD custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.*

  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

(roles/securitycentermanagement.etdCustomModulesViewer)

Readonly access to Cloud Security Command Center ETD custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

(roles/securitycentermanagement.securityCenterServicesEditor)

Full access to manage Cloud Security Command Center services configuration.

securitycentermanagement.securityCenterServices.*

  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update

(roles/securitycentermanagement.securityCenterServicesViewer)

Readonly access to Cloud Security Command Center services configuration.

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

(roles/securitycentermanagement.settingsEditor)

Full access to manage Cloud Security Command Center settings

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.settingsViewer)

Readonly access to Cloud Security Command Center settings

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.get

securitycenter.securitycentersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.shaCustomModulesEditor)

Full access to manage Cloud Security Command Center SHA custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.*

  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.shaCustomModulesViewer)

Readonly access to Cloud Security Command Center SHA custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.viewer)

Readonly access to Cloud Security Command Center services and custom modules configuration.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.get

securitycenter.securitycentersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

서비스 에이전트 역할

서비스 에이전트는 서비스가 리소스에 액세스하도록 허용합니다.

Security Command Center를 활성화하면 서비스 계정 유형인 서비스 에이전트 2개가 생성됩니다.

  • service-project-PROJECT_NUMBER@security-center-api.iam.gserviceaccount.com.

    이 서비스 에이전트에는 securitycenter.serviceAgent IAM 역할이 필요합니다.

  • service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com.

    이 서비스 에이전트에는 roles/containerthreatdetection.serviceAgent IAM 역할이 필요합니다.

Security Command Center가 작동하려면 서비스 에이전트에 필요한 IAM 역할을 부여해야 합니다. Security Command Center의 활성화 프로세스 중에 역할을 부여하라는 메시지가 표시됩니다.

각 역할의 권한을 보려면 다음을 참조하세요.

역할을 부여하려면 roles/resourcemanager.projectIamAdmin 역할이 있어야 합니다.

roles/resourcemanager.organizationAdmin 역할이 없으면 조직 관리자가 다음 gcloud CLI 명령어를 사용하여 서비스 에이전트에 역할을 자동으로 부여할 수 있습니다.

gcloud organizations add-iam-policy-binding PROJECT_ID \
    --member="SERVICE_ACCOUNT_NAME" \
    --role="IAM_ROLE"

다음을 바꿉니다.

  • PROJECT_ID: 프로젝트 ID
  • SERVICE_AGENT_NAME: 다음 서비스 에이전트 이름 중 하나:
    • service-project-PROJECT_NUMBER@security-center-api.iam.gserviceaccount.com
    • service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
  • IAM_ROLE: 지정된 서비스 에이전트에 해당하는 다음 필수 역할:
    • roles/securitycenter.serviceAgent
    • roles/containerthreatdetection.serviceAgent

프로젝트 ID 및 프로젝트 번호를 찾으려면 프로젝트 식별을 참조하세요.

IAM 역할에 대한 자세한 내용은 역할 이해를 참조하세요.

Web Security Scanner

IAM 역할은 Web Security Scanner 사용 방법을 규정합니다. 아래 표에는 Web Security Scanner에서 사용할 수 있는 각 IAM 역할과 해당 역할에 사용할 수 있는 메서드가 나와 있습니다. 프로젝트 수준에서 이러한 역할을 부여합니다. 사용자에게 보안 스캔을 만들고 관리할 수 있는 기능을 제공하려면 프로젝트에 사용자를 추가하고 역할을 사용하여 권한을 부여합니다.

Web Security Scanner는 기본 역할사전 정의된 역할을 지원하며 Web Security Scanner 리소스에 대한 액세스 권한을 더욱 세부적으로 제공합니다.

기본 IAM 역할

다음은 기본 역할로 부여되는 Web Security Scanner 권한을 설명합니다.

역할 설명
소유자 모든 Web Security Scanner 리소스에 대한 전체 액세스 권한입니다.
편집자 모든 Web Security Scanner 리소스에 대한 전체 액세스 권한입니다.
뷰어 Web Security Scanner에 대한 액세스 권한이 없습니다.

사전 정의된 IAM 역할

다음은 Web Security Scanner 역할에 의해 부여되는 Web Security Scanner 권한을 설명합니다.

Role Permissions

(roles/cloudsecurityscanner.editor)

Full access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudsecurityscanner.runner)

Read access to Scan and ScanRun, plus the ability to start scans

Lowest-level resources where you can grant this role:

  • Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scanruns.stop

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

cloudsecurityscanner.scans.run

(roles/cloudsecurityscanner.viewer)

Read access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

  • Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

IAM 역할에 대한 자세한 내용은 역할 이해를 참조하세요.