Access control


Security Command Center

Identity and Access Management (IAM) roles describe how you can use the Security Command Center API. The following lists each IAM role available for Security Command Center and the methods it makes available. Apply these roles at the organization level.

Each role is listed with its name, description, permissions, and the lowest resource at which it can be granted:
roles/securitycenter.admin (Security Center Admin): Admin (superuser) access to Security Center.
  Permissions:
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  Lowest resource: Organization
roles/securitycenter.adminEditor (Security Center Admin Editor): Admin read-write access to Security Center.
  Permissions:
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  Lowest resource: Organization
roles/securitycenter.adminViewer (Security Center Admin Viewer): Admin read access to Security Center.
  Permissions:
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  Lowest resource: Organization
roles/securitycenter.assetSecurityMarksWriter (Security Center Asset Security Marks Writer): Write access to asset security marks.
  Permissions:
  • securitycenter.assetsecuritymarks.*
  Lowest resource: Organization
roles/securitycenter.assetsDiscoveryRunner (Security Center Assets Discovery Runner): Permission to run the asset discovery process.
  Permissions:
  • securitycenter.assets.runDiscovery
  Lowest resource: Organization
roles/securitycenter.assetsViewer (Security Center Assets Viewer): Read access to assets.
  Permissions:
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  Lowest resource: Organization
roles/securitycenter.findingSecurityMarksWriter (Security Center Finding Security Marks Writer): Write access to finding security marks.
  Permissions:
  • securitycenter.findingsecuritymarks.*
  Lowest resource: Organization
roles/securitycenter.findingsEditor (Security Center Findings Editor): Read-write access to findings.
  Permissions:
  • resourcemanager.organizations.get
  • securitycenter.findings.*
  • securitycenter.sources.get
  • securitycenter.sources.list
  Lowest resource: Organization
roles/securitycenter.findingsStateSetter (Security Center Findings State Setter): Can set the state of findings.
  Permissions:
  • securitycenter.findings.setState
  Lowest resource: Organization
roles/securitycenter.findingsViewer (Security Center Findings Viewer): Read access to findings.
  Permissions:
  • resourcemanager.organizations.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.sources.get
  • securitycenter.sources.list
  Lowest resource: Organization
roles/securitycenter.notificationConfigEditor (Security Center Notification Configurations Editor): Write access to notification configurations.
  Permissions:
  • securitycenter.notificationconfig.*
roles/securitycenter.notificationConfigViewer (Security Center Notification Configurations Viewer): Read access to notification configurations.
  Permissions:
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
roles/securitycenter.settingsAdmin (Security Center Settings Admin, Alpha): Admin (superuser) access to Security Center settings.
  Permissions:
  • securitycenter.containerthreatdetectionsettings.*
  • securitycenter.eventthreatdetectionsettings.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.*
  • securitycenter.securitycentersettings.*
  • securitycenter.securityhealthanalyticssettings.*
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.*
roles/securitycenter.settingsEditor (Security Center Settings Editor, Alpha): Read-write access to Security Center settings.
  Permissions:
  • securitycenter.containerthreatdetectionsettings.*
  • securitycenter.eventthreatdetectionsettings.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.*
  • securitycenter.securitycentersettings.*
  • securitycenter.securityhealthanalyticssettings.*
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.*
roles/securitycenter.settingsViewer (Security Center Settings Viewer, Alpha): Read access to Security Center settings.
  Permissions:
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
roles/securitycenter.sourcesAdmin (Security Center Sources Admin): Admin access to sources.
  Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.*
  Lowest resource: Organization
roles/securitycenter.sourcesEditor (Security Center Sources Editor): Read-write access to sources.
  Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  Lowest resource: Organization
roles/securitycenter.sourcesViewer (Security Center Sources Viewer): Read access to sources.
  Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  Lowest resource: Organization

Role: Security Center Service Agent

When you enable Security Command Center, a service account is created for you in the format service-org-organization-id@security-center-api.iam.gserviceaccount.com. This service account is automatically granted the securitycenter.serviceAgent role at the organization level. With this role, the Security Command Center service account can continuously create and update copies of the metadata of your organization's asset resources.

The securitycenter.serviceAgent role is an internal role that contains the following permissions:

The role is listed with its name, description, permissions, and the lowest resource at which it can be granted:
roles/securitycenter.serviceAgent (Security Center Service Agent): Permission to scan Google Cloud resources and import security scans.

All permissions of the following roles:

  • appengine.appViewer
  • cloudasset.viewer
  • compute.viewer
  • container.viewer
  • dlpscanner.policyReader
  • dlpscanner.scanReader
  • dlp.jobsReader

In addition, the following extra permissions:

  • resourcemanager.folders.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.getIamPolicy
  Lowest resource: Organization

To add roles/securitycenter.serviceAgent, you must hold roles/resourcemanager.organizationAdmin. You can add the role to the service account by running the following command:

gcloud organizations add-iam-policy-binding organization-id \
  --member="serviceAccount:service-org-organization-id@security-center-api.iam.gserviceaccount.com" \
  --role="roles/securitycenter.serviceAgent"
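As an added example (not from this page or from Google's own tooling), the following Python audits an exported organization IAM policy for the service-agent binding described above and for principals holding the broad admin roles listed earlier on this page. It assumes the policy was saved with `gcloud organizations get-iam-policy ORG_ID --format=json` and loaded as a dict; the embedded policy, organization id and principals are constructed placeholders.

```python
import re

SERVICE_AGENT_ROLE = "roles/securitycenter.serviceAgent"
# Member format given on this page: service-org-<org-id>@security-center-api.iam.gserviceaccount.com
SERVICE_AGENT_MEMBER_RE = re.compile(
    r"^serviceAccount:service-org-(\d+)@security-center-api\.iam\.gserviceaccount\.com$"
)
# Roles on this page that grant admin (superuser) or admin read-write access to Security Center.
BROAD_ROLES = {"roles/securitycenter.admin", "roles/securitycenter.adminEditor"}


def audit_policy(policy: dict, org_id: str) -> dict:
    """Inspect an organization IAM policy (shape of `gcloud organizations get-iam-policy --format=json`)."""
    agent_present = False      # the expected SCC service agent holds roles/securitycenter.serviceAgent
    unexpected_agents = []     # any other principal holding the service agent role
    broad_members = []         # principals holding a broad SCC role; review against least privilege
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if role == SERVICE_AGENT_ROLE:
                match = SERVICE_AGENT_MEMBER_RE.match(member)
                if match and match.group(1) == org_id:
                    agent_present = True
                else:
                    unexpected_agents.append(member)
            elif role in BROAD_ROLES:
                broad_members.append((member, role))
    return {
        "service_agent_present": agent_present,
        "unexpected_service_agent_members": unexpected_agents,
        "broad_role_members": broad_members,
    }


# Constructed sample policy: the org id and principals are placeholders, not real values.
SAMPLE_ORG_ID = "123456789012"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/securitycenter.serviceAgent",
         "members": ["serviceAccount:service-org-123456789012@security-center-api.iam.gserviceaccount.com",
                     "user:contractor@example.com"]},
        {"role": "roles/securitycenter.admin", "members": ["group:scc-admins@example.com"]},
        {"role": "roles/securitycenter.findingsViewer", "members": ["user:analyst@example.com"]},
    ],
}

if __name__ == "__main__":
    for key, value in audit_policy(SAMPLE_POLICY, SAMPLE_ORG_ID).items():
        print(key, value)
```

A missing service agent binding means Security Command Center cannot keep the asset inventory current; a non-service principal holding that role, or a human holding roles/securitycenter.admin where a viewer role would do, is worth reviewing.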

For more information about IAM roles, see Understanding roles.

Event Threat Detection

Identity and Access Management (IAM) roles describe how you can use the Event Threat Detection API. The following lists each IAM role available for Event Threat Detection and the methods it makes available. Apply these roles at the organization level.

Each role is listed with its name, description, permissions, and the lowest resource at which it can be granted:
roles/threatdetection.editor (Threat Detection Settings Editor, Beta): Read-write access to all threat detection settings.
  Permissions:
  • threatdetection.*
  Lowest resource: Organization
roles/threatdetection.viewer (Threat Detection Settings Viewer, Beta): Read access to all threat detection settings.
  Permissions:
  • threatdetection.detectorSettings.get
  • threatdetection.sinkSettings.get
  • threatdetection.sourceSettings.get
  Lowest resource: Organization

Web Security Scanner

Identity and Access Management (IAM) roles describe how you can use Web Security Scanner. The following table lists each IAM role available for Web Security Scanner and the methods it makes available. Grant these roles at the project level. To let users create and manage security scans, add them to the project and grant them permissions through roles.

Web Security Scanner supports primitive roles and predefined roles, which provide more granular access to Web Security Scanner resources.

Primitive IAM roles

The following describes the Web Security Scanner permissions granted by the primitive roles.

Role: Description
Owner: Full access to all Web Security Scanner resources
Editor: Full access to all Web Security Scanner resources
Viewer: No access to Web Security Scanner

Predefined IAM roles

The following describes the Web Security Scanner permissions granted by the Web Security Scanner roles.

Each role is listed with its name, description, permissions, and the lowest resource at which it can be granted:
roles/cloudsecurityscanner.editor (Web Security Scanner Editor): Full access to all Web Security Scanner resources.
  Permissions:
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  Lowest resource: Project
roles/cloudsecurityscanner.runner (Web Security Scanner Runner): Read access to Scan and ScanRun, plus permission to start scans.
  Permissions:
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  Lowest resource: Project
roles/cloudsecurityscanner.viewer (Web Security Scanner Viewer): Read access to all Web Security Scanner resources.
  Permissions:
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  Lowest resource: Project

For more information about IAM roles, see Understanding roles.