You can activate Security Command Center for an entire organization (organization-level activation) or for individual projects (project-level activation).
The activation process and billing model are different for each activation level. Also, when you activate Security Command Center at the project level, certain detection modules and service integrations are not available, due to Security Command Center's reduced scope of access.
Each activation level supports both Security Command Center service tiers: the Standard tier, which offers a limited feature set for free, or the Premium tier, which offers the full feature set.
Overview of organization-level activation
Activating Security Command Center at the organization level is considered a best practice because it provides the most complete protection for your business by allowing Security Command Center to access and scan resources and assets across all of the folders and projects in the organization.
With the appropriate IAM permissions, you can activate the Standard tier for an organization yourself by using the Google Cloud console.
Before you can activate the Premium tier for an organization, you need to first contact Google Cloud sales to request a Premium subscription. For information about subscription pricing, see Pricing.
You use the Google Cloud console to enable and configure Security Command Center. If you are enabling Security Command Center for the first time, the Google Cloud console guides you through the setup.
For step-by-step instructions on enabling and configuring Security Command Center for an organization, see Activate Security Command Center for an organization.
Overview of project-level activation
Activating Security Command Center on an individual project gives you the flexibility to use Security Command Center for only the projects that matter to you most and to base your Security Command Center charges on the resource usage in that project alone.
For a project-level activation, you can activate either tier of Security Command Center—Standard or Premium—yourself in the Google Cloud console, as long as you have the appropriate IAM permissions. You do not need to contact Sales first.
With project-level activations, the charges for the Premium tier are based on the usage of certain Google Cloud resources in the project and are billed to the project by using a pay-as-you-go model.
When you activate Security Command Center at the project level, Security Command Center's access to logs, data, and other resources is limited to the project in which it is activated. Consequently, any services that require data from outside of the project are either not available or they cannot produce their full set of findings. For more information about the findings and services that are not available with a project-level activation, see Feature availability with project-level activations.
Optimize project-level activations by activating the Standard tier at the organization level
To optimize project-level activations of the Premium tier, we recommend that you activate the Standard tier of Security Command Center at the organization level.
Activating the Standard tier at the organization level allows you to manage multiple project-level activations globally and ensures that any Standard-tier detection modules or service integrations that require organization-level activation are available to the projects.
For more information, see Standard tier features that require an organization-level activation.
When to use project-level activation
Typically, you activate Security Command Center for a project in the following scenarios:
- Your organization does not currently use Security Command Center at any tier. In this case, you can activate Security Command Center for a project at either the Standard Tier or the Premium Tier.
- The organization is currently using the Standard Tier, either because it was selected explicitly or because a Premium Tier subscription expired. In this case, you would activate only the Premium Tier for a project, because every project in the organization can already use the Standard Tier.
- The organization is currently using the Premium Tier, but the subscription is expiring soon and will not be renewed. In this case, to maintain Premium-level service for a project, you can activate the Premium Tier for the project before the organization-level subscription lapses. When the organization falls back to the Standard Tier, your project-level selection of the Premium Tier becomes active.
When Security Command Center Premium is already active in an organization and you select Security Command Center Premium for a project, your selection is saved, but the project-level activation of the Premium Tier does not become active until the organization's subscription expires.
Check the activation level of Security Command Center
When you open a project in the Google Cloud console, the level at which Security Command Center is activated—the project level or the organization level—is not immediately obvious, because the project could be inheriting the use of Security Command Center from its parent organization.
Knowing the activation level of Security Command Center is important because it affects billing, the support of Security Command Center for certain services, and certain IAM permissions that you or the Security Command Center service account need to function.
You can see if Security Command Center is activated for an organization by selecting the organization in the Google Cloud console and then selecting Security Command Center. If Security Command Center is not activated for the organization, a message indicates that it is not activated.
To determine whether Security Command Center is activated at the project level for a project and not inheriting the use of Security Command Center from the parent organization:
In the Google Cloud console, open the Security Command Center dashboard in the project:
Select the project that you need to check.
If Security Command Center is active in either the organization or the project, the Security Command Center dashboard displays. If it is not active in either, the Get Security Command Center page displays.
In the Security Command Center dashboard for the project, select Settings.
On the Settings page, select the Tier detail tab.
On the Tier detail tab, check the Billing status row:
- If the billing status is Active, the Premium tier is active at the project level and the project is being billed for it.
- If the billing status is Paused, the Premium tier is active at the organization level and being inherited by this project
- If the Billing status row is missing, the Standard tier is active for the project, either by inheritance or by being enabled at the project level.