This document describes how to activate Security Command Center Standard for an organization through the Google Cloud console.
For more information about Security Command Center Standard, see Security Command Center service tiers.
To activate Security Command Center for a different service tier, see the following:
- Activate the Security Command Center Premium tier for an organization
- Activate the Security Command Center Enterprise tier
To activate Security Command Center for a project, see Activate Security Command Center for a project.
Before you begin
Before you activate Security Command Center Standard for an organization, you need to do the following:
- Obtain specific Identity and Access Management (IAM) roles and permissions.
- Review your organization policies, if applicable to your organization.
- If you plan to enable data residency, review Planning for data residency and determine which location to use.
- If you plan to use a customer-managed encryption key (CMEK), complete the required tasks for enabling CMEK for Security Command Center.
Required roles
To get the permissions that you need to activate Security Command Center for an organization, ask your administrator to grant you the following IAM roles on your organization:
- Security Center Admin (roles/securitycenter.admin)
- Organization Administrator (roles/resourcemanager.organizationAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Review organization policies
If your organization policies are set to restrict identities by domain, confirm the following:
- You must be signed in to the Google Cloud console on an account that's in an allowed domain.
- Your service accounts must be in an allowed domain, or members of a group within your domain. This requirement lets you allow services that use the @*.gserviceaccount.com service account to access resources when domain restricted sharing is enabled.
If your organization policies are set to restrict resource usage, verify that the following APIs are allowed by your policy:
- securitycenter.googleapis.com
- securitycentermanagement.googleapis.com
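One way to run the resource-usage check above before activation, as an added example that is not part of the original page or of Google's tooling: it evaluates a policy for the gcp.restrictServiceUsage constraint against the two required APIs. It assumes the effective policy has been exported as Organization Policy v2 JSON; the function name, the sample policy, and the simplified rule merging are assumptions of this example.

```python
import json

# The two APIs this page says must be allowed by a resource-usage restriction.
REQUIRED_APIS = ("securitycenter.googleapis.com",
                 "securitycentermanagement.googleapis.com")

def check_service_usage(policy, required=REQUIRED_APIS):
    """Map each required API to 'allowed', 'blocked' or 'review'.

    policy: effective gcp.restrictServiceUsage policy (Organization Policy v2
    JSON). Rules with a `condition` cannot be resolved offline, so an API that
    is not otherwise blocked is reported as 'review' when one is present.
    """
    allowed, denied = set(), set()
    allow_all = deny_all = has_allowlist = conditional = False
    for rule in policy.get("spec", {}).get("rules", []):
        if "condition" in rule:
            conditional = True
            continue
        allow_all |= bool(rule.get("allowAll"))
        deny_all |= bool(rule.get("denyAll"))
        values = rule.get("values", {})
        denied.update(values.get("deniedValues", []))
        if values.get("allowedValues"):
            has_allowlist = True
            allowed.update(values["allowedValues"])
    verdicts = {}
    for api in required:
        if deny_all or api in denied:
            verdicts[api] = "blocked"
        elif has_allowlist and not allow_all and api not in allowed:
            verdicts[api] = "blocked"
        else:
            verdicts[api] = "review" if conditional else "allowed"
    return verdicts

# Constructed sample: an allowlist that names only one of the two APIs.
SAMPLE_POLICY = json.loads("""
{"name": "organizations/123456789012/policies/gcp.restrictServiceUsage",
 "spec": {"rules": [{"values": {"allowedValues": [
     "compute.googleapis.com", "securitycenter.googleapis.com"]}}]}}
""")

if __name__ == "__main__":
    for api, verdict in check_service_usage(SAMPLE_POLICY).items():
        print(f"{api}: {verdict}")
```

An API reported as blocked must be added to the policy's allowed values before activation; a 'review' result means a conditional rule needs to be checked by hand.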
Activate Security Command Center Standard
You can activate Security Command Center Standard for an organization through the Google Cloud console.
1. In the Google Cloud console, go to the Security Command Center welcome page.
2. Select the organization that you want to enable Security Command Center Standard for, and then click Get Standard.
3. On the welcome page, click Select.
4. Optional: To enable data residency and data encryption, click Show more.
   For more information about data residency, see Planning for data residency.
   For more information about data encryption, see Enable CMEK for Security Command Center. If your organization uses CMEK organization policies, you might only have the option to choose CMEK or specific keys. If you don't use CMEK with Security Command Center, then Google encrypts data at rest using Google-owned and Google-managed encryption keys.
5. Click Activate.
As results become available, they are displayed in the console. Then you can use the Google Cloud console to review and remediate Google Cloud security and data risks.
Security Command Center completes its first full scan within 24 hours. There might be a delay before scans are started for some services. For more information, see When to expect findings in Security Command Center.
If you upgrade from Security Command Center Standard to Premium, you gain access to charts that show the scan progress for features such as issues, threats, and frameworks. Existing charts are also updated with scan results from Premium detectors as results become available.
Services for Security Command Center Standard
Activating Security Command Center Standard automatically enables Security Health Analytics and grants its service agent the roles and permissions required for the service to function.
Additional services can be enabled by following the steps in Configure Security Command Center services.
Deactivate Security Command Center
To deactivate Security Command Center, contact Cloud Customer Care.
What's next
- Learn how to configure Security Command Center services.
- Learn how to use Security Command Center in the Google Cloud console.
- Learn how to work with Security Command Center findings.
- Learn about Google Cloud security sources.
- Find out how Model Armor can help protect your AI workloads.