Security Command Center の CIEM 機能のほとんどは、 Google Cloud 環境でデフォルトで機能し、追加の構成は必要ありません。Security Command Center の CIEM 機能の一部として、検出結果は、 Google Cloud 有効な Security Command Center Enterprise サブスクリプションがある限り自動的に生成されます。
[[["わかりやすい","easyToUnderstand","thumb-up"],["問題の解決に役立った","solvedMyProblem","thumb-up"],["その他","otherUp","thumb-up"]],[["わかりにくい","hardToUnderstand","thumb-down"],["情報またはサンプルコードが不正確","incorrectInformationOrSampleCode","thumb-down"],["必要な情報 / サンプルがない","missingTheInformationSamplesINeed","thumb-down"],["翻訳に関する問題","translationIssue","thumb-down"],["その他","otherDown","thumb-down"]],["最終更新日 2025-03-11 UTC。"],[],[],null,["| Enterprise [service tier](/security-command-center/docs/service-tiers) (not available if [data residency controls](docs/data-residency-support) are enabled)\n\nThis page describes how to set up the Security Command Center Cloud Infrastructure Entitlement Management (CIEM)\ndetection service to detect identity issues in your deployments on other cloud\nplatforms, like Amazon Web Services (AWS) and Microsoft Azure ([Preview](https://cloud.google.com/products#product-launch-stages)).\n\nThe CIEM detection service generates findings that alert you to\npotential identity and access security issues in your AWS and Microsoft\nAzure environments, such as highly privileged identities (accounts).\n\nBefore you begin\n\nBefore you enable the CIEM detection service, complete\nthe following tasks:\n\n- Purchase and activate the Enterprise tier of Security Command Center for your organization. For instructions, see [Activate the Security Command Center Enterprise tier](/security-command-center/docs/activate-enterprise-tier).\n- Learn about [Security Command Center's CIEM capabilities](/security-command-center/docs/ciem-overview).\n\nSet up permissions\n\n\nTo get the permissions that\nyou need to enable CIEM,\n\nask your administrator to grant you the\nfollowing IAM roles on your Google Cloud organization:\n\n- Chronicle API Admin (roles/chronicle.admin)\n- Chronicle SOAR Admin (roles/chronicle.soarAdmin)\n- Chronicle Service Admin (roles/chroniclesm.admin)\n- Cloud Asset Owner (roles/cloudasset.owner)\n- Create Service Accounts (roles/iam.serviceAccountCreator)\n- Folder IAM Admin (roles/resourcemanager.folderIamAdmin)\n- IAM Recommender Admin (roles/recommender.iamAdmin)\n- Organization Administrator (roles/resourcemanager.organizationAdmin)\n- Organization Role Administrator (roles/iam.roleAdmin)\n- Project Creator (roles/resourcemanager.projectCreator)\n- Project IAM Admin (roles/resourcemanager.projectIamAdmin)\n- Security Admin (roles/iam.securityAdmin)\n- Security Center Admin (roles/securitycenter.admin)\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nConfigure supporting components for CIEM\n\nTo enable the CIEM detection service to produce findings for\nyour cloud providers, you must configure certain supporting components in\nSecurity Command Center.\n\nUse CIEM with AWS\n\nTo enable the CIEM detection service\nfor AWS, do the following:\n\n- **Set up Amazon Web Services (AWS) integration** : Connect your AWS environment to Security Command Center. For instructions, see [Connect to AWS](/security-command-center/docs/connect-scc-to-aws).\n- **Configure integrations** : Set up optional Security Command Center integrations such as connecting to your ticketing systems:\n - To connect your ticketing system, [integrate Security Command Center Enterprise with ticketing systems](/security-command-center/docs/integrate-ticketing-systems).\n - To synchronize case data, [enable synchronization for cases](/security-command-center/docs/synchronize-case-data#enable-case-sync).\n- **Configure log ingestion** : To configure log ingestion appropriately for CIEM, [Configure AWS log ingestion for\n CIEM](/security-command-center/docs/connect-secops-aws#ciem-log-ingestion).\n\nUse CIEM with Microsoft Azure\n\nTo enable the CIEM detection service for Microsoft Azure, do the\nfollowing:\n\n- **Set up Microsoft Azure integration** : Connect your Microsoft Azure environment to Security Command Center. For instructions, see [Connect to Microsoft Azure](/security-command-center/docs/connect-scc-to-azure).\n- **Configure integrations** : Set up optional Security Command Center integrations such as connecting to your ticketing systems:\n - To connect your ticketing system, [Integrate Security Command Center Enterprise with ticketing systems](/security-command-center/docs/integrate-ticketing-systems).\n - To synchronize case data, [enable synchronization for cases](/security-command-center/docs/synchronize-case-data#enable-case-sync).\n- **Configure log ingestion** : To configure log ingestion appropriately for CIEM, [Configure Microsoft Azure log ingestion for\n CIEM](/security-command-center/docs/connect-secops-azure#ciem-log-ingestion-azure).\n\nUse CIEM with Google Cloud\n\nMost of the Security Command Center CIEM capabilities work by default\nfor your Google Cloud environment and don't require any additional\nconfiguration. As part of Security Command Center's CIEM capabilities,\nfindings are produced automatically for Google Cloud as long as you\nsubscribe to Security Command Center.\n\nWhat's next\n\n- Learn how to [investigate identity and access findings](/security-command-center/docs/ciem-identity-access-findings).\n- Learn how to [review cases for identity and access issues](/security-command-center/docs/ciem-identity-access-cases).\n- Learn more about [Security Command Center roles](/security-command-center/docs/access-control)."]]