Enable Compliance Manager

Enable Compliance Manager and configure support for VPC Service Controls service perimeters so that you can apply frameworks to your Google Cloud organization.

Before you begin

Complete these tasks before you enable Compliance Manager.

• To get the permissions that you need to enable Compliance Manager, ask your administrator to grant you the following IAM roles on your organization:

  • Organization Policy Administrator (roles/orgpolicy.policyAdmin)
  • Security Center Admin Editor (roles/securitycenter.adminEditor)

  For more information about granting roles, see Manage access to projects, folders, and organizations.

  You might also be able to get the required permissions through custom roles or other predefined roles.

Enable Compliance Manager

Complete the following steps to enable Compliance Manager at the organization level:

1. Enable Compliance Manager using one of the following methods:

   Scenario	Instructions
   You haven't activated Security Command Center or are using the Security Command Center Standard tier, and want to use the Security Command Center Premium tier.	Enable Compliance Manager by activating Security Command Center Premium.
   You haven't activated Security Command Center and want to use the Security Command Center Enterprise tier.	Enable Compliance Manager by activating Security Command Center Enterprise.
   You activated the Security Command Center Premium tier previously and want to enable Compliance Manager.	Enable Compliance Manager using the Settings page. Go to the Settings page
   You activated the Security Command Center Enterprise tier previously and want to enable Compliance Manager.	Enable Compliance Manager using the Activate Compliance Manager page. Go to Activate Compliance Manager

   For more information about Security Command Center tiers, see Security Command Center service tiers.

   Compliance Manager doesn't support customer-managed encryption keys (CMEK).

   When you enable Compliance Manager, the following services are also enabled:

   • Sensitive Data Protection to use data sensitivity signals for default data risk assessment.
   • Event Threat Detection (part of Security Command Center) at the organization level.
   • (Preview) Data Security Posture Management for data security frameworks.
   • (Preview) AI protection for AI security frameworks.

   The Cloud Security Compliance service agent (service-org-ORGANIZATION_ID@gcp-sa-csc-hpsa.iam.gserviceaccount.com) is created when you enable Compliance Manager. Compliance Manager uses this service agent to access resources in your organization.

For Security Command Center Premium, frameworks are not applied to the organization automatically.

For Security Command Center Enterprise, the following frameworks are applied to the organization automatically:

• AI Protection
• Data Security and Privacy Essentials

What's next

• Configure IAM roles for your compliance users.
• Configure support for VPC Service Controls.
• Manage a framework.
• (Preview) Configure Data Security Posture Management.
• (Preview) Configure AI Protection.