Data residency gives you more control over where your Security Command Center data is located. This page provides essential information about how Security Command Center supports data residency.
The following definitions apply to this page:
- A location is a Google Cloud region or multi-region that corresponds to the location in which your data resides.
- The term "your data" has the same meaning as "Customer Data" in the Data Location item in the Google Cloud General Service Terms.
Supported data locations
Security Command Center supports only the following Google Cloud multi-regions as data locations:
- European Union (eu) - Data resides in any Google Cloud region within member states of the European Union.
- United States (us) - Data resides in any Google Cloud region in the United States.
- Kingdom of Saudi Arabia (KSA) (sa) - Data resides in any Google Cloud region in KSA.
- Global (global) - Data can reside in any Google Cloud region. If data residency is not enabled, then Global (global) is the only supported location.
For more information about Security Command Center locations, see Products available by location.
If you need to specify a default location for data residency that Security Command Center doesn't support, then contact your account representative or a Google Cloud sales specialist.
Requirements for data residency
You can enable data residency only when you activate the Standard or Premium tier of Security Command Center in an organization for the first time. The Enterprise tier doesn't support data residency.
After data residency is enabled, you can't disable it or change your default location.
Data residency requires you to use the Security Command Center v2 API. If data residency is enabled, then you can't use earlier versions of the Security Command Center API.
If you don't enable data residency when you activate Security Command Center, then Security Command Center does not restrict your data to any particular location, and it's stored in accordance with the Google Cloud Platform Terms of Service.
Regional URLs
For the Kingdom of Saudi Arabia (KSA) location, you must use location-specific URLs to access the jurisdictional Google Cloud console, as well as some methods and commands in the gcloud CLI, the Cloud Client Libraries, and the Security Command Center API:
Console
To access Security Command Center, use the jurisdictional Google Cloud console, https://console.sa.cloud.google.com/.
The jurisdictional Google Cloud console lets you access Security Command Center data in the KSA and Global locations.
gcloud
To access data in the KSA location, the following gcloud CLI command groups require you to use the regional service endpoint for the Security Command Center API:
- gcloud scc bqexports: manages BigQuery export configurations
- gcloud scc findings: manages findings
- gcloud scc muteconfigs: manages mute rule configurations
- gcloud scc notifications: manages continuous export configurations
In addition, the gcloud scc operations command group is not available for long-running operations in the KSA location. For example, you can't check the status of a long-running operation to bulk-mute findings.
For all other gcloud scc command groups, you must use the default service endpoint for the Security Command Center API.
To switch to the regional service endpoint, run the following command:
gcloud config set api_endpoint_overrides/securitycenter \
https://securitycenter.me-central2.rep.googleapis.com/
To switch to the default service endpoint, run the following command:
gcloud config unset api_endpoint_overrides/securitycenter
If you prefer, you can create a named configuration for the gcloud CLI that uses the regional service endpoint, then switch to that named configuration before you run Security Command Center commands in the KSA location. To switch to a named configuration, run the gcloud config configurations activate command.
REST
For the KSA location, the Security Command Center API uses the regional service endpoint https://securitycenter.me-central2.rep.googleapis.com/.
To access the following REST API resource types in the KSA location, you must use the regional service endpoint for Security Command Center:
- folders.locations.bigQueryExports
- folders.locations.findings
- folders.locations.muteConfigs
- folders.locations.notificationConfigs
- organizations.locations.bigQueryExports
- organizations.locations.findings
- organizations.locations.muteConfigs
- organizations.locations.notificationConfigs
- projects.locations.bigQueryExports
- projects.locations.findings
- projects.locations.muteConfigs
- projects.locations.notificationConfigs
In addition, you can't call any methods for organizations.operations resources in the KSA location. For example, you can't check the status of a long-running operation to bulk-mute findings.
For all other resource types, you must use the default service endpoint for the Security Command Center API, https://securitycenter.googleapis.com/.
Go
To manage the following resource types in the KSA location, you must override the default service endpoint when you create a client for Security Command Center:
Use the endpoint securitycenter.me-central2.rep.googleapis.com:443 for these resource types. The following code sample shows how to create a client that uses a regional service endpoint.
Java
To manage the following resource types in the KSA location, you must override the default service endpoint when you create a client for Security Command Center:
Use the endpoint securitycenter.me-central2.rep.googleapis.com:443 for these resource types. The following code sample shows how to create a client that uses a regional service endpoint.
When data residency is enforced
When you enable data residency for Security Command Center, some Security Command Center data is kept within a specified location when it's in one of the following states:
- At rest: All supported locations
- In use: KSA (sa) only
- In transit: KSA (sa) only
Data residency at rest
Data is at rest when all of the following criteria are met:
- The data is for a resource type that is subject to data residency controls.
- You have not requested an operation that requires the data to be accessed.
- The data is not being accessed in a way that produces audit logs or Access Transparency logs.
When you enable data residency, Security Command Center does the following:
EU, US, and Global
If possible, when findings data is at rest, Security Command Center stores it in the Google Cloud multi-region where your resources are located.
Otherwise, when findings data is at rest, it's stored in the default location that you choose.
When specific types of configuration resources are at rest, Security Command Center stores them in the default location that you choose.
In cases where Security Command Center stores data that is not Customer Data, as defined in the Data Location item in the Google Cloud General Service Terms, Security Command Center stores the data at rest in accordance with the Google Cloud Platform Terms of Service.
KSA
- When a finding is created for a resource that resides in the KSA location, that finding always resides in the KSA location at rest.
- When a finding is created for a resource that resides in another location, the finding eventually resides in the KSA location at rest. However, the finding might temporarily reside in a different region at rest.
- When you create specific types of configuration resources in the KSA location, and those resources are at rest, they reside in the KSA location.
- In cases where Security Command Center stores data that is not Customer Data, as defined in the Data Location item in the Google Cloud General Service Terms, Security Command Center stores the data at rest in accordance with the Google Cloud Platform Terms of Service.
Data residency in use
Data is in use when all of the following criteria are met:
- The data is for a resource type that is subject to data residency controls.
- Google Cloud is completing an operation that was initiated at your request—for example, because your application called the Security Command Center API—or an operation that produces audit logs or Access Transparency logs.
- It's possible for Google Cloud to operate on the data in a way that requires knowledge of the data's meaning—for example, by updating specific fields in a configuration resource. This includes any case where data is unencrypted in memory.
When you enable data residency, Security Command Center does the following:
EU, US, and Global
In the EU, US, and Global locations, data in use is not subject to data residency controls.
KSA
- When a finding is created for a resource that resides in the KSA location, that finding always resides in the KSA location in use.
- When a finding is created for a resource that resides in another location, the finding eventually resides in the KSA location in use. However, the finding might temporarily reside in a different region in use.
- When you create specific types of configuration resources in the KSA location, and those resources are in use, they reside in the KSA location.
- In cases where Security Command Center stores data that is not Customer Data, as defined in the Data Location item in the Google Cloud General Service Terms, Security Command Center stores the data in use in accordance with the Google Cloud Platform Terms of Service.
Data residency in transit
Data is in transit when all of the following criteria are met:
- The data is for a resource type that is subject to data residency controls.
- The data is being transmitted, with encryption, within Google's network, or the data is in memory, with encryption, for the purpose of transmitting it within Google's network.
When you enable data residency, Security Command Center does the following:
EU, US, and Global
In the EU, US, and Global locations, data in transit is not subject to data residency controls.
KSA
- When a finding is created for a resource that resides in the KSA location, that finding always resides in the KSA location in transit.
- When a finding is created for a resource that resides in another location, the finding eventually resides in the KSA location in transit. However, the finding might temporarily reside in a different region in transit.
- When you create specific types of configuration resources in the KSA location, and those resources are in transit, they reside in the KSA location.
- In cases where Security Command Center stores data that is not Customer Data, as defined in the Data Location item in the Google Cloud General Service Terms, Security Command Center stores the data in transit in accordance with the Google Cloud Platform Terms of Service.
Default data location
For the EU, US, and Global locations, when you enable Security Command Center data residency, you specify a default Security Command Center location. You can select any supported data location as your default location.
Security Command Center uses the default location only to store findings at rest that apply to the following types of resources:
- Resources that are not located in a supported data location for Security Command Center
- Resources that don't specify a location in their metadata
If you deploy Google Cloud resources in multiple locations or multi-regions, then you might choose the Global (global) location as your default.
If you deploy resources only in a single location, then you might choose the multi-region that includes that location as your default.
Security Command Center resources and data residency
The following list explains how Security Command Center applies data residency controls to Security Command Center resources. If a resource isn't listed here, then it's not subject to data residency controls and is stored in accordance with the Google Cloud Platform Terms of Service.
- Assets
Asset metadata is stored by Cloud Asset Inventory and is not subject to data residency controls. This data is stored in accordance with the Google Cloud Platform Terms of Service.
For this reason, the Security Command Center Assets page in the Google Cloud console always displays all of the resources in your organization, folder, or project, regardless of their location or the location that you select in the Google Cloud console. However, when data residency is enabled, and you view an asset's details, the Assets page does not show information about findings that affect the asset.
- Attack exposure scores and attack paths
Attack exposure scores and attack paths are not subject to data residency controls. This data is stored in accordance with the Google Cloud Platform Terms of Service.
- BigQuery exports
BigQuery export configurations are subject to data residency controls.
EU, US, and Global
When you create these resources, you specify the location where they reside. These configurations apply only to findings that reside in the same location.
KSA
Use the regional URLs to create and manage these configuration resources. They reside in the KSA location, along with your findings.
The Security Command Center API represents BigQuery export configurations as BigQueryExport resources.
- Continuous exports
Continuous export configurations are subject to data residency controls.
EU, US, and Global
When you create these resources, you specify the location where they reside. These configurations apply only to findings that reside in the same location.
KSA
Use the regional URLs to create and manage these configuration resources. They reside in the KSA location, along with your findings.
The Security Command Center API represents continuous export configurations as NotificationConfig resources.
- Findings
Findings are subject to data residency controls.
EU, US, and Global
When a finding is created, it resides in the Security Command Center location where the affected resource is located.
If an affected resource is located outside of a supported location or has no location identifier, then findings for the resource reside in your default location.
KSA
When a finding is created for a resource that resides in the KSA location, that finding always resides in the KSA location.
When a finding is created for a resource that resides in another location, the finding eventually resides in the KSA location. However, the finding might reside in a different region at the time that it's created.
To help ensure that findings always reside in the KSA location, create all of your resources in the KSA location.
- Mute rules
Mute rule configurations are subject to data residency controls.
EU, US, and Global
When you create these resources, you specify the location where they reside. These configurations apply only to findings that reside in the same location.
KSA
Use the regional URLs to create and manage these configuration resources. They reside in the KSA location, along with your findings.
The Security Command Center API represents mute rule configurations as MuteConfig resources.
- Other Security Command Center resources and settings
Security Command Center resources and settings that aren't listed here, such as those that define which services are enabled or which tier is active, are not subject to data residency controls. This data is stored in accordance with the Google Cloud Platform Terms of Service.
Create or view data in a location
When data residency is enabled, you must specify a location when you create or view any data that's subject to data residency controls. Security Command Center automatically chooses a location for findings that it creates.
You can create or view data in only one location at a time. For example, if you list findings in the Global (global) location, then you won't see findings in the European Union (eu) location.
To create or view data that resides in a Security Command Center location, do the following:
Console
EU, US, and Global
In the Google Cloud console, go to Security Command Center.
To change the data location, click the location selector in the action bar.
A list of locations appears. Select the new location.
KSA
In the jurisdictional Google Cloud console for the KSA location, go to Security Command Center.
gcloud
EU, US, and Global
Use the --location=LOCATION flag when you run the Google Cloud CLI, as shown in the following example.
The gcloud scc findings list command lists an organization's findings in a specific location.
Before using any of the command data below, make the following replacements:
- ORGANIZATION_ID: the numeric ID of the organization
- LOCATION: the Security Command Center location to use, such as eu; if data residency is not enabled, use global
Execute the gcloud scc findings list command:
Linux, macOS, or Cloud Shell
gcloud scc findings list ORGANIZATION_ID --location=LOCATION
Windows (PowerShell)
gcloud scc findings list ORGANIZATION_ID --location=LOCATION
Windows (cmd.exe)
gcloud scc findings list ORGANIZATION_ID --location=LOCATION
The response contains a list of findings.
KSA
Configure the gcloud CLI to use the KSA location's regional service endpoint for the Security Command Center API:
gcloud config set api_endpoint_overrides/securitycenter \
https://securitycenter.me-central2.rep.googleapis.com/
You must then use the --location=sa flag when you run the Google Cloud CLI, as shown in the following example.
The gcloud scc findings list command lists an organization's findings in a specific location.
Before using any of the command data below, make the following replacements:
- ORGANIZATION_ID: the numeric ID of the organization
Execute the gcloud scc findings list command:
Linux, macOS, or Cloud Shell
gcloud scc findings list ORGANIZATION_ID --location=sa
Windows (PowerShell)
gcloud scc findings list ORGANIZATION_ID --location=sa
Windows (cmd.exe)
gcloud scc findings list ORGANIZATION_ID --location=sa
The response contains a list of findings.
REST
EU, US, and Global
Use an API endpoint that includes locations/LOCATION in the path, as shown in the following example.
The Security Command Center API's organizations.sources.locations.findings.list method lists an organization's findings in a specific location.
Before using any of the request data, make the following replacements:
- ORGANIZATION_ID: the numeric ID of the organization
- LOCATION: the Security Command Center location to use, such as eu; if data residency is not enabled, use global
HTTP method and URL:
GET https://securitycenter.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/LOCATION/findings
The response contains a list of findings.
KSA
Use the regional service endpoint for the KSA location to call the API, as shown in the following example.
The Security Command Center API's organizations.sources.locations.findings.list method lists an organization's findings in a specific location.
Before using any of the request data, make the following replacements:
- ORGANIZATION_ID: the numeric ID of the organization
HTTP method and URL:
GET https://securitycenter.me-central2.rep.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/sa/findings
The response contains a list of findings.
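The endpoint rule from the Regional URLs section (regional endpoint only for the four KSA resource types, no operations methods in KSA, default endpoint for everything else) and the one-location-at-a-time listing from this section, combined into one added Python example. This is not code from the Security Command Center documentation. The organization ID, finding names and categories, page tokens, and the injectable transport function are constructed for the example; the endpoint hosts and the v2 path come from this page, and the pageSize, pageToken, nextPageToken and listFindingsResults field names are those of the v2 findings.list method.

```python
# Added example; it is not code from the Security Command Center documentation.
# It encodes the rule this page gives for choosing the v2 API service endpoint
# by location and resource type, builds the findings.list URL with the location
# in the path, and pages through findings one location at a time.
# The transport is injectable, so the example runs offline against constructed
# responses; against the real API you would pass a function that performs an
# authenticated HTTPS GET and returns the decoded JSON body.
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode

DEFAULT_ENDPOINT = "https://securitycenter.googleapis.com"
KSA_ENDPOINT = "https://securitycenter.me-central2.rep.googleapis.com"

# Resource types that must go through the regional endpoint in the KSA (sa) location.
KSA_REGIONAL_RESOURCES = {"bigQueryExports", "findings", "muteConfigs", "notificationConfigs"}


def service_endpoint(location: str, resource_type: str) -> str:
    """Return the base URL for a resource type in a location.

    Only the KSA location routes anything to the regional endpoint; the EU, US
    and Global locations always use the default endpoint.
    """
    if location == "sa":
        if resource_type == "operations":
            raise ValueError("organizations.operations methods are not available in the KSA location")
        if resource_type in KSA_REGIONAL_RESOURCES:
            return KSA_ENDPOINT
    return DEFAULT_ENDPOINT


def findings_list_url(org_id: str, location: str, page_token: Optional[str] = None,
                      page_size: int = 100) -> str:
    """Build the organizations.sources.locations.findings.list URL across all sources ('-')."""
    base = service_endpoint(location, "findings")
    path = f"/v2/organizations/{org_id}/sources/-/locations/{location}/findings"
    params = {"pageSize": page_size}
    if page_token:
        params["pageToken"] = page_token
    return f"{base}{path}?{urlencode(params)}"


# A transport takes a URL and returns the decoded JSON response body.
Transport = Callable[[str], dict]


def list_findings(org_id: str, location: str, get: Transport) -> Iterator[dict]:
    """Yield every finding in one location, following nextPageToken until the list is exhausted."""
    token = None
    while True:
        body = get(findings_list_url(org_id, location, token))
        for result in body.get("listFindingsResults", []):
            yield result["finding"]
        token = body.get("nextPageToken")
        if not token:
            return


def list_findings_by_location(org_id: str, locations: List[str], get: Transport) -> Dict[str, List[dict]]:
    """A request returns findings from one location only, so query each location separately."""
    return {loc: list(list_findings(org_id, loc, get)) for loc in locations}


# Constructed sample data: a fake organization ID and fake findings, keyed by the
# exact URL the functions above produce, so a wrong host or path is caught.
SAMPLE_ORG = "123456789012"
SAMPLE_RESPONSES = {
    findings_list_url(SAMPLE_ORG, "eu"): {
        "listFindingsResults": [{"finding": {
            "name": f"organizations/{SAMPLE_ORG}/sources/1/locations/eu/findings/f1",
            "category": "OPEN_FIREWALL"}}],
        "nextPageToken": "page2",
    },
    findings_list_url(SAMPLE_ORG, "eu", "page2"): {
        "listFindingsResults": [{"finding": {
            "name": f"organizations/{SAMPLE_ORG}/sources/1/locations/eu/findings/f2",
            "category": "PUBLIC_BUCKET_ACL"}}],
    },
    findings_list_url(SAMPLE_ORG, "sa"): {
        "listFindingsResults": [{"finding": {
            "name": f"organizations/{SAMPLE_ORG}/sources/1/locations/sa/findings/f3",
            "category": "OPEN_SSH_PORT"}}],
    },
}


def sample_transport(url: str) -> dict:
    """Offline stand-in for an authenticated GET; rejects any URL the sample does not expect."""
    if url not in SAMPLE_RESPONSES:
        raise KeyError(f"unexpected request URL: {url}")
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for loc, findings in list_findings_by_location(SAMPLE_ORG, ["eu", "sa"], sample_transport).items():
        print(loc, [f["category"] for f in findings])
```

Because the sample transport only answers URLs built by the same functions, a request for the sa location that went to the default host, or one that left the location out of the path, fails immediately instead of silently returning nothing; keeping that strictness in a real client is a cheap way to catch an endpoint override that was never applied.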
What's next
- Learn how to activate Security Command Center with data residency enabled.
- Enable Security Command Center to stream findings to BigQuery.
- Set up continuous exports from Security Command Center to Pub/Sub.
- Create a mute rule for findings.