Planning for data residency

Data residency gives you more control over where Security Command Center stores your findings and other data. When you enable data residency, Security Command Center does the following:

  • If possible, Security Command Center stores findings in the Google Cloud multi-region where your resources are located.

    Otherwise, findings are stored in a default location that you choose.

  • Security Command Center stores some types of configuration resources in a location that you choose.

  • In all other cases, Security Command Center stores your data globally.

This page provides essential information about using data residency. The following definitions apply to this page:

  • A location is a Google Cloud region or multi-region that corresponds to the location in which your data is stored.
  • The term "your data" has the same meaning as the term "Customer Data" in the Data Location item of the Google Cloud General Service Terms.

Requirements for data residency

You can enable data residency only when you activate the Standard or Premium tier of Security Command Center in an organization for the first time. The Enterprise tier doesn't support data residency.

After data residency is enabled, you can't disable it or change your default location.

Data residency requires you to use the Security Command Center v2 API. If data residency is enabled, then you can't use earlier versions of the Security Command Center API.

When data residency is enabled, the following features, functions, and integrations with other products are not supported:

  • AI summaries
  • Web Security Scanner
  • Terraform

If you don't enable data residency when you activate Security Command Center, then the location of your Security Command Center resources is set to Global (global), and Security Command Center does not restrict the storage of your data to any particular location.

Supported data locations

Security Command Center supports only the following Google Cloud multi-regions as data locations:

  • European Union (eu): Data is stored in any Google Cloud region within member states of the European Union.
  • United States (us): Data is stored in any Google Cloud region in the United States.
  • Global (global): Data can be stored or processed in any Google Cloud region. If data residency is not enabled, then Global (global) is the only supported location.

For more information about Security Command Center locations, see Products available by location.

If you need to specify a default location for data residency that Security Command Center doesn't support, then contact your account representative or a Google Cloud sales specialist.

Default data location

When you enable Security Command Center data residency, you specify a default Security Command Center location. You can select any supported data location as your default location.

Security Command Center uses the default location only to store findings that apply to the following types of resources:

  • Resources that are not located in a supported data location for Security Command Center
  • Resources that don't specify a location in their metadata

If you deploy Google Cloud resources in multiple locations or multi-regions, then you might choose the Global (global) location as your default.

If you deploy resources only in a single location, then you might choose the multi-region that includes that location as your default.

Security Command Center resources and data residency

The following list explains how Security Command Center applies data residency controls to Security Command Center resources. If a resource isn't listed here, then it's stored globally.

Assets

Asset metadata is not subject to data residency control and is stored globally in Cloud Asset Inventory.

For this reason, the Security Command Center Assets page in the Google Cloud console always displays all of the resources in your organization, folder, or project, regardless of their location or the location that you select in the Google Cloud console. However, when data residency is enabled, and you view an asset's details, the Assets page does not show information about findings that affect the asset.

Attack exposure scores and attack paths

Attack exposure scores and attack paths are not subject to data residency controls and are stored globally.

BigQuery exports

BigQuery export configurations are subject to data residency controls. When you create them, you specify the location where they're stored. These configurations apply only to findings that reside in the same location.

The Security Command Center API represents BigQuery export configurations as BigQueryExport resources.

Continuous exports

Continuous export configurations are subject to data residency controls. When you create them, you specify the location where they're stored. These configurations apply only to findings that reside in the same location.

The Security Command Center API represents continuous export configurations as NotificationConfig resources.

Findings

Findings are subject to data residency controls. When a finding is created, it's stored in the Security Command Center location where the affected resource is located.

If an affected resource is located outside of a supported location or has no location identifier, then findings for the resource are stored in your default location.

Mute rules

Mute rule configurations are subject to data residency controls. When you create them, you specify the location where they're stored. These configurations apply only to findings that reside in the same location.

The Security Command Center API represents mute rule configurations as MuteConfig resources.

Other Security Command Center resources and settings

Security Command Center resources and settings that aren't listed here, such as those that define which services are enabled or which tier is active, are not subject to data residency controls and are stored globally.

Create or view data in a location

When data residency is enabled, you must specify a location when you create or view any data that's subject to data residency controls. Security Command Center automatically chooses a location for findings that it creates.

You can create or view data in only one location at a time. For example, if you list findings in the Global (global) location, then you won't see findings in the European Union (eu) location.

To create or view data that resides in a Security Command Center location, do the following:

Console

  1. In the Google Cloud console, go to Security Command Center.
  2. To change the data location, click the location selector in the action bar.

    A list of locations appears. Select the new location.

gcloud

Use the --location=LOCATION flag when you run the Google Cloud CLI, as shown in the following example.

The gcloud scc findings list command lists an organization's findings in a specific location.

Before using any of the command data below, make the following replacements:

  • ORGANIZATION_ID: the numeric ID of the organization
  • LOCATION: the location where the data is stored; for example, eu or global

Execute the gcloud scc findings list command:

Linux, macOS, or Cloud Shell

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

Windows (PowerShell)

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

Windows (cmd.exe)

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

The response contains a list of findings.

REST

Use an API endpoint that includes locations/LOCATION in the path, as shown in the following example.

The Security Command Center API's organizations.sources.locations.findings.list method lists an organization's findings in a specific location.

Before using any of the request data, make the following replacements:

  • ORGANIZATION_ID: the numeric ID of the organization
  • LOCATION: the location where the data is stored; for example, eu or global

HTTP method and URL:

GET https://securitycenter.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/LOCATION/findings
The response contains a list of findings.
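The storage rule from the Default data location and Findings sections, together with the one-location-per-request behaviour of the list call above, is easier to plan against when written down as code. The following Python helpers are an added example for this page, not Google's code or part of the Security Command Center API: finding_storage_location models where a finding lands given the affected resource's region and your default location, and findings_list_url builds the v2 REST path shown above for one location. The region-to-multi-region mapping is an assumption chosen for illustration (europe-west2, London, is deliberately left out because the United Kingdom is not an EU member state, so by this page's definition it is not part of eu); the real assignment is made by Security Command Center.

```python
"""Planning helpers for Security Command Center data residency.

Added example, not Google's code. It models the rules this page states:
findings go to the multi-region (eu or us) of the affected resource when
possible, otherwise to the default location you chose at activation, and
each list request returns findings from exactly one location.
"""

from collections import Counter
from urllib.parse import quote

# Supported Security Command Center data locations, as listed on this page.
SUPPORTED_LOCATIONS = ("eu", "us", "global")

# ASSUMPTION for illustration only: a few Google Cloud regions and the
# multi-region they fall into. Regions outside EU member states (for example
# europe-west2, London) and outside the US are intentionally absent, so a
# resource there falls through to the default location.
REGION_TO_MULTI_REGION = {
    "europe-west1": "eu",   # Belgium
    "europe-west4": "eu",   # Netherlands
    "us-central1": "us",    # Iowa
    "us-east1": "us",       # South Carolina
}


def finding_storage_location(resource_location, default_location):
    """Return the SCC location where a finding for a resource is stored.

    resource_location is the region from the resource's metadata, or None
    when the resource carries no location identifier at all.
    """
    if default_location not in SUPPORTED_LOCATIONS:
        raise ValueError(f"unsupported default location: {default_location}")
    if resource_location is None:
        # Resource has no location in its metadata: default location applies.
        return default_location
    multi_region = REGION_TO_MULTI_REGION.get(resource_location)
    if multi_region is None:
        # Resource lives outside any supported multi-region: default applies.
        return default_location
    return multi_region


def summarize_finding_locations(resource_locations, default_location):
    """Count how many resources' findings land in each SCC location.

    Useful when deciding on a default: if most findings would end up in the
    default anyway, the page suggests choosing global for multi-location
    deployments and the matching multi-region for single-location ones.
    """
    counts = Counter(
        finding_storage_location(loc, default_location) for loc in resource_locations
    )
    return dict(counts)


def findings_list_url(organization_id, location):
    """Build the v2 REST URL that lists an organization's findings in one location."""
    if location not in SUPPORTED_LOCATIONS:
        raise ValueError(f"unsupported location: {location}")
    return (
        "https://securitycenter.googleapis.com/v2/organizations/"
        f"{quote(str(organization_id))}/sources/-/locations/{location}/findings"
    )


def findings_list_urls_for_all_locations(organization_id):
    """One request covers one location only, so to see every finding in the
    organization you must query each supported location in turn."""
    return [findings_list_url(organization_id, loc) for loc in SUPPORTED_LOCATIONS]


if __name__ == "__main__":
    # Constructed sample inventory: two EU regions, one US region, one region
    # outside both multi-regions, and one resource with no location metadata.
    inventory = ["europe-west1", "europe-west4", "us-east1", "asia-east1", None]
    print(summarize_finding_locations(inventory, "global"))
    for url in findings_list_urls_for_all_locations("ORGANIZATION_ID"):
        print(url)
```

Run it with a list of your own resource regions to see how the choice of default location shifts where findings are stored; the URL helper is the same path the REST section shows, with ORGANIZATION_ID and LOCATION substituted.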

What's next