Planning for data residency

Data residency gives you more control over where your Security Command Center data is located. This page provides essential information about how Security Command Center supports data residency.

The following definitions apply to this page:

A location is a Google Cloud region or multi-region that corresponds to the location in which your data resides.
The meaning of the term your data is equivalent to the meaning of the term "Customer Data" in the Data Location item in the Google Cloud General Service Terms.

Supported data locations

Security Command Center supports only the following Google Cloud multi-regions as data locations:

European Union (eu): Data resides in any Google Cloud region within member states of the European Union.
United States (us): Data resides in any Google Cloud region in the United States.
Kingdom of Saudi Arabia (KSA) (sa): Data resides in any Google Cloud region in KSA.
Global (global): Data can reside in any Google Cloud region. If data residency is not enabled, then Global (global) is the only supported location.

For more information about Security Command Center locations, see Products available by location.

If you need to specify a default location for data residency that Security Command Center doesn't support, then contact your account representative or a Google Cloud sales specialist.

Requirements for data residency

You can enable data residency only when you activate the Standard or Premium tier of Security Command Center in an organization for the first time. The Enterprise tier doesn't support data residency.

After data residency is enabled, you can't disable it or change your default location. Also, Gemini summaries of findings and attack paths are not available.

Data residency requires you to use the Security Command Center v2 API. If data residency is enabled, then you can't use earlier versions of the Security Command Center API.

If you don't enable data residency when you activate Security Command Center, then the location of your Security Command Center resources is set to Global (global), and Security Command Center does not restrict your data to any particular location.

Regional URLs

For the Kingdom of Saudi Arabia (KSA) location, you must use location-specific URLs to access the jurisdictional Google Cloud console, as well as some methods and commands in the gcloud CLI, the Cloud Client Libraries, and the Security Command Center API:

Console

To access Security Command Center, use the jurisdictional Google Cloud console, https://console.sa.cloud.google.com/.

The jurisdictional Google Cloud console lets you access Security Command Center data in the KSA and Global locations.

gcloud

To access data in the KSA location, the following gcloud CLI command groups require you to use the regional service endpoint for the Security Command Center API:

gcloud scc bqexports: manages BigQuery export configurations
gcloud scc findings: manages findings
gcloud scc muteconfigs: manages mute rule configurations
gcloud scc notifications: manages continuous export configurations

In addition, the gcloud scc operations command group is not available for long-running operations in the KSA location. For example, you can't check the status of a long-running operation to bulk-mute findings.

For all other gcloud scc command groups, you must use the default service endpoint for the Security Command Center API.

To switch to the regional service endpoint, run the following command:

gcloud config set api_endpoint_overrides/securitycenter \
    https://securitycenter.me-central2.rep.googleapis.com/

To switch to the default service endpoint, run the following command:

gcloud config unset api_endpoint_overrides/securitycenter

If you prefer, you can create a named configuration for gcloud CLI that uses the regional service endpoint, then switch to that named configuration before you run Security Command Center commands in the KSA location. To switch to a named configuration, run the gcloud config configurations activate command.

REST

For the KSA location, the Security Command Center API uses the regional service endpoint https://securitycenter.me-central2.rep.googleapis.com/.

To access the following REST API resource types in the KSA location, you must use the regional service endpoint for Security Command Center:

In addition, you can't call any methods for organizations.operations resources in the KSA location. For example, you can't check the status of a long-running operation to bulk-mute findings.

For all other resource types, you must use the default service endpoint for the Security Command Center API, https://securitycenter.googleapis.com/.

Client Libraries

To manage the following resource types in the KSA location, you must override the default service endpoint when you create a client for Security Command Center:

Use the endpoint https://securitycenter.me-central2.rep.googleapis.com for these resource types.

For all other resource types, you must use the default service endpoint for the Security Command Center API, https://securitycenter.googleapis.com.

To learn how to override the service endpoint in the Cloud Client Libraries, see the instructions for Go and Java.

When data residency is enforced

When you enable data residency for Security Command Center, some Security Command Center data is kept within a specified location when it's in one of the following states:

At rest: All supported locations
In use: KSA (sa) only
In transit: KSA (sa) only

Data residency at rest

Data is at rest when all of the following criteria are met:

The data is for a resource type that is subject to data residency controls.
You have not requested an operation that requires the data to be accessed.
The data is not being accessed in a way that produces audit logs or Access Transparency logs.

When you enable data residency, Security Command Center does the following:

EU, US, and Global

If possible, when findings data is at rest, Security Command Center stores it in the Google Cloud multi-region where your resources are located.

Otherwise, when findings data is at rest, it's stored in the default location that you choose.
When specific types of configuration resources are at rest, Security Command Center stores them in the default location that you choose.
In all other cases, when data is at rest, Security Command Center stores it globally.

KSA

When a finding is created for a resource that resides in the KSA location, that finding always resides in the KSA location at rest.
When a finding is created for a resource that resides in another location, the finding eventually resides in the KSA location at rest. However, the finding might temporarily reside in a different region at rest.
When you create specific types of configuration resources in the KSA location, and those resources are at rest, they reside in the KSA location.
In all other cases, when data is at rest, Security Command Center stores it globally.

Data residency in use

Data is in use when all of the following criteria are met:

The data is for a resource type that is subject to data residency controls.
Google Cloud is completing an operation that was initiated at your request—for example, because your application called the Security Command Center API)—or an operation that produces audit logs or Access Transparency logs.
It's possible for Google Cloud to operate on the data in a way that requires knowledge of the data's meaning—for example, by updating specific fields in a configuration resource. This includes any case where data is unencrypted in memory.

When you enable data residency, Security Command Center does the following:

EU, US, and Global

In the EU, US, and Global locations, data in use is not subject to data residency controls.

KSA

When a finding is created for a resource that resides in the KSA location, that finding always resides in the KSA location in use.
When a finding is created for a resource that resides in another location, the finding eventually resides in the KSA location in use. However, the finding might temporarily reside in a different region in use.
When you create specific types of configuration resources in the KSA location, and those resources are in use, they reside in the KSA location.
In all other cases, when data is in use, Security Command Center stores it globally.

Data residency in transit

Data is in transit when all of the following criteria are met:

The data is for a resource type that is subject to data residency controls.
The data is being transmitted, with encryption, within Google's network, or the data is in memory, with encryption, for the purpose of transmitting it within Google's network.

When you enable data residency, Security Command Center does the following:

EU, US, and Global

In the EU, US, and Global locations, data in transit is not subject to data residency controls.

KSA

When a finding is created for a resource that resides in the KSA location, that finding always resides in the KSA location in transit.
When a finding is created for a resource that resides in another location, the finding eventually resides in the KSA location in transit. However, the finding might temporarily reside in a different region in transit.
When you create specific types of configuration resources in the KSA location, and those resources are in transit, they reside in the KSA location.
In all other cases, when data is in transit, Security Command Center stores it globally.

Default data location

For the EU, US, and Global locations, when you enable Security Command Center data residency, you specify a default Security Command Center location. You can select any supported data location as your default location.

Security Command Center uses the default location only to store findings at rest that apply to the following types of resources:

Resources that are not located in a supported data location for Security Command Center
Resources that don't specify a location in their metadata

If you deploy Google Cloud resources in multiple locations or multi-regions, then you might choose the Global (global) location as your default.

If you deploy resources only in a single location, then you might choose the multi-region that includes that location as your default.

Security Command Center resources and data residency

The following list explains how Security Command Center applies data residency controls to Security Command Center resources. If a resource isn't listed here, then it's not subject to data residency controls and resides globally.

Assets

Asset metadata is not subject to data residency control and resides globally in Cloud Asset Inventory.

For this reason, the Security Command Center Assets page in the Google Cloud console always displays all of the resources in your organization, folder, or project, regardless of their location or the location that you select in the Google Cloud console. However, when data residency is enabled, and you view an asset's details, the Assets page does not show information about findings that affect the asset.

Attack exposure scores and attack paths

Attack exposure scores and attack paths are not subject to data residency controls and reside globally.

BigQuery exports

BigQuery export configurations are subject to data residency controls.

EU, US, and Global

When you create these resources, you specify the location where they reside. These configurations apply only to findings that reside in the same location.

KSA

Use the regional URLs to create and manage these configuration resources. They reside in the KSA location, along with your findings.

The Security Command Center API represents BigQuery export configurations as BiqQueryExport resources.

Continuous exports

Continuous export configurations are subject to data residency controls.

EU, US, and Global

When you create these resources, you specify the location where they reside. These configurations apply only to findings that reside in the same location.

KSA

Use the regional URLs to create and manage these configuration resources. They reside in the KSA location, along with your findings.

The Security Command Center API represents continuous export configurations as NotificationConfig resources.

Findings

Findings are subject to data residency controls.

EU, US, and Global

When a finding is created, it resides in the Security Command Center location where the affected resource is located.

If an affected resource is located outside of a supported location or has no location identifier, then findings for the resource reside in your default location.

KSA

When a finding is created for a resource that resides in the KSA location, that finding always resides in the KSA location.

When a finding is created for a resource that resides in another location, the finding eventually resides in the KSA location. However, the finding might reside in a different region at the time that it's created.

To help ensure that findings always reside in the KSA location, create all of your resources in the KSA location.

Mute rules

Mute rule configurations are subject to data residency controls.

EU, US, and Global

When you create these resources, you specify the location where they reside. These configurations apply only to findings that reside in the same location.

KSA

Use the regional URLs to create and manage these configuration resources. They reside in the KSA location, along with your findings.

The Security Command Center API represents mute rule configurations as MuteConfig resources.

Other Security Command Center resources and settings

Security Command Center resources and settings that aren't listed here, such as those that define which services are enabled or which tier is active, are not subject to data residency controls and reside globally.

Create or view data in a location

When data residency is enabled, you must specify a location when you create or view any data that's subject to data residency controls. Security Command Center automatically chooses a location for findings that it creates.

You can create or view data in only one location at a time. For example, if you list findings in the Global (global) location, then you won't see findings in the European Union (eu) location.

To create or view data that resides in a Security Command Center location, do the following:

Console

EU, US, and Global

In the Google Cloud console, go to Security Command Center.

Go to Security Command Center
To change the data location, click the location selector in the action bar.

A list of locations appears. Select the new location.

KSA

In the jurisdictional Google Cloud console for the KSA location, go to Security Command Center.

Go to Security Command Center

gcloud

EU, US, and Global

Use the --location=LOCATION flag when you run the Google Cloud CLI, as shown in the following example.

The gcloud scc findings list command lists an organization's findings in a specific location.

Before using any of the command data below, make the following replacements:

ORGANIZATION_ID: the numeric ID of the organization
LOCATION: the location where the data is stored; for example, eu or global

Execute the gcloud scc findings list command:

Linux, macOS, or Cloud Shell

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

Windows (PowerShell)

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

Windows (cmd.exe)

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

The response contains a list of findings.

KSA

Configure the gcloud CLI to use the KSA location's regional service endpoint for the Security Command Center API:

gcloud config set api_endpoint_overrides/securitycenter \
    https://securitycenter.me-central2.rep.googleapis.com/

You must then use the --location=sa flag when you run the Google Cloud CLI, as shown in the following example.

The gcloud scc findings list command lists an organization's findings in a specific location.

Before using any of the command data below, make the following replacements:

ORGANIZATION_ID: the numeric ID of the organization

Execute the gcloud scc findings list command:

Linux, macOS, or Cloud Shell

gcloud scc findings list ORGANIZATION_ID --location=sa

Windows (PowerShell)

gcloud scc findings list ORGANIZATION_ID --location=sa

Windows (cmd.exe)

gcloud scc findings list ORGANIZATION_ID --location=sa

The response contains a list of findings.

REST

EU, US, and Global

Use an API endpoint that includes locations/LOCATION in the path, as shown in the following example.

The Security Command Center API's organizations.sources.locations.findings.list method lists an organization's findings in a specific location.

Before using any of the request data, make the following replacements:

ORGANIZATION_ID: the numeric ID of the organization
LOCATION: the location where the data is stored; for example, eu or global

HTTP method and URL:

GET https://securitycenter.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/LOCATION/findings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://securitycenter.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/LOCATION/findings"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securitycenter.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/LOCATION/findings" | Select-Object -Expand Content

The response contains a list of findings.

KSA

Use the regional service endpoint for the KSA location to call the API, as shown in the following example.

The Security Command Center API's organizations.sources.locations.findings.list method lists an organization's findings in a specific location.

Before using any of the request data, make the following replacements:

ORGANIZATION_ID: the numeric ID of the organization

HTTP method and URL:

GET https://securitycenter.me-central2.rep.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/sa/findings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://securitycenter.me-central2.rep.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/sa/findings"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securitycenter.me-central2.rep.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/sa/findings" | Select-Object -Expand Content

The response contains a list of findings.

What's next

Learn how to activate Security Command Center with data residency enabled.
Enable Security Command Center to stream findings to BigQuery.
Set up continuous exports from Security Command Center to Pub/Sub.
Create a mute rule for findings.