Security Command Center API を使用すると、組織での Security Command Center のアセット検出を有効または無効に変更できます。このガイドでは、組織の現在の構成を取得し、API を使用してアセット検出を有効にする方法について説明します。
Security Command Center API の非推奨のアセット機能、または Google Cloud CLI のアセット関連の Security Command Center コマンドを使用している場合を除き、アセット検出は必須ではありません。アセット検出は、[アセット] ページに表示されるアセットには影響しません。
Security Command Center の IAM ロールは、組織レベル、フォルダレベル、またはプロジェクト レベルで付与できます。検出結果、アセット、セキュリティ ソースを表示、編集、作成、更新する権限は、アクセス権が付与されているレベルによって異なります。Security Command Center のロールの詳細については、アクセス制御をご覧ください。
始める前に
アセット ディスカバリを構成する前に、サービス アカウントと SDK を設定する必要があります。
組織設定の構成の取得
Python
from google.cloud import securitycenter
client = securitycenter.SecurityCenterClient()
# organization_id is numeric ID for the organization. e.g.
# organization_id = "111112223333"
org_settings_name = client.organization_settings_path(organization_id)
org_settings = client.get_organization_settings(request={"name": org_settings_name})
print(org_settings)Java
static OrganizationSettings getOrganizationSettings(OrganizationName organizationName) {
try (SecurityCenterClient client = SecurityCenterClient.create()) {
// Start setting up a request to get OrganizationSettings for.
// OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
GetOrganizationSettingsRequest.Builder request =
GetOrganizationSettingsRequest.newBuilder()
.setName(organizationName.toString() + "/organizationSettings");
// Call the API.
OrganizationSettings response = client.getOrganizationSettings(request.build());
System.out.println("Organization Settings:");
System.out.println(response);
return response;
} catch (IOException e) {
throw new RuntimeException("Couldn't create client.", e);
}
}Go
import (
"context"
"fmt"
"io"
securitycenter "cloud.google.com/go/securitycenter/apiv1"
"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)
// getOrgSettings gets and prints the current organization asset discovery
// settings to w. orgID is the numeric Organization ID.
func getOrgSettings(w io.Writer, orgID string) error {
// orgID := "12321311"
// Instantiate a context and a security service client to make API calls.
ctx := context.Background()
client, err := securitycenter.NewClient(ctx)
if err != nil {
return fmt.Errorf("securitycenter.NewClient: %w", err)
}
defer client.Close() // Closing the client safely cleans up background resources.
req := &securitycenterpb.GetOrganizationSettingsRequest{
Name: fmt.Sprintf("organizations/%s/organizationSettings", orgID),
}
settings, err := client.GetOrganizationSettings(ctx, req)
if err != nil {
return fmt.Errorf("GetOrganizationSettings: %w", err)
}
fmt.Fprintf(w, "Retrieved Settings for: %s\n", settings.Name)
fmt.Fprintf(w, "Asset Discovery on? %v", settings.EnableAssetDiscovery)
return nil
}
Node.js
// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');
// Creates a new client.
const client = new SecurityCenterClient();
async function getOrgSettings() {
// organizationId is the numeric ID of the organization.
/*
* TODO(developer): Uncomment the following lines
*/
// const organizaionId = "111122222444";
const orgName = client.organizationPath(organizationId);
const [settings] = await client.getOrganizationSettings({
name: `${orgName}/organizationSettings`,
});
console.log('Current settings: %j', settings);
}
getOrgSettings();アセット ディスカバリの有効化
次の API 呼び出しでは、フィールド マスクを使用しているため、アセット ディスカバリの設定のみがオンまたはオフにされています。
Python
from google.cloud import securitycenter
from google.protobuf import field_mask_pb2
# Create the client
client = securitycenter.SecurityCenterClient()
# organization_id is numeric ID for the organization. e.g.
# organization_id = "111112223333"
org_settings_name = "organizations/{org_id}/organizationSettings".format(
org_id=organization_id
)
# Only update the enable_asset_discovery_value (leave others untouched).
field_mask = field_mask_pb2.FieldMask(paths=["enable_asset_discovery"])
# Call the service.
updated = client.update_organization_settings(
request={
"organization_settings": {
"name": org_settings_name,
"enable_asset_discovery": True,
},
"update_mask": field_mask,
}
)
print(f"Asset Discovery Enabled? {updated.enable_asset_discovery}")Java
static OrganizationSettings updateOrganizationSettings(OrganizationName organizationName) {
try (SecurityCenterClient client = SecurityCenterClient.create()) {
// Start setting up a request to update OrganizationSettings for.
// OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
OrganizationSettings organizationSettings =
OrganizationSettings.newBuilder()
.setName(organizationName.toString() + "/organizationSettings")
.setEnableAssetDiscovery(true)
.build();
FieldMask updateMask = FieldMask.newBuilder().addPaths("enable_asset_discovery").build();
UpdateOrganizationSettingsRequest.Builder request =
UpdateOrganizationSettingsRequest.newBuilder()
.setOrganizationSettings(organizationSettings)
.setUpdateMask(updateMask);
// Call the API.
OrganizationSettings response = client.updateOrganizationSettings(request.build());
System.out.println("Organization Settings have been updated:");
System.out.println(response);
return response;
} catch (IOException e) {
throw new RuntimeException("Couldn't create client.", e);
}
}Go
import (
"context"
"fmt"
"io"
securitycenter "cloud.google.com/go/securitycenter/apiv1"
"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
"google.golang.org/genproto/protobuf/field_mask"
)
// Turns on asset discovery for orgID and prints out updated settings to w.
// settings. orgID is the numeric Organization ID.
func enableAssetDiscovery(w io.Writer, orgID string) error {
// orgID := "12321311"
// Instantiate a context and a security service client to make API calls.
ctx := context.Background()
client, err := securitycenter.NewClient(ctx)
if err != nil {
return fmt.Errorf("securitycenter.NewClient: %w", err)
}
defer client.Close() // Closing the client safely cleans up background resources.
req := &securitycenterpb.UpdateOrganizationSettingsRequest{
OrganizationSettings: &securitycenterpb.OrganizationSettings{
Name: fmt.Sprintf("organizations/%s/organizationSettings", orgID),
EnableAssetDiscovery: true,
},
// Only update the asset discovery setting.
UpdateMask: &field_mask.FieldMask{
Paths: []string{"enable_asset_discovery"},
},
}
settings, err := client.UpdateOrganizationSettings(ctx, req)
if err != nil {
return fmt.Errorf("UpdateOrganizationSettings: %w", err)
}
fmt.Fprintf(w, "Updated Settings for: %s\n", settings.Name)
fmt.Fprintf(w, "Asset discovery on? %v\n", settings.EnableAssetDiscovery)
return nil
}
Node.js
// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');
// Creates a new client.
const client = new SecurityCenterClient();
async function updateOrgSettings() {
// organizationId is the numeric ID of the organization.
/*
* TODO(developer): Uncomment the following lines
*/
// const organizationId = "111122222444";
const orgName = client.organizationPath(organizationId);
const [newSettings] = await client.updateOrganizationSettings({
organizationSettings: {
name: `${orgName}/organizationSettings`,
enableAssetDiscovery: true,
},
// Only update the enableAssetDiscovery field.
updateMask: {paths: ['enable_asset_discovery']},
});
console.log('New settings: %j', newSettings);
}
updateOrgSettings();