Security Command Center API 可让您控制是否为组织开启或关闭 Security Command Center 的资产发现功能。本指南介绍了如何获取组织的当前配置设置,以及如何使用 API 开启资产发现功能。
除非您使用的是 Security Command Center API 的已弃用资产功能或 Google Cloud CLI 中与资产相关的 Security Command Center 命令,否则不需要资产发现功能。资产发现不会影响资产页面上显示的资产。
Security Command Center 的 IAM 角色可以在组织、文件夹或项目级层授予。您能否查看、修改、创建或更新发现结果、资产和安全来源,取决于您获授予的访问权限级别。如需详细了解 Security Command Center 角色,请参阅访问权限控制。
准备工作
在配置资产发现之前,您需要使用 Security Command Center API 进行身份验证。
获取组织设置配置
Python
from google.cloud import securitycenter

client = securitycenter.SecurityCenterClient()

# organization_id is numeric ID for the organization. e.g.
# organization_id = "111112223333"
# Resource name of the settings object, i.e.
# "organizations/{organization_id}/organizationSettings".
name = client.organization_settings_path(organization_id)

# Fetch the current settings and display them.
response = client.get_organization_settings(request={"name": name})
print(response)
Java
/**
 * Reads and prints the organization settings (including the asset discovery flag)
 * for the given organization.
 *
 * @param organizationName the organization whose settings are read
 * @return the settings resource returned by the API
 * @throws RuntimeException if the client cannot be created
 */
static OrganizationSettings getOrganizationSettings(OrganizationName organizationName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
    // The settings resource lives at organizations/{id}/organizationSettings.
    String settingsName = organizationName.toString() + "/organizationSettings";
    GetOrganizationSettingsRequest request =
        GetOrganizationSettingsRequest.newBuilder().setName(settingsName).build();

    // Call the API and echo the result.
    OrganizationSettings settings = client.getOrganizationSettings(request);
    System.out.println("Organization Settings:");
    System.out.println(settings);
    return settings;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}
Go
import (
"context"
"fmt"
"io"
securitycenter "cloud.google.com/go/securitycenter/apiv1"
"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)
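// getOrgSettings gets and prints the current organization asset discovery
// settings to w. orgID is the numeric Organization ID.
//
// orgID is interpolated into the resource name
// "organizations/<orgID>/organizationSettings", so it is checked to be
// non-empty before a client is created or a request is sent; the API would
// reject the malformed name anyway, but failing early gives a clearer error.
func getOrgSettings(w io.Writer, orgID string) error {
	// orgID := "12321311"
	if orgID == "" {
		return fmt.Errorf("getOrgSettings: orgID must not be empty")
	}

	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &securitycenterpb.GetOrganizationSettingsRequest{
		Name: fmt.Sprintf("organizations/%s/organizationSettings", orgID),
	}
	settings, err := client.GetOrganizationSettings(ctx, req)
	if err != nil {
		return fmt.Errorf("GetOrganizationSettings: %w", err)
	}

	fmt.Fprintf(w, "Retrieved Settings for: %s\n", settings.Name)
	// Trailing newline so the output matches the update sample on this page.
	fmt.Fprintf(w, "Asset Discovery on? %v\n", settings.EnableAssetDiscovery)
	return nil
}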
Node.js
// Imports the Google Cloud client library.
const securityCenter = require('@google-cloud/security-center');

// Creates a new client (credentials are resolved from the environment).
const client = new securityCenter.SecurityCenterClient();
/**
 * Fetches and logs the organization settings (including the asset
 * discovery flag) for `organizationId`.
 */
async function getOrgSettings() {
  // organizationId is the numeric ID of the organization.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const organizationId = "111122222444";
  // Settings live at organizations/{id}/organizationSettings.
  const settingsName = `${client.organizationPath(organizationId)}/organizationSettings`;
  const [settings] = await client.getOrganizationSettings({name: settingsName});
  console.log('Current settings: %j', settings);
}
// Run the sample; the returned promise is not awaited at top level.
void getOrgSettings();
开启资产发现功能
以下 API 调用使用字段掩码,因此只会更改资产发现功能的开启或关闭状态,而不会影响其他设置。
Python
from google.cloud import securitycenter
from google.protobuf import field_mask_pb2

# Create the client
client = securitycenter.SecurityCenterClient()

# organization_id is numeric ID for the organization. e.g.
# organization_id = "111112223333"
org_settings_name = f"organizations/{organization_id}/organizationSettings"

# The field mask restricts the write to enable_asset_discovery; every other
# field of the settings resource is left untouched.
field_mask = field_mask_pb2.FieldMask(paths=["enable_asset_discovery"])

new_settings = {
    "name": org_settings_name,
    "enable_asset_discovery": True,
}

# Call the service.
updated = client.update_organization_settings(
    request={"organization_settings": new_settings, "update_mask": field_mask}
)
print(f"Asset Discovery Enabled? {updated.enable_asset_discovery}")
Java
/**
 * Turns on asset discovery for the given organization and prints the updated settings.
 * The update mask limits the write to the enable_asset_discovery field.
 *
 * @param organizationName the organization whose settings are updated
 * @return the settings resource returned by the API after the update
 * @throws RuntimeException if the client cannot be created
 */
static OrganizationSettings updateOrganizationSettings(OrganizationName organizationName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
    String settingsName = organizationName.toString() + "/organizationSettings";

    // Only the asset discovery flag is written; other fields are left untouched.
    FieldMask onlyAssetDiscovery =
        FieldMask.newBuilder().addPaths("enable_asset_discovery").build();
    OrganizationSettings desired =
        OrganizationSettings.newBuilder()
            .setName(settingsName)
            .setEnableAssetDiscovery(true)
            .build();
    UpdateOrganizationSettingsRequest request =
        UpdateOrganizationSettingsRequest.newBuilder()
            .setOrganizationSettings(desired)
            .setUpdateMask(onlyAssetDiscovery)
            .build();

    // Call the API and echo the result.
    OrganizationSettings updated = client.updateOrganizationSettings(request);
    System.out.println("Organization Settings have been updated:");
    System.out.println(updated);
    return updated;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}
Go
import (
"context"
"fmt"
"io"
securitycenter "cloud.google.com/go/securitycenter/apiv1"
"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
"google.golang.org/genproto/protobuf/field_mask"
)
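// enableAssetDiscovery turns on asset discovery for orgID and prints the
// updated settings to w. orgID is the numeric Organization ID.
//
// The update mask limits the write to enable_asset_discovery, so no other
// field of the organization settings is modified. orgID is interpolated into
// the resource name "organizations/<orgID>/organizationSettings" and is
// checked to be non-empty before a client is created or a request is sent.
func enableAssetDiscovery(w io.Writer, orgID string) error {
	// orgID := "12321311"
	if orgID == "" {
		return fmt.Errorf("enableAssetDiscovery: orgID must not be empty")
	}

	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &securitycenterpb.UpdateOrganizationSettingsRequest{
		OrganizationSettings: &securitycenterpb.OrganizationSettings{
			Name:                 fmt.Sprintf("organizations/%s/organizationSettings", orgID),
			EnableAssetDiscovery: true,
		},
		// Only update the asset discovery setting.
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"enable_asset_discovery"},
		},
	}
	settings, err := client.UpdateOrganizationSettings(ctx, req)
	if err != nil {
		return fmt.Errorf("UpdateOrganizationSettings: %w", err)
	}

	fmt.Fprintf(w, "Updated Settings for: %s\n", settings.Name)
	fmt.Fprintf(w, "Asset discovery on? %v\n", settings.EnableAssetDiscovery)
	return nil
}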
Node.js
// Imports the Google Cloud client library.
const securityCenter = require('@google-cloud/security-center');

// Creates a new client (credentials are resolved from the environment).
const client = new securityCenter.SecurityCenterClient();
/**
 * Turns on asset discovery for `organizationId` and logs the updated settings.
 * The update mask limits the write to the enableAssetDiscovery field.
 */
async function updateOrgSettings() {
  // organizationId is the numeric ID of the organization.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const organizationId = "111122222444";
  const settingsName = `${client.organizationPath(organizationId)}/organizationSettings`;

  // Only update the enableAssetDiscovery field.
  const updateMask = {paths: ['enable_asset_discovery']};
  const organizationSettings = {name: settingsName, enableAssetDiscovery: true};

  const [newSettings] = await client.updateOrganizationSettings({
    organizationSettings,
    updateMask,
  });
  console.log('New settings: %j', newSettings);
}
// Run the sample; the returned promise is not awaited at top level.
void updateOrgSettings();