Mengelola sumber keamanan menggunakan Security Command Center API

Panduan ini akan menuntun Anda menggunakan Security Command Center API untuk membuat sumber guna membuat temuan. Saat Anda menambahkan sumber, Security Command Center akan membuat sumber yang sesuai dan menetapkan izin yang relevan kepada sumber tersebut.

Peran IAM untuk Security Command Center dapat diberikan di tingkat organisasi, folder, atau project. Kemampuan Anda untuk melihat, mengedit, membuat, atau memperbarui temuan, aset, dan sumber keamanan bergantung pada tingkat akses yang diberikan kepada Anda. Untuk mempelajari peran Security Command Center lebih lanjut, lihat Kontrol akses.

Sebelum memulai

Sebelum menyiapkan sumber, Anda perlu Menyiapkan akun layanan. Jika Anda memanggil Security Command Center API secara langsung, dapatkan token pemilik.

Membuat sumber

Contoh ini menunjukkan cara membuat sumber dengan nama tampilan dan deskripsi tertentu yang digunakan di dasbor Security Command Center.

Server akan otomatis menetapkan ID ke sumber.

Python

from google.cloud import securitycenter

client = securitycenter.SecurityCenterClient()
# organization_id is the numeric ID of the organization. e.g.:
# organization_id = "111122222444"
org_name = f"organizations/{organization_id}"

created = client.create_source(
    request={
        "parent": org_name,
        "source": {
            "display_name": "Customized Display Name",
            "description": "A new custom source that does X",
        },
    }
)
print(f"Created Source: {created.name}")

Java

static Source createSource(OrganizationName organizationName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request to create a source in an organization.
    // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
    Source source =
        Source.newBuilder()
            .setDisplayName("Customized Display Name")
            .setDescription("A new custom source that does X")
            .build();

    CreateSourceRequest.Builder request =
        CreateSourceRequest.newBuilder().setParent(organizationName.toString()).setSource(source);

    // Call the API.
    Source response = client.createSource(request.build());

    System.out.println("Created Source: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)

// createSource creates a new source for organization orgID. orgID is
// the numeric identifier of the organization
func createSource(w io.Writer, orgID string) error {
	// orgID := "12321311"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &securitycenterpb.CreateSourceRequest{
		Source: &securitycenterpb.Source{
			DisplayName: "Customized Display Name",
			Description: "A new custom source that does X",
		},
		Parent: fmt.Sprintf("organizations/%s", orgID),
	}
	source, err := client.CreateSource(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateSource: %w", err)
	}

	fmt.Fprintf(w, "New source created: %s\n", source.Name)
	fmt.Fprintf(w, "Display Name: %s\n", source.DisplayName)
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();
// organizationId is numeric organization identifier.
/*
 * TODO(developer): Uncomment the following lines
 */
// const organizationId = "1234567777";
async function createSource() {
  const [source] = await client.createSource({
    source: {
      displayName: 'Customized Display Name',
      description: 'A new custom source that does X',
    },
    parent: client.organizationPath(organizationId),
  });
  console.log('New Source: %j', source);
}
createSource();

API

Di API, buat permintaan ke metode organizations.sources.create. Isi permintaan berisi instance Source.

  POST https://securitycenter.googleapis.com/API_VERSION/organizations/ORGANIZATION_ID/sources -d

  {
    "name": "SOURCE_NAME",
    "description": "SOURCE_DESCRIPTION",
    "displayName": "DISPLAY_NAME"
  }

Ganti kode berikut:

API_VERSION: versi API yang Anda targetkan.
ORGANIZATION_ID: ID organisasi Anda.
SOURCE_NAME: nama sumber.
SOURCE_DESCRIPTION: deskripsi sumber (maksimum: 1.024 karakter).
DISPLAY_NAME: nama tampilan sumber (antara satu dan 64 karakter).

Sumber tidak akan terlihat di dasbor Security Command Center hingga sumber tersebut menghasilkan temuan. Anda dapat memverifikasi bahwa sumber tersebut dibuat dengan mengikuti petunjuk dalam Mendapatkan sumber tertentu.

Memperbarui sumber

Anda dapat memperbarui nama tampilan dan deskripsi sumber setelah dibuat. Anda juga dapat menggunakan mask kolom untuk memperbarui satu kolom saja. Contoh di bawah ini menggunakan mask kolom untuk memperbarui nama tampilan saja, tanpa mengubah deskripsi.

Python

from google.cloud import securitycenter
from google.protobuf import field_mask_pb2

client = securitycenter.SecurityCenterClient()

# Field mask to only update the display name.
field_mask = field_mask_pb2.FieldMask(paths=["display_name"])

# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
updated = client.update_source(
    request={
        "source": {"name": source_name, "display_name": "Updated Display Name"},
        "update_mask": field_mask,
    }
)
print(f"Updated Source: {updated}")

Java

static Source updateSource(SourceName sourceName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request to update a source.
    // SourceName sourceName = SourceName.of(/*organization=*/"123234324",/*source=*/
    // "423432321");
    Source source =
        Source.newBuilder()
            .setDisplayName("Updated Display Name")
            .setName(sourceName.toString())
            .build();
    FieldMask updateMask = FieldMask.newBuilder().addPaths("display_name").build();

    UpdateSourceRequest.Builder request =
        UpdateSourceRequest.newBuilder().setSource(source).setUpdateMask(updateMask);

    // Call the API.
    Source response = client.updateSource(request.build());

    System.out.println("Updated Source: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
	"google.golang.org/genproto/protobuf/field_mask"
)

// updateSource changes a sources display name to "New Display Name" for a
// specific source. sourceName is the full resource name of the source to be
// updated.
func updateSource(w io.Writer, sourceName string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &securitycenterpb.UpdateSourceRequest{
		Source: &securitycenterpb.Source{
			Name:        sourceName,
			DisplayName: "New Display Name",
		},
		// Only update the display name field (if not set all mutable
		// fields of the source will be updated.
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"display_name"},
		},
	}
	source, err := client.UpdateSource(ctx, req)
	if err != nil {
		return fmt.Errorf("UpdateSource: %w", err)
	}
	fmt.Fprintf(w, "Source Name: %s, ", source.Name)
	fmt.Fprintf(w, "Display name: %s, ", source.DisplayName)
	fmt.Fprintf(w, "Description: %s\n", source.Description)

	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();
// sourceName is the full resource path to the update target.
/*
 * TODO(developer): Uncomment the following lines
 */
// const sourceName = "organizations/111122222444/sources/1234";
async function updateSource() {
  const [source] = await client.updateSource({
    source: {
      name: sourceName,
      displayName: 'New Display Name',
    },
    // Only update the display name field (if not set all mutable
    // fields of the source will be updated.
    updateMask: {paths: ['display_name']},
  });
  console.log('Updated source: %j', source);
}

updateSource();

API

Di API, buat permintaan ke metode organizations.sources.patch. Isi permintaan berisi instance Source.

  PATCH https://securitycenter.googleapis.com/API_VERSION/organizations/ORGANIZATION_ID/sources/SOURCE_ID?updateMask=displayName -d

  {
    "description": "SOURCE_DESCRIPTION",
    "displayName": "DISPLAY_NAME",
  }

Ganti kode berikut:

API_VERSION: versi API yang Anda targetkan.
ORGANIZATION_ID: ID organisasi Anda.
SOURCE_ID: ID sumber. Untuk petunjuk tentang cara mengambil ID sumber, lihat Mendapatkan ID sumber.
SOURCE_DESCRIPTION: deskripsi sumber (maks. 1.024 karakter).
DISPLAY_NAME: nama tampilan sumber (antara satu dan 64 karakter).

Menetapkan kebijakan IAM pada sumber

Setelah membuat sumber, perbarui kebijakan Identity and Access Management (IAM) untuk mengizinkan akses.

Python

from google.cloud import securitycenter
from google.iam.v1 import policy_pb2

client = securitycenter.SecurityCenterClient()

# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
# Get the old policy so we can do an incremental update.
old_policy = client.get_iam_policy(request={"resource": source_name})
print(f"Old Policy: {old_policy}")

# Setup a new IAM binding.
binding = policy_pb2.Binding()
binding.role = "roles/securitycenter.findingsEditor"
# user_email is an e-mail address known to Cloud IAM (e.g. a gmail address).
# user_mail = user@somedomain.com
binding.members.append(f"user:{user_email}")

# Setting the e-tag avoids over-write existing policy
updated = client.set_iam_policy(
    request={
        "resource": source_name,
        "policy": {"etag": old_policy.etag, "bindings": [binding]},
    }
)

print(f"Updated Policy: {updated}")

Java

static Policy setIamPolicySource(SourceName sourceName, String userEmail) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // userEmail = "someuser@domain.com"
    // Set up IAM Policy for the user userMail to use the role findingsEditor.
    // The user must be a valid google account.
    Policy oldPolicy = client.getIamPolicy(sourceName.toString());
    Binding bindings =
        Binding.newBuilder()
            .setRole("roles/securitycenter.findingsEditor")
            .addMembers("user:" + userEmail)
            .build();
    Policy policy = oldPolicy.toBuilder().addBindings(bindings).build();

    // Start setting up a request to set IAM policy for a source.
    // SourceName sourceName = SourceName.of("123234324", "423432321");
    SetIamPolicyRequest.Builder request =
        SetIamPolicyRequest.newBuilder().setPolicy(policy).setResource(sourceName.toString());

    // Call the API.
    Policy response = client.setIamPolicy(request.build());

    System.out.println("Policy: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	iam "google.golang.org/genproto/googleapis/iam/v1"
)

// setSourceIamPolicy grants user roles/securitycenter.findingsEditor permision
// for a source. sourceName is the full resource name of the source to be
// updated. user is an email address that IAM can grant permissions to.
func setSourceIamPolicy(w io.Writer, sourceName string, user string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// user := "someuser@some_domain.com
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	// Retrieve the existing policy so we can update only a specific
	// field.
	existing, err := client.GetIamPolicy(ctx, &iam.GetIamPolicyRequest{
		Resource: sourceName,
	})
	if err != nil {
		return fmt.Errorf("GetIamPolicy(%s): %w", sourceName, err)
	}

	req := &iam.SetIamPolicyRequest{
		Resource: sourceName,
		Policy: &iam.Policy{
			// Enables partial update of existing policy
			Etag: existing.Etag,
			Bindings: []*iam.Binding{{
				Role: "roles/securitycenter.findingsEditor",
				// New IAM Binding for the user.
				Members: []string{fmt.Sprintf("user:%s", user)},
			},
			},
		},
	}
	policy, err := client.SetIamPolicy(ctx, req)
	if err != nil {
		return fmt.Errorf("SetIamPolicy(%s, %v): %w", sourceName, req.Policy, err)
	}

	fmt.Fprint(w, "Bindings:\n")
	for _, binding := range policy.Bindings {
		for _, member := range binding.Members {
			fmt.Fprintf(w, "Principal: %s Role: %s\n", member, binding.Role)
		}
	}
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

async function setSourceIamPolicy() {
  // sourceName is the full resource name of the source to be
  // updated.
  // user is an email address that IAM can grant permissions to.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const sourceName = "organizations/111122222444/sources/1234";
  // const user = "someuser@domain.com";
  const [existingPolicy] = await client.getIamPolicy({
    resource: sourceName,
  });

  const [updatedPolicy] = await client.setIamPolicy({
    resource: sourceName,
    policy: {
      // Enables partial update of existing policy
      etag: existingPolicy.etag,
      bindings: [
        {
          role: 'roles/securitycenter.findingsEditor',
          // New IAM Binding for the user.
          members: [`user:${user}`],
        },
      ],
    },
  });
  console.log('Updated policy: %j', updatedPolicy);
}
setSourceIamPolicy();

API

Di API, buat permintaan ke metode organizations.sources.setIamPolicy. Isi permintaan mencakup instance Kebijakan.

  POST https://securitycenter.googleapis.com/API_VERSION/organizations/ORGANIZATION_ID/sources/SOURCE_ID:setIamPolicy -d

  {
    "version": POLICY_FORMAT,
    "bindings": [
      {
        "role": IAM_ROLE,
        "members": [
          IAM_EMAIL
        ]
      }
  ],
    "auditConfigs": [
      {
        "service": "SERVICE",
          "auditLogConfigs": [
            {
              "logType": "LOG_PERMISSION",
              "exemptedMembers": [
                "user:EXEMPT_EMAIL"
                ]
            }
          ]
       }
    ],
    "etag": ETAG
  }

Ganti kode berikut:

API_VERSION: versi API yang Anda targetkan.
ORGANIZATION_ID: ID organisasi Anda.
SOURCE_ID: ID sumber. Lihat Mendapatkan sumber tertentu untuk mengetahui petunjuk cara mengambil ID sumber.
POLICY_FORMAT: 0, 1, atau 3 untuk menentukan format kebijakan.
IAM_ROLE: peran IAM yang diberikan.
IAM_USER_EMAIL: alamat email untuk pengguna yang Anda beri peran.
SERVICE: layanan Google Cloud tempat Anda mengaktifkan logging audit.
LOG_PERMISSION: izin log yang diberikan: ADMIN_READ, DATA_READ, atau DATA_WRITE.
EXEMPT_EMAIL: identitas yang tidak menyebabkan logging untuk jenis izin.
ETAG: string yang ditampilkan sebagai respons terhadap getIamPolicy yang harus disertakan untuk membantu mencegah update kebijakan secara bersamaan agar tidak menimpa satu sama lain.

Mendapatkan sumber tertentu

Pastikan sumber dibuat atau diupdate secara tepat dengan membuat kueri Security Command Center dengan nama resource absolut sumber:

gcloud

  # Note: For GCloud you can use either full resource name or just ID Flags.
  # In this example, we are using ID Flags.
  # ORGANIZATION_ID=12344321
  # SOURCE_ID=43211234

  gcloud scc sources describe $ORGANIZATION_ID --source=$SOURCE_ID

Untuk contoh lainnya, jalankan:

  gcloud scc sources describe --help

Python

from google.cloud import securitycenter

client = securitycenter.SecurityCenterClient()

# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
source = client.get_source(request={"name": source_name})

print(f"Source: {source}")

Java

static Source getSource(SourceName sourceName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request to get a source.
    // SourceName sourceName = SourceName.of(/*organization=*/"123234324",/*source=*/
    // "423432321");
    GetSourceRequest.Builder request =
        GetSourceRequest.newBuilder().setName(sourceName.toString());

    // Call the API.
    Source response = client.getSource(request.build());

    System.out.println("Source: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)

// getSource retrieves a source by its resource name and print it to w.
// sourceName is the full resource name of the source to be updated.
func getSource(w io.Writer, sourceName string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &securitycenterpb.GetSourceRequest{
		Name: sourceName,
	}
	source, err := client.GetSource(ctx, req)
	if err != nil {
		return fmt.Errorf("GetSource: %w", err)
	}
	fmt.Fprintf(w, "Source: %v\n", source.Name)
	fmt.Fprintf(w, "Display Name: %v\n", source.DisplayName)
	fmt.Fprintf(w, "Description: %v\n", source.Description)
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();
// sourceName is the full resource name of the source to be retrieved.
/*
 * TODO(developer): Uncomment the following lines
 */
// const sourceName = "organizations/111122222444/sources/1234";
async function getSource() {
  const [source] = await client.getSource({name: sourceName});
  console.log('Source: %j', source);
}

getSource();

API

Di API, buat permintaan ke metode organizations.sources.get. Isi permintaan kosong.

  GET https://securitycenter.googleapis.com/API_VERSION/organizations/ORGANIZATION_ID/sources/SOURCE_ID

Ganti kode berikut:

API_VERSION: versi API yang Anda targetkan.
ORGANIZATION_ID: ID organisasi Anda.
SOURCE_ID: ID sumber.

Sumber Listingan

Dengan Security Command Center, Anda dapat membuat daftar sumber tertentu dan mencantumkan semua sumber yang saat ini tersedia dalam organisasi:

Python

from google.cloud import securitycenter

# Create a new client.
client = securitycenter.SecurityCenterClient()
# 'parent' must be in one of the following formats:
#   "organizations/{organization_id}"
#   "projects/{project_id}"
#   "folders/{folder_id}"
parent = f"organizations/{organization_id}"

# Call the API and print out each existing source.
for i, source in enumerate(client.list_sources(request={"parent": parent})):
    print(i, source)

Java

static ImmutableList<Source> listSources(OrganizationName organizationName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request to list sources in an organization, project, or folder.
    // Parent must be in one of the following formats:
    //    OrganizationName organizationName = OrganizationName.of("organization-id");
    //    ProjectName projectName = ProjectName.of("project-id");
    //    FolderName folderName = FolderName.of("folder-id");
    ListSourcesRequest.Builder request =
        ListSourcesRequest.newBuilder().setParent(organizationName.toString());

    // Call the API.
    ListSourcesPagedResponse response = client.listSources(request.build());

    // This creates one list for all sources.  If your organization has a large number of sources
    // this can cause out of memory issues.  You can process them batches by returning
    // the Iterable returned response.iterateAll() directly.
    ImmutableList<Source> results = ImmutableList.copyOf(response.iterateAll());
    System.out.println("Sources:");
    System.out.println(results);
    return results;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
	"google.golang.org/api/iterator"
)

// listSources prints all sources in  orgID to w.  orgID is the numeric
// identifier of the organization.
func listSources(w io.Writer, orgID string) error {
	// orgID := "12321311"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &securitycenterpb.ListSourcesRequest{
		// Parent must be in one of the following formats:
		//		"organizations/{orgId}"
		//		"projects/{projectId}"
		//		"folders/{folderId}"
		Parent: fmt.Sprintf("organizations/%s", orgID),
	}
	it := client.ListSources(ctx, req)
	for {
		source, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return fmt.Errorf("it.Next: %w", err)
		}
		fmt.Fprintf(w, "Source Name: %s, ", source.Name)
		fmt.Fprintf(w, "Display name: %s, ", source.DisplayName)
		fmt.Fprintf(w, "Description: %s\n", source.Description)
	}
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();
//  organizationId is the numeric ID of the organization.
/*
 * TODO(developer): Uncomment the following lines
 */
// parent: must be in one of the following formats:
//    `organizations/${organization_id}`
//    `projects/${project_id}`
//    `folders/${folder_id}`
const parent = `organizations/${organizationId}`;
// Call the API with automatic pagination.
async function listSources() {
  const [response] = await client.listSources({parent: parent});
  let count = 0;
  console.log('Sources:');
  Array.from(response).forEach(source =>
    console.log('%d %j', ++count, source)
  );
}

listSources();

API

Di API, buat permintaan ke metode organizations.sources.list. Isi permintaan kosong.

  GET https://securitycenter.googleapis.com/API_VERSION/organizations/ORGANIZATION_ID/sources

Ganti kode berikut:

API_VERSION: versi API yang Anda targetkan.
ORGANIZATION_ID: ID organisasi Anda.

Mendapatkan kebijakan IAM

Anda dapat memeriksa apakah kebijakan IAM yang sesuai telah diterapkan ke sumber dengan mendapatkan data kebijakan IAM saat ini dari Security Command Center:

Python

from google.cloud import securitycenter

client = securitycenter.SecurityCenterClient()

# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
# Get the old policy so we can do an incremental update.
policy = client.get_iam_policy(request={"resource": source_name})
print(f"Policy: {policy}")

Java

static Policy getIamPolicySource(SourceName sourceName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request to get IAM policy for a source.
    // SourceName sourceName = SourceName.of(/*organization=*/"123234324",/*source=*/
    // "423432321");
    GetIamPolicyRequest request =
        GetIamPolicyRequest.newBuilder().setResource(sourceName.toString()).build();

    // Call the API.
    Policy response = client.getIamPolicy(request);

    System.out.println("Policy: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	iam "google.golang.org/genproto/googleapis/iam/v1"
)

// getSourceIamPolicy prints the policy for sourceName to w and return it.
// sourceName is the full resource name of the source with the policy of interest.
func getSourceIamPolicy(w io.Writer, sourceName string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &iam.GetIamPolicyRequest{
		Resource: sourceName,
	}

	policy, err := client.GetIamPolicy(ctx, req)
	if err != nil {
		return fmt.Errorf("GetIamPolicy(%s): %w", sourceName, err)
	}

	fmt.Fprintf(w, "Policy: %v", policy)
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

async function getSourceIamPolicy() {
  // sourceName is the full resource name to retrieve the policy for.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const sourceName = "organizations/111122222444/sources/1234";

  const [existingPolicy] = await client.getIamPolicy({
    resource: sourceName,
  });

  console.log('Current policy: %j', existingPolicy);
}
getSourceIamPolicy();

API

Di API, buat permintaan ke metode organizations.sources.getIamPolicy. Isi permintaan berisi pesan permintaan GetIamPolicyRequest. Objek options bersifat opsional dan digunakan untuk meminta format kebijakan.

  GET https://securitycenter.googleapis.com/API_VERSION/organizations/ORGANIZATION_ID/sources/SOURCE_ID:getIamPolicy -d

  {
    "resource": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "options": {
      "requestedPolicyVersion": POLICY_VERSION
    }
  }

Ganti kode berikut:

API_VERSION: versi API yang Anda targetkan.
ORGANIZATION_ID: ID organisasi Anda.
SOURCE_ID: ID sumber. Lihat Mendapatkan sumber tertentu untuk mengetahui petunjuk cara mengambil ID sumber.
POLICY_VERSION: format kebijakan yang akan ditampilkan, 0, 1, atau 3.

Langkah selanjutnya

Pelajari lebih lanjut cara Mengakses Security Command Center menggunakan SDK.