This page walks you through accessing Cloud Security Command Center (Cloud SCC) asset inventory to review your organization's Google Cloud Platform (GCP) resources.
Before you begin
To access Cloud SCC asset inventory, you must have one of the following Cloud Identity and Access Management (Cloud IAM) roles:
For more information about these Cloud IAM roles, see Access control.
Accessing asset inventory
- Go to the Google Cloud Platform Console Security Command Center.
- Select the organization you want to review.
- On the Security Command Center dashboard that appears, click the Asset inventory tab.
You're now viewing the Cloud SCC asset inventory detailed list view.
Using asset inventory
Asset inventory lets you view assets for the entire organization, or only the assets within a specific project.
Viewing by project
By default, assets are displayed in the organization and project hierarchy. To view assets associated with a specific resource, under View by Project, select the organization or project you want to review.
After you select an organization or project, its assets display in the middle panel. The following asset types are currently supported:
- App Engine
- Compute Engine
- Cloud Datastore
- Cloud Storage
Viewing by asset type
To view your assets grouped by resource type, under the Asset inventory tab, click Asset type. Assets are displayed in categories like application, bucket, project, and service. To view individual resources for a specific asset type, under View by Asset type, select the asset type you want to review. All of the assets in that category are displayed in the middle panel.
Configuring asset inventory
By default, asset inventory displays the following columns:
- Asset name:
- Asset type:
- Asset owner:
- Any marks added to the asset:
In a given session, you can hide any column except for property.name, and you can select more asset detail columns to display.
To select the asset columns you want to display, click Columns. In the menu that appears, select the columns you want to display. To hide a column, click the column name.
To control the screen space for asset inventory, you can change the following options:
- Hide the GCP left side panel by clicking the left arrow.
- Resize the asset display columns by dragging the dividing line left or right.
- Hide the Marks right side panel by clicking Hide Info Panel.
To change the date and time for which asset inventory displays results, click the date and time drop-down, then select the date and time you want.
Sorting asset inventory
To sort the asset inventory display, click the column heading for the value by which you want to sort. Columns except for attribute.asset_type are sorted by numeric and then alphabetic order. The attribute.asset_type column uses the following smart order:
- App Engine applications
- App Engine services
- Cloud Storage buckets
- Cloud Datastore types
- Compute Engine resources
Within each smart-order group, items are sorted alphabetically by name.
Using security marks
Security marks, or just "marks", enable you to annotate assets and then search, select, or filter using the mark. For example, the following steps allow you to filter projects that you group together under the same mark:
- Go to the Google Cloud Platform Console Asset Inventory page.
- Select the organization you want to review.
- On the asset inventory that appears, under property.name, select two or more projects that you want to mark.
- On the right side panel, under Marks, click Add mark.
Add Key and Value items to identify the projects.
For example, if you want to mark projects that are in a production stage, add a key of "stage" and a value of "prod". Each project will then have the new
When you're finished adding marks, click Save.
The projects you selected are now associated with a mark. By default, marks display as the right side column in asset inventory. To include or exclude specific marks in the asset inventory display, select the mark key in the filter drop-down list at the top of the displayed assets, then enter the mark value.
Marks, labels, and tags
Marks are unique to Cloud SCC and only exist in the Cloud SCC database. Reading and editing marks is tied to the securityCenter.editor role and is independent of roles and permissions on the
Labels are user-level annotations that are applied to specific resources and are supported across multiple GCP products. Labels are primarily used for billing accounting and attribution.
Tags are also a user-level annotation, specific to Compute Engine resources. Tags are primarily used to define security groups, network segmentation, and firewall rules.
Reading or updating labels and tags is tied to the permissions on the underlying resource. Labels and tags are ingested as part of the resource attributes in Cloud SCC asset inventory. You can search for specific label and tag presence, and specific keys and values, during post-processing of List API results.
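The three operations this page describes as console actions, selecting assets by a security mark key and value, checking label and tag presence during post-processing of List API results, and the attribute.asset_type smart order, as one added Python example. This is not Google's code: the record layout it works on is an assumption loosely modeled on the Security Command Center List API (securityCenterProperties, resourceProperties, securityMarks), the labels and tags are assumed to be already decoded into dicts and lists, and the asset type strings and sample records are constructed, so field names may differ in real output.

```python
"""Post-process Cloud SCC asset-list results: filter by security marks,
labels and tags, then apply the asset-type "smart order" from this page.

Added example, not Google's code. The record layout is an ASSUMPTION
loosely modeled on the List API; labels/tags are assumed already decoded.
"""

# Asset-type groups in the smart order the page describes (strings assumed);
# any type not listed here sorts after all of them.
SMART_ORDER = [
    "App Engine application",
    "App Engine service",
    "Cloud Storage bucket",
    "Cloud Datastore type",
    "Compute Engine resource",
]


def _rec(rtype, rname, labels=None, tags=None, marks=None):
    """Build one constructed List API result record in the assumed layout."""
    resource_props = {}
    if labels:
        resource_props["labels"] = labels
    if tags:
        resource_props["tags"] = {"items": tags}
    return {"asset": {
        "securityCenterProperties": {"resourceType": rtype, "resourceName": rname},
        "resourceProperties": resource_props,
        "securityMarks": {"marks": dict(marks or {})},
    }}


# Constructed sample results (not real data).
SAMPLE_RESULTS = [
    _rec("project", "//cloudresourcemanager.googleapis.com/projects/p-web",
         labels={"env": "prod", "team": "web"}, marks={"stage": "prod"}),
    _rec("project", "//cloudresourcemanager.googleapis.com/projects/p-batch",
         labels={"env": "dev"}, marks={"stage": "dev"}),
    _rec("project", "//cloudresourcemanager.googleapis.com/projects/p-data",
         labels={"env": "prod"}, marks={"stage": "prod"}),
    _rec("Compute Engine resource",
         "//compute.googleapis.com/projects/p-web/zones/us-central1-a/instances/vm-1",
         tags=["http-server"]),
    _rec("Cloud Storage bucket", "//storage.googleapis.com/logs-bucket",
         labels={"env": "prod"}),
    _rec("App Engine service", "//appengine.googleapis.com/apps/p-web/services/default"),
    _rec("App Engine application", "//appengine.googleapis.com/apps/p-web"),
]


def asset_type(record):
    return record["asset"].get("securityCenterProperties", {}).get("resourceType", "")


def asset_name(record):
    return record["asset"].get("securityCenterProperties", {}).get("resourceName", "")


def has_mark(record, key, value=None):
    """True if the asset carries security mark `key` (and `value`, if given)."""
    marks = record["asset"].get("securityMarks", {}).get("marks", {})
    return key in marks and (value is None or marks[key] == value)


def has_label(record, key, value=None):
    """True if the resource carries label `key` (and `value`, if given)."""
    labels = record["asset"].get("resourceProperties", {}).get("labels", {})
    return key in labels and (value is None or labels[key] == value)


def has_tag(record, tag):
    """True if a Compute Engine resource carries network tag `tag`."""
    items = record["asset"].get("resourceProperties", {}).get("tags", {}).get("items", [])
    return tag in items


def select(records, predicate):
    """Keep only the records for which predicate(record) is true."""
    return [r for r in records if predicate(r)]


def smart_order_key(record):
    """Sort key: smart-order group rank first, then name alphabetically within it."""
    rtype = asset_type(record)
    rank = SMART_ORDER.index(rtype) if rtype in SMART_ORDER else len(SMART_ORDER)
    return (rank, asset_name(record))


def sort_smart(records):
    return sorted(records, key=smart_order_key)


def names(records):
    return [asset_name(r) for r in records]


if __name__ == "__main__":
    print("stage=prod:", names(select(SAMPLE_RESULTS, lambda r: has_mark(r, "stage", "prod"))))
    print("label env present:", names(select(SAMPLE_RESULTS, lambda r: has_label(r, "env"))))
    print("tag http-server:", names(select(SAMPLE_RESULTS, lambda r: has_tag(r, "http-server"))))
    print("smart order:", names(sort_smart(SAMPLE_RESULTS)))
```

The predicates are deliberately separate so that a mark filter (Cloud SCC's own annotation, governed by the securityCenter.editor role) is never confused with a label or tag filter (resource attributes governed by the underlying resource's permissions), which matches the distinction the page draws above.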