Using Asset Inventory

This page walks you through accessing Cloud Security Command Center (Cloud SCC) asset inventory to review your organization's Google Cloud Platform (GCP) resources.

Before you begin

To access Cloud SCC asset inventory, you must have one of the following Cloud Identity and Access Management (Cloud IAM) roles:

  • securitycenter.viewer
  • securitycenter.editor

For more information about these Cloud IAM roles, see Access control.

Accessing asset inventory

  1. Go to the Google Cloud Platform Console Security Command Center.
  2. Select the organization you want to review.
  3. On the Security Command Center dashboard that appears, click the Asset inventory tab.

You're now viewing the Cloud SCC asset inventory detailed list view.

Using asset inventory

Asset inventory lets you view the assets of the entire organization or narrow the view to the assets of a single project.

Viewing by project

By default, assets are displayed in the organization and project hierarchy. To view assets associated with a specific resource, under View by Project, select the organization or project you want to review.

After you select an organization or project, its assets display in the middle panel. The following asset types are currently supported:

  • Organization
  • Project
  • App Engine
    • Application
    • Service
  • Compute Engine
    • Address
    • Disk
    • Firewalls
    • GlobalAddress
    • Image
    • Instance
    • InstanceGroup
    • Network
    • Route
    • SslCertificate
    • Subnetwork
    • TargetVPNGateway
    • VPNTunnel
  • Cloud Datastore
    • Kind
  • Cloud Storage
    • Bucket

Viewing by asset type

To view your assets grouped by resource type, under the Asset inventory tab, click Asset type. Assets are displayed in categories like application, bucket, project, and service. To view individual resources for a specific asset type, under View by Asset type, select the asset type you want to review. All of the assets in that category are displayed in the middle panel.

Configuring asset inventory

By default, asset inventory displays the following columns:

  • Asset name: property.name
  • Asset type: attribute.asset_type
  • Asset owner: attribute.owner
  • Any marks added to the asset: marks

In a given session, you can hide any column except for property.name, and you can select more asset detail columns to display.

To select the asset columns you want to display, click Columns. In the menu that appears, select the columns you want to display. To hide a column, click the column name.

To control the screen space for asset inventory, you can change the following options:

  • Hide the GCP left side panel by clicking the left arrow.
  • Resize the asset display columns by dragging the dividing line left or right.
  • Hide the Marks right side panel by clicking Hide Info Panel.

To change the date and time for which asset inventory displays results, click the date and time drop-down, then select the date and time you want.

Sorting asset inventory

To sort the asset inventory display, click the column heading for the value by which you want to sort. Every column except attribute.asset_type sorts in numeric order first, then alphabetic order. The attribute.asset_type column instead uses the following smart order:

  1. Organization
  2. Projects
  3. App Engine applications
  4. App Engine services
  5. Cloud Storage buckets
  6. Cloud Datastore types
  7. Compute Engine resources

Within each smart-order group, assets are sorted alphabetically by name.

Using security marks

Security marks, or just "marks", enable you to annotate assets and then search, select, or filter using the mark. For example, the following steps allow you to filter projects that you group together under the same mark:

  1. Go to the Google Cloud Platform Console Asset Inventory page.
  2. Select the organization you want to review.
  3. On the asset inventory that appears, under property.name, select two or more projects that you want to mark.
  4. On the right side panel, under Marks, click Add mark.
  5. Add Key and Value items to identify the projects.

    For example, if you want to mark projects that are in a production stage, add a key of "stage" and a value of "prod". Each project will then have the new mark.stage: prod.

  6. When you're finished adding marks, click Save.

The projects you selected are now associated with a mark. By default, marks display as the right side column in asset inventory. To include or exclude specific marks in the asset inventory display, select the mark key in the filter drop-down list at the top of the displayed assets, then enter the mark value.

Marks, labels, and tags

Marks are unique to Cloud SCC and exist only in the Cloud SCC database. Reading and editing marks is tied to the securitycenter.editor role and is independent of roles and permissions on the underlying resource: a user with that role can annotate an asset they have no IAM permission to modify, and a resource owner without it cannot change the marks on their own resource.

Labels are user-level annotations that are applied to specific resources and are supported across multiple GCP products. Labels are primarily used for billing accounting and attribution.

Tags are also a user-level annotation, specific to Compute Engine resources. Tags are primarily used for network segmentation: firewall rules and routes select the instances they apply to by network tag.

Reading or updating labels and tags is tied to the permissions on the underlying resource. Labels and tags are ingested as part of the resource attributes in Cloud SCC asset inventory. You can search for specific label and tag presence, and specific keys and values, during post-processing of List API results.
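The following Python is an added example, not code from this page or from the Cloud SCC client library. It shows the post-processing described above (selecting assets by security mark, by label key or key/value, and by network tag) together with the attribute.asset_type smart order from the "Sorting asset inventory" section, applied to a constructed set of asset records. The flat record layout (name, asset_type, owner, labels, tags, marks) and the sample assets are assumptions for illustration; live List API responses nest these fields differently, so adapt the accessors before running this against real output.

```python
"""Sort and filter asset records shaped like Cloud SCC List API results.

Added example. The record layout and SAMPLE_ASSETS below are constructed
for illustration and do not match the nesting of a real API response.
"""
from typing import Dict, Iterable, List, Optional

# Smart order of the attribute.asset_type column, as described on the page.
# Types not listed here (all Compute Engine resources) sort after the list.
SMART_ORDER = ["Organization", "Project", "Application", "Service", "Bucket", "Kind"]

# Constructed sample data (not real assets), deliberately left unsorted.
SAMPLE_ASSETS: List[Dict] = [
    {"name": "vm-web-1", "asset_type": "Instance", "owner": "alice@example.com",
     "labels": {"env": "prod"}, "tags": ["http-server"], "marks": {}},
    {"name": "proj-billing", "asset_type": "Project", "owner": "bob@example.com",
     "labels": {}, "tags": [], "marks": {"stage": "prod"}},
    {"name": "example-org", "asset_type": "Organization", "owner": "",
     "labels": {}, "tags": [], "marks": {}},
    {"name": "proj-analytics", "asset_type": "Project", "owner": "carol@example.com",
     "labels": {"env": "dev"}, "tags": [], "marks": {"stage": "dev"}},
    {"name": "logs-archive", "asset_type": "Bucket", "owner": "bob@example.com",
     "labels": {"env": "prod", "pii": "true"}, "tags": [], "marks": {"stage": "prod"}},
    {"name": "default", "asset_type": "Network", "owner": "alice@example.com",
     "labels": {}, "tags": [], "marks": {}},
    {"name": "proj-web", "asset_type": "Project", "owner": "alice@example.com",
     "labels": {}, "tags": [], "marks": {"stage": "prod"}},
]


def smart_sort(assets: Iterable[Dict]) -> List[Dict]:
    """Order assets like the attribute.asset_type column: smart-order group
    first, then alphabetically by name within each group."""
    def key(asset: Dict):
        try:
            rank = SMART_ORDER.index(asset["asset_type"])
        except ValueError:
            rank = len(SMART_ORDER)  # Compute Engine and any unknown type
        return (rank, asset["name"])
    return sorted(assets, key=key)


def filter_by_mark(assets: Iterable[Dict], key: str,
                   value: Optional[str] = None) -> List[Dict]:
    """Assets carrying security mark `key` (and exactly `value`, if given).
    Marks live only in Cloud SCC, so this is the only place to test them."""
    return [a for a in assets
            if key in a["marks"] and (value is None or a["marks"][key] == value)]


def filter_by_label(assets: Iterable[Dict], key: str,
                    value: Optional[str] = None) -> List[Dict]:
    """Assets whose ingested resource labels contain `key` (and `value`)."""
    return [a for a in assets
            if key in a["labels"] and (value is None or a["labels"][key] == value)]


def filter_by_tag(assets: Iterable[Dict], tag: str) -> List[Dict]:
    """Compute Engine assets carrying network tag `tag`; other asset
    types have an empty tag list and never match."""
    return [a for a in assets if tag in a["tags"]]


def names(assets: Iterable[Dict]) -> List[str]:
    """Helper: the display names of a list of assets, in order."""
    return [a["name"] for a in assets]


if __name__ == "__main__":
    print("smart order:", names(smart_sort(SAMPLE_ASSETS)))
    print("mark stage=prod:", names(filter_by_mark(SAMPLE_ASSETS, "stage", "prod")))
    print("label pii present:", names(filter_by_label(SAMPLE_ASSETS, "pii")))
    print("tag http-server:", names(filter_by_tag(SAMPLE_ASSETS, "http-server")))
```

Marks and labels are filtered separately on purpose: a production bucket can carry the label env=prod from its owner and a mark stage=prod from the security team, and because the two are set under different permissions they can disagree. Comparing the two result sets (assets labelled prod but not marked prod, or vice versa) is a cheap consistency check once you have the List API output in hand.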
