Enabling Security Health Analytics

This guide describes how to enable Security Health Analytics to write security findings from Google Cloud Platform native scanners to Cloud Security Command Center (Cloud SCC). Findings from these scanners are searchable in the Cloud SCC dashboard and using the Cloud SCC API.

Before you begin

  • Security Health Analytics is not yet generally available, so you must be whitelisted to gain access. To sign up for the alpha, complete the Security Health Analytics Alpha Program form.
  • To enable Security Health Analytics, you must have the Organization Administrator Cloud Identity and Access Management (Cloud IAM) role. To learn more, see Access control for organizations.
  • To access the Cloud SCC dashboard, you must have the Security Center Admin Viewer Cloud IAM role.
  • To make changes to Cloud SCC, like adding marks, you must have an appropriate editor role, like Security Center Admin Editor.

Learn more about Cloud SCC roles.

Enabling Security Health Analytics

Some vulnerability detection isn't enabled automatically when you enable Security Health Analytics. To fully enable Security Health Analytics, add permissions to your Cloud SCC scanner service account.

The Cloud SCC scanner service account must have the following Cloud Identity and Access Management (Cloud IAM) roles. If you don't grant all of these roles to the service account, Security Health Analytics can't perform all of the scans that are available.

Required roles and why each is needed (role IDs are the ones used in the gcloud steps below):

  • Cloud Asset Viewer (roles/cloudasset.viewer): required to scan the Cloud IAM and access control configuration stored in Cloud Asset Inventory against known vulnerable configurations.
  • Compute Viewer (roles/compute.viewer): required to scan Compute Engine configuration details against known vulnerable configurations.
  • Kubernetes Engine Cluster Viewer (roles/container.clusterViewer): required to scan Google Kubernetes Engine cluster configuration details against known vulnerable configurations.
  • Logs Viewer (roles/logging.viewer): together with Monitoring AlertPolicy Viewer, required to detect assets that don't have sufficient logging and monitoring enabled.
  • Monitoring AlertPolicy Viewer (roles/monitoring.alertPolicyViewer): together with Logs Viewer, required to detect assets that don't have sufficient logging and monitoring enabled.
  • Cloud SQL Client (roles/cloudsql.client): required to scan Cloud SQL instances by black-box testing for instances that accept weak or empty root passwords. When this role is granted, the scanner connects to your Cloud SQL instances and attempts to log in with weak or empty passwords. The Cloud SQL scanners don't save or log the password that was used to identify the vulnerability.

To enable all Security Health Analytics scanners, follow the steps below for the Google Cloud Platform Console or gcloud command-line tool.

Console

To enable Security Health Analytics using the GCP Console:

  1. Go to the IAM page (IAM & admin > IAM) in the GCP Console.
  2. On the Project Selector drop-down list at the top of the page, select the organization for which you want to enable Security Health Analytics.
  3. On the Permissions tab, click Add.
  4. On the Add members panel that appears, under New members, enter organizations-[ORGANIZATION_ID]@cscc-scanner-mvp.iam.gserviceaccount.com.
  5. Use the Select a role drop-down list to add the following roles, clicking Add Another Role after each one:
    • Cloud Asset Viewer
    • Compute Viewer
    • Kubernetes Engine Cluster Viewer
    • Monitoring AlertPolicy Viewer
    • Logs Viewer
    • Cloud SQL Client
  6. When you're finished adding roles, click Save.

gcloud command-line tool

To enable Security Health Analytics using the gcloud command-line tool:

  1. Get your organization ID by running:
    gcloud organizations list
    This command lists the organizations that you belong to. Note the organization ID for the organization for which you want to enable Security Health Analytics.
  2. Set the ORGANIZATION_ID value by running:
    ORGANIZATION_ID=[ORGANIZATION_ID]
  3. Grant the service account the appropriate role for each scanner:

    # For the storage scanner
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/cloudasset.viewer
    # For the compute scanner
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/compute.viewer
    # For the container scanner
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/container.clusterViewer
    # For monitoring scanners using the monitoring API
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/monitoring.alertPolicyViewer
    # For monitoring scanners using the logging API
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/logging.viewer
    # For the MySQL password scanner
    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:organizations-$ORGANIZATION_ID@cscc-scanner-mvp.iam.gserviceaccount.com --role=roles/cloudsql.client


For more information, see the Cloud SDK gcloud beta organizations add-iam-policy-binding documentation.
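Because the scans silently skip whatever the service account cannot read, it is worth checking the organization policy after either procedure above rather than trusting that all six bindings landed. The following script is an added example, not part of this page or of Google's tooling: it reads the JSON that `gcloud organizations get-iam-policy --format=json` prints (a `bindings` list whose entries carry `role`, `members` and an optional `condition`), reports which of the six required roles are missing, which are granted only under an IAM condition (and so may not be in effect), and which extra roles the scanner holds beyond what it needs, then prints the `add-iam-policy-binding` commands for the missing ones. The organization ID and the policy in `SAMPLE_POLICY` are constructed for illustration.

```python
"""Audit the IAM roles granted to the Security Health Analytics scanner
service account at the organization level (added example, not Google code)."""
import json
import subprocess
import sys

# Role IDs from the gcloud steps above, mapped to their console names.
REQUIRED_ROLES = {
    "roles/cloudasset.viewer": "Cloud Asset Viewer",
    "roles/compute.viewer": "Compute Viewer",
    "roles/container.clusterViewer": "Kubernetes Engine Cluster Viewer",
    "roles/monitoring.alertPolicyViewer": "Monitoring AlertPolicy Viewer",
    "roles/logging.viewer": "Logs Viewer",
    "roles/cloudsql.client": "Cloud SQL Client",
}


def scanner_member(org_id):
    """IAM member string of the per-organization scanner service account."""
    return (f"serviceAccount:organizations-{org_id}"
            "@cscc-scanner-mvp.iam.gserviceaccount.com")


def roles_for_member(policy, member):
    """Return (unconditional_roles, conditional_roles) held by `member`.

    `policy` is the dict printed by `gcloud organizations get-iam-policy
    --format=json`. Bindings that carry an IAM condition are kept apart,
    because the member only has that role while the condition is true.
    """
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        target = conditional if binding.get("condition") else unconditional
        target.add(binding["role"])
    return unconditional, conditional


def audit(policy, org_id):
    """Compare the scanner's roles with REQUIRED_ROLES.

    missing:     required roles not granted unconditionally (scans will be skipped)
    extra:       roles the scanner holds but does not need (least privilege)
    conditional: required roles that are only granted under a condition
    """
    held, cond = roles_for_member(policy, scanner_member(org_id))
    required = set(REQUIRED_ROLES)
    return {
        "missing": sorted(required - held),
        "extra": sorted(held - required),
        "conditional": sorted(cond & required),
    }


def grant_commands(org_id, roles):
    """Argument vectors for the add-iam-policy-binding commands shown above,
    one per role, returned as lists so they can go to subprocess unquoted."""
    member = scanner_member(org_id)
    return [["gcloud", "organizations", "add-iam-policy-binding", str(org_id),
             f"--member={member}", f"--role={role}"] for role in roles]


def fetch_policy(org_id):
    """Read the live policy; needs gcloud and organization-level access."""
    out = subprocess.check_output(
        ["gcloud", "organizations", "get-iam-policy", str(org_id), "--format=json"])
    return json.loads(out)


# Constructed sample (not real data): two roles granted properly, one only
# under an expired-style condition, and Owner, which the scanner never needs.
SAMPLE_ORG_ID = "123456789012"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudasset.viewer",
         "members": [scanner_member(SAMPLE_ORG_ID)]},
        {"role": "roles/compute.viewer",
         "members": ["user:admin@example.com", scanner_member(SAMPLE_ORG_ID)]},
        {"role": "roles/cloudsql.client",
         "members": [scanner_member(SAMPLE_ORG_ID)],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
        {"role": "roles/owner",
         "members": [scanner_member(SAMPLE_ORG_ID)]},
    ]
}


if __name__ == "__main__":
    # Pass an organization ID to audit the live policy; otherwise use the sample.
    org = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_ORG_ID
    policy = fetch_policy(org) if len(sys.argv) > 1 else SAMPLE_POLICY
    report = audit(policy, org)
    for key, roles in report.items():
        print(f"{key}: {', '.join(roles) or '-'}")
    for cmd in grant_commands(org, report["missing"]):
        print(" ".join(cmd))  # review, then run each line to repair the policy
```

Run with your organization ID as the only argument to audit the real policy. Anything listed under "extra" (Owner in the sample) should be removed: the scanner only needs read access, plus Cloud SQL Client for the password test.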

After your organization is enabled for the Security Health Analytics alpha, you can view vulnerabilities in Cloud SCC. Security Health Analytics scans run automatically twice a day, 12 hours apart.

Getting support

If you're whitelisted for the Security Health Analytics alpha and you need support, please email security-health-analytics-support@google.com.
