Using Cloud SCC security marks

This guide describes how to use security marks in Cloud Security Command Center (Cloud SCC). Security marks, or just "marks", enable you to annotate assets or findings in Cloud SCC and then search, select, or filter using the mark. You can use security marks to provide ACL annotations on assets and findings to group them for management, policy application, or integration with workflow, or to add priority, access level, or sensitivity classifications.

Before you begin

To add or change security marks, you must have a Cloud Identity and Access Management (Cloud IAM) role that includes permissions for the kind of mark that you want to use:

  • Asset marks: Asset Security Marks Writer
  • Finding marks: Finding Security Marks Writer

Security marks, labels, and tags

Security marks are unique to Cloud SCC and only exist in the Cloud SCC database. Cloud IAM permissions apply to security marks, and they are restricted to only users who have the appropriate Cloud SCC roles. Reading and editing security marks is tied to the Security Center Asset Security Marks Writer and Security Center Finding Security Marks Writer roles, and is independent of roles and permissions on the underlying resource.

Security marks enable you to add your business context for assets and findings. Labels and tags are similar kinds of metadata that are available through Cloud SCC, but they have a slightly different use and permissions model. Because Cloud IAM roles apply to security marks, they can be used to group and enforce policies on both assets and findings.

Labels are user-level annotations that are applied to specific resources and are supported across multiple GCP Console products. Labels are primarily used for billing accounting and attribution.

Tags are also a user-level annotation, specific to Compute Engine resources. Tags are primarily used to define security groups, network segmentation, and firewall rules.

Reading or updating labels and tags is tied to the permissions on the underlying resource. Labels and tags are ingested as part of the resource attributes in the Cloud SCC assets display. You can search for specific label and tag presence, and specific keys and values, during post-processing of List API results.

Using security marks

You can use security marks to group, filter, define policy groups, or add business context to assets and findings in Cloud SCC.

Security marks in the assets display

The following steps allow you to filter projects as assets that you group together under the same mark:

  1. Go to the Google Cloud Platform Console Cloud SCC Assets page.
  2. Select the organization you want to review.
  3. On the assets display that appears, under resource_properties.name, select two or more projects that you want to mark.
  4. On the right side panel, under SecurityMarks, click Add mark.
  5. Add Key and Value items to identify the projects.

    For example, if you want to mark projects that are in a production stage, add a key of "stage" and a value of "prod". Each project will then have the new mark.stage: prod.

  6. When you're finished adding marks, click Save.

The projects you selected are now associated with a mark. By default, marks display as the right side column in the assets display. To include or exclude specific marks in the assets display, select the mark name in the Columns drop-down list at the top of the displayed assets.

Security marks in the findings display

The following steps allow you to filter findings that you group together under the same mark:

  1. Go to the GCP Console Cloud SCC Findings page.
  2. Select the organization you want to review.
  3. On the findings display that appears, under Finding type, select the type of finding you want to mark.
  4. Under category, select two or more finding categories that you want to mark.
  5. On the right side panel, under SecurityMarks, click Add mark.
  6. Add Key and Value items to identify the finding categories.

    For example, if you want to mark findings that are part of the same incident, add a key of "incident-number" and a value of "1234". Each finding will then have the new mark.incident-number: 1234.

  7. When you're finished adding marks, click Save.
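The console steps above (marking assets and findings, and filtering on marks during post-processing of List API results) have an API counterpart. The following is an added example, not part of the original page: it uses the Cloud SCC v1 filter syntax `security_marks.marks.<key>` and the google-cloud-securitycenter Python client; the sample list result is constructed, and apply_marks assumes that client library and valid credentials are available.

```python
"""Security marks through the Cloud SCC v1 API (added example, not from the original page)."""


def mark_filter(marks):
    """Build a List API filter that selects assets or findings carrying ALL the given marks.

    Cloud SCC filters reference marks as security_marks.marks.<key>; keys are sorted so
    the same mark set always yields the same filter string.
    """
    clauses = [f'security_marks.marks.{key} = "{value}"' for key, value in sorted(marks.items())]
    return " AND ".join(clauses)


def marks_update_mask(marks):
    """Field-mask paths so an update touches only the listed keys and leaves other marks intact."""
    return [f"marks.{key}" for key in sorted(marks)]


def filter_by_marks(items, marks):
    """Post-process List API results locally, keeping the names of items that carry all given marks.

    Each item is the asset or finding object (the 'asset' / 'finding' field of a list result).
    """
    wanted = set(marks.items())
    kept = []
    for item in items:
        present = item.get("securityMarks", {}).get("marks", {})
        if wanted <= set(present.items()):
            kept.append(item["name"])
    return kept


def apply_marks(resource_name, marks):
    """Set marks on one asset or finding; resource_name is its full Cloud SCC name.

    Assumes google-cloud-securitycenter is installed and Application Default Credentials
    belong to a principal holding the matching Security Marks Writer role.
    """
    from google.cloud import securitycenter
    from google.protobuf import field_mask_pb2

    client = securitycenter.SecurityCenterClient()
    security_marks = {"name": f"{resource_name}/securityMarks", "marks": marks}
    mask = field_mask_pb2.FieldMask(paths=marks_update_mask(marks))
    return client.update_security_marks(request={"security_marks": security_marks, "update_mask": mask})


# Constructed sample of unwrapped list results (not real API output).
SAMPLE_ASSETS = [
    {"name": "organizations/123/assets/1", "securityMarks": {"marks": {"stage": "prod"}}},
    {"name": "organizations/123/assets/2", "securityMarks": {"marks": {"stage": "dev"}}},
    {"name": "organizations/123/assets/3", "securityMarks": {"marks": {}}},
]
```

Passing mark_filter(...) as the filter of a list_assets or list_findings request performs the same selection server-side; filter_by_marks shows the equivalent client-side post-processing.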
