Standard, Premium, and Enterprise [service tiers](/security-command-center/docs/service-tiers)

Verify that Sensitive Actions Service is working by intentionally triggering the `Persistence: project SSH key added` detector and checking for findings.

To learn more about Sensitive Actions Service, see [Sensitive Actions Service overview](/security-command-center/docs/concepts-sensitive-actions-overview).

Before you begin

To complete this guide, you must have an Identity and Access Management (IAM) role with the `compute.projects.setCommonInstanceMetadata` and `iam.serviceAccounts.actAs` permissions in the project where you will perform the test, such as the Compute Admin role (`roles/compute.admin`).
Testing Sensitive Actions Service

To test Sensitive Actions Service, you add a project-level SSH key, which may grant SSH key access to all instances in the project.

This detector doesn't generate a finding if there is already a project-level SSH key set on the project. Choose a project that doesn't already have any project-level SSH keys.

Step 1: Triggering a Sensitive Actions Service detector

To trigger the detector, you need a test user account. You can create a test user account with a gmail.com email address or use an existing user account in your organization. You add the test user account to your organization and grant it excessive permissions.

For more instructions on how to add the project-level SSH key, see [Add SSH keys to project metadata](/compute/docs/connect/add-ssh-keys#add_ssh_keys_to_project_metadata). For instructions on how to generate an SSH key, see [Create SSH keys](/compute/docs/connect/create-ssh-keys).

1. Go to the [Compute Engine Metadata](https://console.cloud.google.com/compute/metadata) page in the Google Cloud console.

   [Go to Metadata](https://console.cloud.google.com/compute/metadata)
2. Click the **SSH Keys** tab.
3. Verify that there aren't currently any SSH keys set on the project. If SSH keys are set, you will see the existing keys in a table, and the test won't work. Choose a project that doesn't have any existing project-level SSH keys for the test.
4. Click **Add SSH Key**.
5. Add a public key into the text box. For more details on how to generate an SSH key, see [Create SSH keys](/compute/docs/connect/create-ssh-keys).
6. Click **Save**.

Next, verify that the `Persistence: project SSH key added` detector has written findings.
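The precondition in step 3 (no project-level SSH key may exist, or the detector stays silent) can be checked from the command line instead of the console. The following is an added example, not code from the original page or from Google: it parses the JSON that `gcloud compute project-info describe --format=json` prints and reports every key found under the `ssh-keys` item of `commonInstanceMetadata`. The two sample documents are constructed for the example, with placeholder key material; the function names `project_ssh_keys` and `ready_for_detector_test` are this example's own.

```python
import json
import sys
from typing import Dict, List

# Constructed sample in the shape returned by
#   gcloud compute project-info describe --format=json
# (only the fields this check reads). Key material is a placeholder, not a real key.
SAMPLE_PROJECT_INFO_WITH_KEY = json.dumps({
    "name": "example-project",
    "commonInstanceMetadata": {
        "items": [
            {"key": "enable-oslogin", "value": "FALSE"},
            {"key": "ssh-keys",
             "value": "testuser:ssh-ed25519 AAAAC3PLACEHOLDERKEYMATERIAL testuser@example\n"
                      "alice:ssh-rsa AAAAB3PLACEHOLDERKEYMATERIAL alice@example"},
        ]
    },
})

# Constructed sample of a project with no project-level SSH key set.
SAMPLE_PROJECT_INFO_CLEAN = json.dumps({
    "name": "example-project",
    "commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]},
})


def project_ssh_keys(project_info_json: str) -> List[Dict[str, str]]:
    """Return the project-level SSH keys found in commonInstanceMetadata.

    The `ssh-keys` metadata value holds one key per line in the form
    `USERNAME:KEY_TYPE KEY_MATERIAL [COMMENT]`; each parsed line becomes a dict
    with the username, key type and comment (key material is not returned).
    """
    info = json.loads(project_info_json)
    # A project with no metadata at all may lack the "items" list entirely.
    items = info.get("commonInstanceMetadata", {}).get("items") or []
    keys: List[Dict[str, str]] = []
    for item in items:
        if item.get("key") != "ssh-keys":
            continue
        for line in item.get("value", "").splitlines():
            line = line.strip()
            if not line or ":" not in line:
                continue  # blank or malformed line
            username, rest = line.split(":", 1)
            parts = rest.split(None, 2)
            if len(parts) < 2:
                continue  # malformed entry without key material
            keys.append({
                "username": username,
                "key_type": parts[0],
                "comment": parts[2] if len(parts) == 3 else "",
            })
    return keys


def ready_for_detector_test(project_info_json: str) -> bool:
    """True when no project-level SSH key exists, so adding one will
    trigger `Persistence: project SSH key added`."""
    return not project_ssh_keys(project_info_json)


if __name__ == "__main__":
    # Live use: gcloud compute project-info describe --format=json | python3 this_script.py
    # Without piped input the constructed sample with keys is checked instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROJECT_INFO_WITH_KEY
    found = project_ssh_keys(data)
    for key in found:
        print(f"project-level key: user={key['username']} type={key['key_type']} "
              f"comment={key['comment']!r}")
    if ready_for_detector_test(data):
        print("OK: no project-level SSH keys; the detector test can run here.")
    else:
        print(f"NOT READY: {len(found)} project-level SSH key(s) already set; pick another project.")
```

The same check is useful after the clean-up at the end of this guide: rerun it and confirm that `ready_for_detector_test` reports the project as clean, which shows that the test key really was removed from project metadata rather than left behind as a standing credential.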
Step 2: Viewing the finding in Security Command Center

To review Sensitive Actions Service findings in the console, follow these steps:

1. In the Google Cloud console, go to the **Findings** page of Security Command Center.

   [Go to Findings](https://console.cloud.google.com/security/command-center/findingsv2)
2. Select your Google Cloud project or organization.
3. In the **Quick filters** section, in the **Source display name** subsection, select **Sensitive Actions Service**. The findings query results are updated to show only the findings from this source.
4. To view the details of a specific finding, click the finding name in the **Category** column. The details panel for the finding opens and displays the **Summary** tab.
5. On the **Summary** tab, review the details of the finding, including information about what was detected, the affected resource, and, if available, steps that you can take to remediate the finding.
6. Optional: To view the full JSON definition of the finding, click the **JSON** tab.
Step 3: Viewing the finding in Cloud Logging

You can view sensitive action log entries by using Cloud Logging.

1. Go to **Logs Explorer** in the Google Cloud console.

   [Go to Logs Explorer](https://console.cloud.google.com/logs/query)
2. If required, change to the organization view by using the **Organization selector** at the top of the page.
3. Use the **Query** pane to build your query:
   1. In the **All resources** list, select **sensitiveaction.googleapis.com/Location**.
   2. Click **Apply**. The **Query results** table is updated with the logs you selected.
4. To view a log, click a table row, and then click **Expand nested fields**.

Clean up

When you're finished testing, remove the project-level SSH key.

1. Go to the **Compute Engine Metadata** page in the Google Cloud console.

   [Go to Metadata](https://console.cloud.google.com/compute/metadata)
2. Click **Edit**.
3. Click **Delete item** next to the SSH key.
4. Click **Save**.

What's next

- Learn more about [using Sensitive Actions Service](/security-command-center/docs/how-to-use-sensitive-actions).
- Read a high-level overview of [Sensitive Actions Service concepts](/security-command-center/docs/concepts-sensitive-actions-overview).
- Learn how to [investigate and develop response plans](/security-command-center/docs/how-to-investigate-threats) for threats.

Last updated 2025-09-10 UTC.