Manage a security posture

This page describes how you can configure and use the security posture service after you activate Security Command Center. To start, you must create a posture that includes your policies, organized in policy sets, and then deploy the posture using a posture deployment. After a posture is deployed, you can monitor for drift and further refine your posture over time.

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Activate the Security Command Center Premium or Enterprise tier

Verify that the Security Command Center Premium tier or Enterprise tier is activated at the organization level.

If you want to use Security Health Analytics detectors as policies, select the Security Health Analytics service during the activation process.

Set up permissions

To get the permissions that you need to use posture, ask your administrator to grant you the Security Posture Admin (roles/securityposture.admin) IAM role. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

For more information about security posture roles and security posture permissions, see IAM for organization-level activations.

Set up Google Cloud CLI

You must use Google Cloud CLI version 461.0.0 or later.

You can use the gcloud CLI samples on this page from either of the following development environments:

• Cloud Shell: To use an online terminal with the gcloud CLI already set up, activate Cloud Shell.

  At the bottom of this page, a Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize.

• Local shell: To use the gcloud CLI in a local development environment, install and initialize the gcloud CLI.

To set up the gcloud CLI to use service account impersonation to authenticate to Google APIs, rather than your user credentials, run the following command:

gcloud config set auth/impersonate_service_account SERVICE_ACCT_EMAIL

For more information, see Service account impersonation.

Enable APIs

Enable the Organization Policy Service and the security posture service APIs:

gcloud services enable orgpolicy.googleapis.com  securityposture.googleapis.com

Configure connection to AWS

To use built-in Security Health Analytics detectors that are specific to AWS, you must activate Security Command Center Enterprise and connect to AWS for vulnerability detection.

Create and deploy a posture

To start using a security posture, you must complete the following:

• Create a posture YAML file that defines the policies that apply to your security posture.

• Create a posture in Google Cloud that is based on the posture YAML file.

• Deploy the posture.

The following sections provide detailed instructions.

Create a posture YAML file

A posture consists of one or more policy sets that you deploy together. These policy sets include all the preventative and detective policies that you want to include in your posture.

To create your posture, do one of the following:

• Copy a predefined posture template. If required, make any edits to the policies so that they apply to your environment and comply with your business's regulatory and security standards. For instructions, see Create a posture file from a predefined posture template.

• Extract existing policies from your environment. If required, make any edits to the policies so that they comply with your business's regulatory and security standards. For instructions, see Create a posture file by extracting policies from an existing environment.

• Create a Terraform resource that defines the posture. For instructions, see Create a Terraform resource with policy definitions.

Postures are YAML files. For more information about the posture.yaml file and its key value pairs, see Security posture YAML file.

Create a posture file from a predefined posture template

You can use a predefined posture template to create a posture file.

Create a posture file by extracting policies from an existing environment

You can extract the policies (organization policies, including custom policies and all Security Health Analytics detectors, including custom detectors) that you configured in an existing project, folder, or organization to create a posture file. You can't extract policies from an organization, folder, or project that already has a posture applied to it.

This command only extracts the policies that you previously configured for the organization, folder, or project and doesn't extract policies from parent folders or organization.

If you connected Security Command Center Enterprise to AWS, this command also extracts the detectors that are specific to AWS (Preview).

1. Run the gcloud scc postures extract command to extract the existing organization policies and Security Health Analytics detectors in your environment.

   gcloud scc postures extract \
   POSTURE_NAME --workload=WORKLOAD

   Replace the following values:

   • POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_ID.

     • LOCATION is global.

     • POSTURE_ID is an alphanumeric name for your posture that is unique to your organization. POSTURE_ID is limited to 63 characters.

   • WORKLOAD is the project, folder, or organization that you are extracting the policies from. The workload is one of the following:

     • projects/PROJECT_NUMBER

     • folder/FOLDER_ID

     • organizations/ORGANIZATION_ID

   For example, to extract policies from the 3589215982 folder under the 6589215984 organization, run the following:

   gcloud scc postures extract organizations/6589215984/locations/global/postures/myStagingPosture folder/3589215982 > posture.yaml

2. Open the resulting posture.yaml file for editing.

3. Complete one of the following actions:

   • If you can use the posture without making any changes (for example, you used one of the _essentials templates), you can create the posture. For instructions, see Create a posture.

   • If you need to modify any of the policy sets or policies, complete Modify a posture YAML file.

Create a Terraform resource with policy definitions

You can create a Terraform configuration to create a posture resource.

For example, you can create a posture resource that includes built-in and custom organization policy constraints and built-in and custom Security Health Analytics detectors. Posture management support for built-in Security Health Analytics detectors that are specific to AWS is in Preview.

resource "google_securityposture_posture" "posture_example" {
  posture_id  = "<POSTURE_ID>"
  parent      = "organizations/<ORGANIZATION_ID>"
  location    = "global"
  state       = "ACTIVE"
  description = "a new posture"
  policy_sets {
    policy_set_id = "org_policy_set"
    description   = "set of org policies"
    policies {
      policy_id = "canned_org_policy"
      constraint {
        org_policy_constraint {
          canned_constraint_id = "storage.uniformBucketLevelAccess"
          policy_rules {
            enforce = true
          }
        }
      }
    }
  }
  policy_sets {
    policy_set_id = "sha_policy_set"
    description   = "set of sha policies"
    policies {
      policy_id = "sha_builtin_module"
      constraint {
        security_health_analytics_module {
          module_name             = "BIGQUERY_TABLE_CMEK_DISABLED"
          module_enablement_state = "ENABLED"
        }
      }
      description = "enable BIGQUERY_TABLE_CMEK_DISABLED"
    }
    policies {
      policy_id = "aws_sha_builtin_module"
      constraint {
        security_health_analytics_module {
          module_name             = "S3_BUCKET_LOGGING_ENABLED"
          module_enablement_state = "ENABLED"
        }
      }
      description = "enable S3_BUCKET_LOGGING_ENABLED"
    }
    policies {
      policy_id = "sha_custom_module"
      constraint {
        security_health_analytics_custom_module {
          display_name = "custom_SHA_policy"
          config {
            predicate {
              expression = "resource.rotationPeriod > duration('2592000s')"
            }
            custom_output {
              properties {
                name = "duration"
                value_expression {
                  expression = "resource.rotationPeriod"
                }
              }
            }
            resource_selector {
              resource_types = ["cloudkms.googleapis.com/CryptoKey"]
            }
            severity       = "LOW"
            description    = "Custom Module"
            recommendation = "Testing custom modules"
          }
          module_enablement_state = "ENABLED"
        }
      }
    }
  }
}

For more information, see google_securityposture_posture.

Modify a posture YAML file

Complete the following steps to modify a posture YAML file:

1. Open your posture YAML file in a text editor.

2. Verify the name, description, and state at the beginning of the file.

   name: organizations/ORGANIZATION_ID/locations/LOCATION/posture/POSTURE_ID
   description: DESCRIPTION
   state: STATE
   

   See Security posture YAML file for a description of these key values.

   For example:

   name: organizations/3589215982/locations/global/posture/stagingAIPosture
   description: This posture applies to staging environments for Vertex AI.
   state: ACTIVE
   

3. Customize the policies within the file to meet your requirements:

   1. Review the existing policies and their values. For policies that require information that is specific to your environment, set the values appropriately. For example, for the ainotebooks.accessMode policy in the secure AI, extended predefined posture, add the allowed modes of access under policy_rules:

        - policy_id: Define access mode for Vertex AI Workbench notebooks and instances
          compliance_standards:
          - standard: NIST SP 800-53
            control: AC-3(3)
          - standard: NIST SP 800-53
            control: AC-6(1)
          constraint:
            org_policy_constraint:
              canned_constraint_id: ainotebooks.accessMode
              policy_rules:
              - values:
                  allowed_values: service-account
          description: This list constraint defines the modes of access allowed to Vertex AI Workbench notebooks and instances where enforced. The allow or deny list can specify multiple users with the service-account mode or single-user access with the single-user mode. The access mode to be allowed or denied must be listed explicitly.
      

   2. Add additional organization policy constraints, as documented in Organization policy constraints. If you are defining a custom organization policy, ensure that the YAML file includes the custom constraint definition. You can't use a custom constraint that you created using other methods (for example, using the Google Cloud console). For example, you might want to set the compute.trustedImageProjects constraint to define projects can be used for image storage and disk instantiation. If you copy this example, ensure that you replace allowed_values with suitable list of projects:

        - policy_id: Define projects with trusted images.
          compliance_standards:
          - standard:
            control:
          constraint:
            org_policy_constraint:
              canned_constraint_id: compute.trustedImageProjects
              policy_rules:
              - values:
                  allowed_values:
                  - project1
                  - project2
                  - projectN
          description: This is a complete list of projects from which images can be used.
      

   3. Add additional Security Health Analytics detectors, such as those documented in Security Health Analytics findings. For example, add a Security Health Analytics detector to create a finding if a project is not using an API key for authentication:

        - policy_id: API Key Exists
          constraint:
            securityHealthAnalyticsModule:
              moduleEnablementState: ENABLED
              moduleName: API_KEY_EXISTS
      

      As another example, add a Security Health Analytics custom module to detect whether Vertex AI datasets are encrypted:

        - policy_id: CMEK key is use for Vertex AI DataSet
          compliance_standards:
          - standard: NIST SP 800-53
            control: SC-12
          - standard: NIST SP 800-53
            control: SC-13
          constraint:
            security_health_analytics_custom_module:
              display_name: "vertexAIDatasetCMEKDisabled"
              config:
                customOutput: {}
                predicate:
                  expression: "!has(resource.encryptionSpec)"
                resource_selector:
                  resource_types:
                  - aiplatform.googleapis.com/Dataset
                severity: CRITICAL
                description: "When enforced, this detector finds whether a dataset is not encrypted using CMEK."
                recommendation: "Restore the SHA module. See https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview."
              module_enablement_state: ENABLED
      

      As another example, for Security Command Center Enterprise, add a Security Health Analytics detector that's specific to AWS (Preview):

      - policy_set_id: AWS policy set
        description:  Policy set containing AWS built-in SHA modules for securing S3 buckets.
        policies:
        - policy_id: S3 bucket replication enabled
          compliance_standards:
          - standard: NIST 800-53 R5
            control: SI-13(5)
          constraint:
            securityHealthAnalyticsModule:
              moduleEnablementState: ENABLED
              moduleName: S3_BUCKET_REPLICATION_ENABLED
          description: This control checks whether an Amazon S3 bucket has Cross-Region Replication enabled. The control fails if the bucket does not have Cross-Region Replication enabled or if Same-Region Replication is also enabled.
      
        - policy_id: S3 bucket logging enabled
          compliance_standards:
          - standard: NIST 800-53 R5
            control: SI-7(8)
          - standard: PCI DSS 3.2.1
            control: 10.3.1
          constraint:
            securityHealthAnalyticsModule:
              moduleEnablementState: ENABLED
              moduleName: S3_BUCKET_LOGGING_ENABLED
          description: AWS S3 Server Access Logging feature records access requests to storage buckets which is useful for security audits. By default, server access logging is not enabled for S3 buckets.
      

      If you add a detector that's specific to AWS, you must deploy the posture at the organization level.

4. Upload your posture file to a version-controlled source repository so that you can track the changes that you make to it over time.

Create a posture

Complete this task to create a posture resource in Security Command Center that you can deploy. If you created a posture from a predefined posture template using the Google Cloud console, the posture resource is created automatically for you.

Deploy a posture

After you create a posture, you deploy it to a project, folder, or organization so that you can apply the policies and their definitions to specific resources in your organization and monitor for drift. You can only deploy one posture to a project, folder, or organization.

Verify that your posture state is ACTIVE.

When you deploy the posture, the following actions occur:

• The definitions for organization policies and Security Health Analytics detectors are applied.

• The custom constraint for custom organization policies is created with constraint ID to include the posture revision ID as a suffix to the constraint ID that you defined in the posture.

• The default state for the custom modules is set to Enabled.

gcloud scc posture-deployments create \
POSTURE_DEPLOYMENT_NAME  --posture-name=POSTURE_NAME \
--posture-revision-id=POSTURE_REVISION_ID \
--target-resource=TARGET_RESOURCE

gcloud scc posture-deployments create
organizations/3589215982/locations/global/postureDeployments/postureDeployment123
--posture-name=organizations/3589215982/locations/global/postures/StagingAIPosture
--posture-revision-id=version1 --target-resource=projects/4589215982

  resource "google_securityposture_posture_deployment" "posture_deployment_example" {
    posture_deployment_id          = "<POSTURE_DEPLOYMENT_ID>"
    parent = "organizations/<ORGANIZATION_ID>"
    location = "global"
    description = "a new posture deployment"
    target_resource = "<TARGET_RESOURCE>"
    posture_id = "<POSTURE_NAME>"
    posture_revision_id = "<POSTURE_REVISION_ID>"
  }

View posture and posture deployment information

You can view posture and posture deployment information to see information such as the following:

• What postures are deployed and where in the resource hierarchy (organizations, projects, and folders) they are applied

• The revisions and state of postures

• The operational details of a posture deployment

View a posture

You can view information about a posture (such as its state and policy definitions).

gcloud scc postures describe POSTURE_NAME \
--revision-id=REVISION_ID

gcloud scc postures describe \
organizations/3589215982/locations/global/postures/posture-example-1
--revision-id=abcdefgh

View information about a posture deployment operation

Run the gcloud scc securityposture-operations describe command to view the operation details for a posture deployment operation.

gcloud scc securityposture-operations describe OPERATION_NAME

Where OPERATION_NAME is the relative resource name for the operation. The format is organizations/ORGANIZATION_ID/LOCATION/global/operations/OPERATION_ID. LOCATION is the location where you deployed the posture deployment. You can obtain the OPERATION_ID by using the --async argument when you run the posture command.

For example, to view a scan operation with the name organizations/3589215982/locations/global/operations/operation-1694515698847-605272e4bcd7c-f93dade6-067467ae, run the following:

gcloud scc securityposture-operations describe
organizations/3589215982/locations/global/operations/operation-1694515698847-605272e4bcd7c-f93dade6-067467ae

View information about a posture deployment

You can view where a posture is deployed to, as well as the deployment state.

gcloud scc posture-deployments describe
POSTURE_DEPLOYMENT_NAME

gcloud scc posture-deployments describe \
organizations/3589215982/locations/global/postureDeployments/Posture-deployment-example-1

Update a posture and posture deployment

You can update the following:

• The state of the posture.

• The policy definitions in a posture.

• The organization, folders, or projects that a posture is deployed to.

Update the policy definitions in a posture

You might need to update a posture when you enable more Google Cloud services, deploy additional resources, or require additional policies to meet new or changing compliance requirements. If you are updating a deployed posture revision, this task creates a new posture revision. Otherwise, the posture revision that you specify when you run the update command is updated.

1. Open a YAML file in a text editor. Add the fields you want to update, along with their values. If you are updating policy sets, ensure that your file includes all the policy sets that you want to include in the posture, including the policy sets that already exist. For instructions, see Modify a posture YAML file.

2. Run the gcloud scc postures update command to update the posture.

   gcloud scc postures update POSTURE_NAME \
   --posture-from-file=POSTURE_FROM_FILE \
   --revision-id=POSTURE_REVISION_ID --update-mask=UPDATE_MASK

   Replace the following values:

   • POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_ID.

     • LOCATION is global.

     • POSTURE_ID is an alphanumeric name for your posture that is unique to your organization.

   • POSTURE_FROM_FILE is the relative or absolute path to the posture.yaml file that includes your changes.

   • --revision-id=REVISION_ID is the posture revision that you want to deploy. If the posture is currently deployed, the security posture service automatically creates a new version of the posture with a different revision ID and includes the revision ID in the output.

   • --update-mask=UPDATE_MASK is the list of fields that you want to update, in comma-separated format. This argument is optional. You can set UPDATE_MASK to one of the following values:

     • * or unspecified: Apply the changes that you made to the policy sets and posture description.
     • policy_sets: Apply the changes that you made to the policy sets only.
     • description: Apply the changes that you made to the posture description only.
     • policy_sets, description: Apply the changes that you made to the policy sets and posture description.
     • state: Apply the state change only.

   For example, to update a posture with the name posture-example-1 under the organization organizations/3589215982/locations/global and the revision ID set to abcd1234, run the following:

   gcloud scc postures update organizations/3589215982/locations/global/posture-example-1 --posture-from-file=posture.yaml --revision-id=abcd1234 --update-mask=policy_sets

   If the posture update process fails, troubleshoot the error, and try again.

3. To verify that the posture updated successfully, see View a posture.

Change the state of a posture

The state of a posture determines whether it is available for deployment to a project, folder, or organization.

A posture can have the following states:

• DRAFT: The posture revision is not ready for deployment. You cannot deploy a posture revision that is in the DRAFT state.

• ACTIVE: The posture revision is available for deployment. You can change the state from ACTIVE to DRAFT or DEPRECATED.

• DEPRECATED: A DEPRECATED posture revision cannot be deployed to a resource. You must delete all existing posture deployments of the posture before you can deprecate a posture revision. If you want to redeploy a posture revision that you deprecated, you must change its state to ACTIVE.

To change the state of a posture, run the gcloud scc postures update command. You can't update the posture state at the same time that you update other fields. For instructions about running the gcloud scc postures update command, see Modify a posture YAML file.

Update a posture deployment

Update a posture deployment on a project, folder, or organization to deploy a new posture or deploy a new revision of a posture.

If the posture revision that you're updating includes a custom organization constraint that was deleted using the Google Cloud console, you can't update the posture deployment using the same posture ID. The Organization Policy Service prevents the creation of custom organization constraints that have the same name. Instead, you must create a new version of the posture or use a different posture ID.

gcloud scc posture-deployments update \
POSTURE_DEPLOYMENT_NAME --description=DESCRIPTION \
--update-mask=UPDATE_MASK --posture-id=POSTURE_ID \
--posture-revision-id=POSTURE_REVISION_ID

gcloud scc posture-deployments update
organizations/3589215982/locations/global/postureDeployments/postureDeploymentexample
--posture-id=organizations/3589215982/locations/global/postures/StagingAIPosture
--posture-revision-id=version2

Monitor posture drift

You can monitor a deployed posture for drift from your defined policies within security posture. Drift is a change to a policy that occurs outside of a posture. For example, drift occurs when an administrator changes a policy definition in the console instead of updating the posture deployment.

The security posture service creates findings that you can view in the Google Cloud console or gcloud CLI whenever drift occurs.

gcloud scc findings list ORGANIZATION_ID \
--filter="category=\"SECURITY_POSTURE_DRIFT\""

For more information about addressing these findings, see Security posture service findings. You can export these findings in the same way that you export any other findings from Security Command Center. For more information, see Integration options and Exporting Security Command Center data.

To inactivate a drift finding, you can update the posture deployment with the same posture ID and posture revision.

Generate a drift finding for testing purposes

After you deploy a posture, you can monitor for drift from your policies. To see drift findings in action in a testing environment, complete the following:

1. In the console, go to the Organization policy page.

   Go to Organization policy

2. Edit one of the policies that you defined in the deployed posture. For example, if you use a predefined secure AI posture, you could edit the Restrict public IP access on new Vertex AI Workbench notebooks and instances policy.

3. After you change the policy, click Set Policy.

4. Go to the Findings page.

   Go to Findings

5. In the Quick filters pane, in the Source display name section, select Security Posture. A finding related to your change should appear within five minutes.

6. To view the details for the finding, click the finding.

Delete a posture deployment

You can delete a posture deployment if it didn't deploy properly, you no longer require a particular posture, or you no longer want a particular posture assigned to a project, folder, or organization. To delete a posture deployment, the posture deployment must be in one of the following states:

• ACTIVE
• CREATE_FAILED
• UPDATE_FAILED
• DELETE_FAILED

To verify the state of a posture deployment, see View information about a posture deployment.

When you delete a posture deployment, you remove the posture from the resource (your organization, folder, or project) that you assigned it to.

The output for different types of policies are:

• When you delete a posture deployment that includes custom organization policies, the custom organization policies are deleted. However, the custom constraint continues to exist.

• When you delete a posture deployment that includes built-in Security Health Analytics detectors, the final state of the Security Health Analytics modules is dependent on the organization, folder, or project on which the deployment existed.

  • If you deployed a posture on a folder or project, built-in Security Health Analytics detectors inherit their state from the parent organization or folder.
  • If you deployed a posture at the organization level, built-in Security Health Analytics detectors revert to the default state. For a description of the default states, see Enable and disable detectors.

Run the gcloud scc posture-deployments delete command to delete a posture deployment.

gcloud scc posture-deployments delete
POSTURE_DEPLOYMENT_NAME

POSTURE_DEPLOYMENT_NAME is the relative resource name for the posture deployment. The format is organizations/ORGANIZATION_ID/locations/LOCATION/postureDeployments/POSTURE_DEPLOYMENT_ID.

• LOCATION is global.

• POSTURE_DEPLOYMENT_ID is the unique name for the posture deployment.

For example, to delete a posture deployment that is named organizations/3589215982/locations/global/postureDeployments/posture-deployment-example-1, run the following:

gcloud scc posture-deployments delete \
organizations/3589215982/locations/global/postureDeployments/posture-deployment-example-1

Delete a posture

When you delete a posture, you also delete all revisions. You can't delete a posture that is deployed. You must delete the posture deployment before you can complete this task.

Run the gcloud scc postures delete command to delete a posture.

gcloud scc postures delete POSTURE_NAME

POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_ID. The posture ID is an alphanumeric name for your posture that is unique to your organization. LOCATION is global.

For example, to delete a posture that is named organizations/3589215982/locations/global/postures/posture-example-1, run the following:

gcloud scc postures delete \
organizations/3589215982/locations/global/postures/posture-example-1

What's next

• Review information about security posture.

• Check the audit logs for posture-related operations.

• Export security posture service data.