Overview of activating Security Command Center

You can activate Security Command Center at different tiers: Standard, Premium, or Enterprise. If you select the Standard tier or the Premium tier, you can activate Security Command Center for an entire organization (organization-level activation) or for individual projects (project-level activation). If you select the Enterprise tier, you can activate Security Command Center at the organization level only.

The activation process differs by tier. Also, when you activate Security Command Center at the project level, certain detection modules and service integrations are not available, due to Security Command Center's reduced scope of access.

If you require data residency control, which is currently released to Preview, you must enable it when you activate Security Command Center. Data residency control is supported only with organization-level activations of the Standard tier or the Premium tier.

Overview of organization-level activation

Activating Security Command Center at the organization level is considered a best practice because it provides the most complete protection for your business by allowing Security Command Center to access and scan resources and assets across all of the folders and projects in the organization.

With the appropriate IAM permissions, you can activate the Standard tier for an organization yourself by using the Google Cloud console.

To activate the Premium tier for an organization, you use pay-as-you-go pricing. The pay-as-you-go pricing gives you the flexibility to base your Security Command Center charges on usage of Google Cloud services. Your usage is charged to the billing accounts associated with the projects in your organization. With the appropriate IAM permissions, you can activate the Premium tier using the pay-as-you-go option yourself by using the Google Cloud console.

To activate the Enterprise tier for an organization, you must purchase a subscription from Google Cloud sales or your Google Cloud partner.

For more information about the pricing options for the Enterprise tier or the Premium tier, see Pricing.

You use the Google Cloud console to enable and configure Security Command Center. If you are enabling Security Command Center for the first time, the Google Cloud console guides you through the setup.

For step-by-step instructions on enabling and configuring Security Command Center for an organization, see one of the following:

Overview of project-level activation

Activating Security Command Center on an individual project gives you the flexibility to use Security Command Center for only the projects that matter to you most and to base your Security Command Center charges on the resource usage in that project alone.

For a project-level activation, you can activate the Standard or Premium tiers of Security Command Center yourself in the Google Cloud console, as long as you have the appropriate IAM permissions. You don't need to contact Sales first.

With project-level activations, the charges for the Premium tier are based on the usage of certain Google Cloud resources in the project and are billed to the project by using a pay-as-you-go model.

When you activate Security Command Center at the project level, Security Command Center's access to logs, data, and other resources is limited to the project in which it is activated. Consequently, any services that require data from outside of the project are either not available or they cannot produce their full set of findings. For more information about the findings and services that are not available with a project-level activation, see Feature availability with project-level activations.

Data residency control is not supported with project-level activations of Security Command Center.

Optimize project-level activations by activating the Standard tier at the organization level

To optimize project-level activations of the Premium tier, we recommend that you activate the Standard tier of Security Command Center at the organization level.

Activating the Standard tier at the organization level lets you manage multiple project-level activations globally and ensures that any Standard-tier detection modules or service integrations that require organization-level activation are available to the projects.

For more information, see Standard tier features that require an organization-level activation.

When to use project-level activation

Typically, you activate Security Command Center for a project in the following scenarios:

  • Your organization doesn't currently use Security Command Center at any tier. In this case, you can activate Security Command Center for a project at either the Standard tier or the Premium tier.
  • The organization is currently using the Standard tier. In this case, you can activate only the Premium tier for a project, because every project in the organization can already use the Standard tier.
  • The organization is currently using the Premium tier, but you only require Security Command Center Premium tier for particular projects. In this case, you must downgrade the organization-level activation to the Standard tier for the project-level Premium tier activation to take effect. If you are using an organization-level subscription, this change only comes into effect after the subscription expires.

View your current activation type

The activation type for Security Command Center determines whether Security Command Center is activated at the project level or the organization level, the tier, and the pricing option.

When you open a project in the Google Cloud console, the level at which Security Command Center is activated—the project level or the organization level—is not immediately obvious, because the project could be inheriting the use of Security Command Center from its parent organization.

To determine whether Security Command Center is already activated and to view your current activation type for Security Command Center, complete the following:

  1. In the Google Cloud console, go to Security Command Center.

  2. Select the organization or project that you need to check.

  3. If Security Command Center is active in either the organization or the project, the Security Command Center Overview page displays. If it is not active in either, the Get Security Command Center page displays. For activation instructions, see Activate Security Command Center for an organization or Activate Security Command Center for a project.

  4. On the Security Command Center Overview page for the organization or project, select Settings.

  5. On the Settings page, select the Tier detail tab.

  6. On the Tier detail tab, determine your activation type by checking the Tier and Billing status rows:

    • Tier: Shows the tier (Enterprise, Premium, or Standard) for the organization or project. If the organization is set to the Enterprise or Premium tier, all projects inherit the Enterprise or Premium tier automatically and the Google Cloud console displays a banner that describes this inheritance. When the organization is set to the Enterprise or Premium tier, then, at the project level, this setting shows the tier that the project will use if you downgrade the organization's tier to the Standard tier.

    • Billing row: One of the following:

      • Active: Indicates that your Premium tier pricing is using the pay-as-you-go option for the organization or project.

      • Paused: Indicates that the Enterprise or Premium tier is active at the organization level and being inherited by this project.

      • Expiry date: Indicates that your organization-level activation of Enterprise or Premium tier is using a subscription.

      • If the billing row isn't shown: Indicates that the Standard tier is active for the organization or project. Projects can inherit the Standard tier from the organization.

    Text above the Manage tier button in the Google Cloud console describes what tiers and activation options are available to you.

    • Add-ons: Shows any Security Command Center add-ons that have been granted through subscriptions to other Google Cloud products. These add-ons automatically grant access to a limited number of relevant Premium tier services and detection modules.

View when Security Command Center was activated

To find out when Security Command Center was activated, you can use a Cloud Logging query. This query returns results if the activation was completed during the log retention period.

  1. In the Google Cloud console, go to the Logs Explorer page.

  2. Select the organization that you activated Security Command Center in.
  3. Run the following query:

       protoPayload.serviceName="securitycenter.googleapis.com"
       protoPayload.request.securityHealthAnalyticsSettings.serviceEnablementState="ENABLED"
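The same lookup from a terminal, as an added example that is not part of the original page: it wraps `gcloud logging read` with the query above and returns the earliest matching timestamp. `gcloud logging read` looks back only one day by default, so the lookback is passed explicitly; the function names, `ORG_ID`, and the `400d` default are assumptions to adapt to your organization and log retention.

```shell
#!/bin/sh
# Added example (not from the original page). ORG_ID and the lookback window
# are values you supply; 400d is an assumed default, set it to your retention.

# Build the filter from the page's query; its two lines are joined with AND.
scc_activation_filter() {
  printf '%s AND %s' \
    'protoPayload.serviceName="securitycenter.googleapis.com"' \
    'protoPayload.request.securityHealthAnalyticsSettings.serviceEnablementState="ENABLED"'
}

# Print the timestamp of the earliest matching entry for an organization.
# Returns 1 when nothing matches, which means the activation falls outside
# the lookback window or the log retention period.
scc_activation_time() {
  org_id=$1
  lookback=${2:-400d}
  if [ -z "$org_id" ]; then
    echo "usage: scc_activation_time ORG_ID [LOOKBACK]" >&2
    return 2
  fi
  # Oldest entry first, one result: the first time the state became ENABLED.
  ts=$(gcloud logging read "$(scc_activation_filter)" \
        --organization="$org_id" \
        --freshness="$lookback" \
        --order=asc --limit=1 \
        --format='value(timestamp)') || return $?
  if [ -z "$ts" ]; then
    echo "no matching entry in the last $lookback" >&2
    return 1
  fi
  printf '%s\n' "$ts"
}

# Usage (ORG_ID is a placeholder for your numeric organization ID):
#   scc_activation_time ORG_ID 400d
```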