
Quickstart for Cloud Security Command Center

This page walks you through setting up Cloud Security Command Center (Cloud SCC) for your organization, accessing Cloud SCC, and using some basic features to configure the display and review your Google Cloud Platform (GCP) resources.

Before you begin

To use Cloud SCC, you must have a Cloud Identity and Access Management (Cloud IAM) role that includes appropriate permissions:

  • To set up Cloud SCC for the first time for your organization, you must have the Cloud IAM Organization Administrator role - roles/resourcemanager.organizationAdmin. Learn more about managing organizations.
    • If your organization policies are set to restrict identities by domain, you must be signed in to the GCP Console on an account that's in an allowed domain.
  • If Cloud SCC is already set up for your organization and you only want to use Cloud SCC, you must have one of the following Cloud IAM roles:
    • To view Cloud SCC, you must have the Security Center Admin Viewer Cloud IAM role.
    • To make changes to Cloud SCC, you must have an appropriate editor role, like Security Center Admin Editor.
      Learn more about Cloud SCC roles.

Setting up Cloud SCC for your organization

To set up Cloud SCC for your organization, you'll first add Cloud IAM roles, then enable the Cloud SCC dashboard, and finally enable security sources to surface findings in the Cloud SCC dashboard.

To complete this section, you must have the Organization Administrator role for the organization. Learn more about managing organizations.

Step 1: Add Cloud IAM roles

To enable the Cloud SCC service, you must have the Security Center Admin Cloud IAM role. You must add this role for yourself even if you're the organization owner.

  1. Go to the GCP Console IAM & Admin page.
  2. Click the Project selector drop-down list at the top of the page.
  3. On the Select from dialog that appears, select the organization for which you want to enable Cloud SCC.
  4. On the IAM page, next to your username, click Edit.
  5. On the Edit permissions panel that appears, click Add another role.
  6. On the Select a role drop-down list, select Security Command Center > Security Center Admin.
  7. If you don't already have the Organization Administrator role, repeat the steps above to add the role. If you don't have permissions to add the role, ask your organization super admin to grant you the role.
  8. When you're finished adding roles, click Save.

You now have the Security Center Admin and Organization Administrator Cloud IAM roles for your organization.

Step 2: Enable the Cloud SCC dashboard

  1. Go to the GCP Console Security Command Center Marketplace page.
  2. On the Marketplace page, click Go to Cloud Security Command Center.
  3. The GCP Console Security Command Center page loads automatically.
  4. On the Organization drop-down list, select the organization for which you want to enable Cloud SCC, and then click Select.
  5. On the Enable asset discovery page that appears, select All current and future projects, and then click Enable. A message should display that Cloud SCC is beginning asset discovery.
    • A message might display that the service can't be enabled and that you must have the Security Center Admin and Organization Admin roles for the current organization. If you already have these roles, check whether your organization policies are set to restrict identities by domain, and make sure that you're signed in to an account that's in an allowed domain.

After asset discovery is complete, Cloud SCC will display your supported GCP assets. This might take a few minutes, and you might need to refresh the page to display the assets.

Step 3: Enable security sources

To view findings in the Cloud SCC dashboard, you need to enable the security scanners you're using as security sources. Cloud Anomaly Detection findings are automatically available, and Cloud Security Scanner findings will be available if you've completed the Cloud Security Scanner quickstart.

To enable a security source, follow the steps below:

  1. Go to the GCP Console Security Command Center page.
  2. Click Settings on the top right, and then select the Security Sources tab.
  3. Under Enabled, click the toggle next to the security source you want to enable.

Findings for the security sources you select will display in the Findings cards on the Cloud SCC dashboard.

Accessing the dashboard

This section walks you through accessing Cloud SCC and using some basic features to configure the display and review your GCP resources.

To access the Cloud SCC dashboard:

  1. Go to the GCP Console Security Command Center page.
  2. Select the organization you want to review.

The Cloud SCC dashboard displays a basic overview of potential security risk findings. The dashboard includes the summary cards described below.

Viewing Assets Summary

Assets Summary displays a count of each type of asset in your organization as of the most recent scan. The assets display includes new, deleted, and total assets for the time period you specify. You can view the summary as a table or a graphical chart.

  • To view asset details for a specific time range, select a range from the drop-down list at the top of the Assets card.
    • To view asset details from a specific date and time, click View all assets, then select the date and time on the time drop-down list on the top right.
  • To display more detail about individual assets and your organization's tree hierarchy, click View all assets or any asset type under Assets Summary.

Viewing Findings Summary

Findings Summary displays a count of each category of finding that the enabled finding sources provide. You can group Findings by the finding source type to help you identify which detector is the source, or by detection category type like cross-site scripting (XSS) or coin-mining.

  • To display detail about all findings, click the Findings tab on the dashboard.
  • To display details about findings in a specific category, click the finding under category.

Running common queries

This section describes how to run common queries to review your resources using Cloud SCC. You can only select these filters in the Cloud SCC dashboard if your organization has the related resource type.

Find buckets with public legacy ACLs

  1. Go to the Google Cloud Platform Console Security Command Center > Assets page.
  2. In the Filter by text box:
    1. Type resource_properties.acl:allUsers, and then press Enter.
    2. Click the Filter by text box, and then select OR on the drop-down list.
    3. Type resource_properties.acl:allAuthenticatedUsers, and then press Enter.

Find firewall rules with SSH port 22 open

The following filter finds firewall rules with SSH port 22 open from any network.

  1. Go to the Google Cloud Platform Console Security Command Center > Assets page.
  2. In the Filter by text box:
    1. Type resource_properties.allowed:22, and then press Enter.
    2. Click the Filter by text box, and then select OR on the drop-down list.
    3. Type resource_properties.sourceRange:0.0.0.0/0, and then press Enter.
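
The two terms in this filter are joined with OR, so the result includes rules that match either one and still needs review. The following Python is an added example, not part of the original page or Google's code: it compares that match with a structured check over exported firewall rules. The record shape, the sample rules, and the treatment of `:` as a substring match are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample firewall assets. Keys mirror the filter fields on this page
# (allowed, sourceRange); the record shape is an assumption for illustration.
SAMPLE_RULES = [
    {"name": "ssh-world", "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRange": ["0.0.0.0/0"]},
    {"name": "ssh-office", "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRange": ["203.0.113.0/24"]},
    {"name": "web-world", "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}], "sourceRange": ["0.0.0.0/0"]},
    {"name": "range-world", "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}], "sourceRange": ["0.0.0.0/0"]},
    {"name": "alt-ssh-world", "allowed": [{"IPProtocol": "tcp", "ports": ["2222"]}], "sourceRange": ["0.0.0.0/0"]},
    {"name": "all-tcp-world", "allowed": [{"IPProtocol": "tcp"}], "sourceRange": ["0.0.0.0/0"]},
]

def substring_match(rule, combine=any):
    """Approximate the two typed filter terms, assuming ':' is a substring match.
    combine=any models OR (as in the steps above); combine=all models AND."""
    terms = ("22" in json.dumps(rule["allowed"]),
             "0.0.0.0/0" in json.dumps(rule["sourceRange"]))
    return combine(terms)

def allows_port(rule, port=22):
    """True if a tcp/all entry covers the port, handling ranges and missing port lists."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port for that protocol
            return True
        for spec in ports:
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False

def from_any_network(rule):
    """True if any source range has prefix length 0 (0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0
               for r in rule.get("sourceRange", []))

def exposed_ssh(rules):
    """Names of rules that allow TCP 22 and accept traffic from any network."""
    return [r["name"] for r in rules if allows_port(r) and from_any_network(r)]

if __name__ == "__main__":
    print("OR match:  ", [r["name"] for r in SAMPLE_RULES if substring_match(r)])
    print("AND match: ", [r["name"] for r in SAMPLE_RULES if substring_match(r, all)])
    print("Structured:", exposed_ssh(SAMPLE_RULES))
```

On the constructed data, the OR match returns every rule, a substring AND match picks up port 2222 and misses the 20-25 range and the rule with no port list, and the structured check returns only the rules that expose port 22 to any network.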

Find VMs with public IP addresses

  1. Go to the Google Cloud Platform Console Security Command Center > Assets page.
  2. In the Filter by text box, enter resource_properties.networkInterface:externalIP.

Find resource owners outside your organization

  1. Go to the Google Cloud Platform Console Security Command Center > Assets page.
  2. In the Filter by text box, enter -resourceOwners:@[YOUR_DOMAIN].

Find and monitor OS state in VMs

  1. Go to the Google Cloud Platform Console Security Command Center > Assets page.
  2. In the Filter by text box, enter resource_properties.disk:licenses.
  3. On the top right of the displayed resources, click Columns, and then select disk under Resource Properties.

Cloud SCC Settings

Cloud SCC settings enable you to manage the settings listed below. To access settings, click Settings on the Cloud SCC dashboard.

Asset Monitoring

By default, Cloud SCC discovers assets within each project during asset discovery. Settings > Asset Monitoring enables you to include or exclude specific projects to be scanned for asset discovery. To configure asset monitoring, select one of the available options:

  • All current and future projects: the default state in which assets within all your projects are scanned for asset discovery.
  • Include projects: enables you to select specific projects that will be scanned for asset discovery.
  • Exclude projects: enables you to select specific projects that won't be scanned for asset discovery.

After you save changes to Asset Monitoring, asset discovery will run and refresh the Assets display.

Permissions

Settings > Permissions enables you to view and configure Cloud IAM roles for Cloud SCC. You can view permissions by Members or by Roles. To add or remove Cloud SCC Cloud IAM roles for a user, click Edit next to their username, then add or remove roles on the Edit permissions panel that appears.

Security Sources

Cloud SCC includes default sources like Cloud Anomaly Detection, Cloud Security Scanner, and Cloud DLP Data Discovery. Security sources settings enable you to do the following:

  • Add new sources by clicking Add Security Sources on the GCP Console Security Command Center. For more information, see Adding security sources.
  • Enable or disable any of the default sources, and any new sources you've added. To turn a source on or off, click the toggle under Enabled next to the source.

For more information about the security sources available in Cloud SCC, see viewing vulnerabilities and threats.

What's next
