Setting up Security Command Center

Set up Security Command Center for your organization for the first time. If Security Command Center is already set up for your organization, see the guide to using Security Command Center.

Before you begin

Set up permissions

To set up Security Command Center, you need the following Identity and Access Management (IAM) roles:

  • Organization Admin roles/resourcemanager.organizationAdmin
  • Security Center Admin roles/securitycenter.admin
  • Security Admin roles/iam.securityAdmin
  • Create Service Accounts roles/iam.serviceAccountCreator

Learn more about Security Command Center roles.

Verify organization policies

If your organization policies are set to restrict identities by domain:

  • You must be signed in to the Cloud Console on an account that's in an allowed domain.
  • Your service accounts must be in an allowed domain, or be members of a group within your domain. Otherwise, domain restricted sharing blocks the @*.gserviceaccount.com identities that Security Command Center uses from being granted access to your resources.

If you're using VPC Service Controls, you must grant access to the Security Command Center service account after you enable Security Command Center.

Setting up Security Command Center for your organization

To set up Security Command Center for your organization, choose the Security Command Center tier you want, enable the services or security sources that you want to display findings in the Security Command Center dashboard, select the resources or assets to monitor, and then grant permissions for the Security Command Center service account.

Step 1: Choose your tier

The Security Command Center tier you select affects the features that are available to you, and the cost of using Security Command Center. The following table provides an overview of the built-in Security Command Center services that are available with the Premium and Standard tiers:

Tier details

Standard tier features

  • Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. This includes detection of:
    • Publicly exposed assets, like Buckets, SQL Instances, Datasets, and VMs.
    • Misconfigured firewalls, like Open Firewalls and Overly Permissive Firewalls.
    • Insecure IAM configurations.

Premium tier features

  • Event Threat Detection monitors your organization's Cloud Logging stream and consumes logs for one or more projects as they become available to detect the following threats:
    • Malware
    • Cryptomining
    • Brute force SSH
    • Outgoing DoS
    • IAM anomalous grant
  • Container Threat Detection detects the following container runtime attacks:
    • Suspicious binary
    • Suspicious library
    • Reverse shell
  • Security Health Analytics: in the Premium tier, Security Health Analytics provides monitoring for many industry best practices, and compliance monitoring across your Google Cloud assets. These results can also be reviewed in a Compliance dashboard and exported as manageable CSVs.

    In the Premium tier, Security Health Analytics includes monitoring and reporting for:

    • CIS 1.0
    • PCI DSS v3.2.1
    • NIST 800-53
    • ISO 27001
  • Web Security Scanner provides managed scans that identify the following security vulnerabilities in your Google Cloud apps:
    • Cross-site scripting (XSS)
    • Flash injection
    • Mixed-content
    • Clear text passwords
    • Usage of insecure JavaScript libraries

For information about costs associated with using Security Command Center, see the pricing page.

To subscribe to the Security Command Center Premium tier, contact your sales representative or contact us. If you don't subscribe to the Premium tier, then the Standard tier will automatically be available.

If your organization is already using Security Command Center, when you upgrade to the Premium or Standard tier, all of the new features of that tier are enabled. After you upgrade to the Premium or Standard tier, you can only switch between them—you cannot switch back to Legacy Security Command Center.

After you select the tier you want, start Security Command Center setup:

  1. Go to the Security Command Center page in the Cloud Console.
  2. On the Organization drop-down list, select the organization that you want to enable Security Command Center for, and then click Select.

Next, you select the built-in services that you want to enable for your organization.

Step 2: Choose services

Anomaly Detection findings are automatically available in Security Command Center. To display findings from other security sources in the Security Command Center dashboard, you need to enable the services you want to use as security sources.

On the Choose services page, all of the built-in services are enabled at the organization level for the Security Command Center tier you selected. To disable any of the services, click the toggle next to the service name.

When you enable Container Threat Detection as a service, you need to make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE). For more information, see using Container Threat Detection.

Next, you can optionally enable or disable services for individual resources.

Step 3: Choose resources

The Resources tab lets you change supported service settings for each supported resource. By default, resources inherit the service settings for the organization. To optionally enable or disable services for individual resources, click the drop-down list in the service column to select service enablement on a resource.

  • On: the service is enabled for the resource.
  • Off: the service is disabled for the resource.
  • Inherit from parent resource: the resource uses the service setting that's selected for its parent in the resource hierarchy.

Next, you grant permissions to the Security Command Center service account.

Step 4: Grant permissions

When you enable Security Command Center, a service account is created for you in the format service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com, where ORGANIZATION_ID is the numeric ID of your organization. This service account needs the following IAM roles at the organization level:

  • securitycenter.serviceAgent enables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis. To learn about the permissions associated with this role, see access control.
  • serviceusage.serviceUsageAdmin. To learn more about how this role is used, see What is Service Usage?
  • cloudfunctions.serviceAgent

To automatically grant these roles to the service account, click Grant Roles. If you prefer to grant the required roles manually using the gcloud command-line tool:

  1. Click to expand the grant roles manually section and then copy the gcloud tool command.
  2. On the Cloud Console tool bar, click Activate Cloud Shell.
  3. In the terminal window that appears, paste the gcloud tool commands you copied, and then press Enter.

The required roles are granted to the Security Command Center service account.
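The following script is an added example, not part of the Google Cloud page or the commands the console generates for you. It covers two passages: the domain restricted sharing check under "Verify organization policies" and the manual grant in Step 4. It assumes gcloud is installed and authenticated as a principal that holds the roles listed under "Set up permissions", that the organization policy constraint involved is iam.allowedPolicyMemberDomains (the constraint behind domain restricted sharing; the page does not name it), and that the GCLOUD variable, the function names, and the example organization ID 123456789012 are placeholders chosen here.

```sh
#!/bin/sh
# Added example: grant the Security Command Center service agent its three
# organization-level roles with gcloud, then verify that all three are bound.
# Not from the Google Cloud documentation. Assumes an authenticated gcloud;
# GCLOUD can be pointed at a stub (for dry runs) and defaults to "gcloud".
set -eu

# Service account that enabling Security Command Center creates for an org.
scc_service_account() {
  printf 'service-org-%s@security-center-api.iam.gserviceaccount.com\n' "$1"
}

# Roles the service account needs at the organization level.
SCC_ROLES='roles/securitycenter.serviceAgent roles/serviceusage.serviceUsageAdmin roles/cloudfunctions.serviceAgent'

# Pre-check for domain restricted sharing: if iam.allowedPolicyMemberDomains
# is enforced, the bindings below fail unless gserviceaccount.com identities
# are allowed. Printing the policy (if any) lets the operator see this early.
scc_check_domain_policy() {
  "${GCLOUD:-gcloud}" resource-manager org-policies describe \
    iam.allowedPolicyMemberDomains --organization="$1" --format=yaml || true
}

# Bind each required role to the service account on the organization.
# --condition=None avoids an interactive prompt when conditional bindings exist.
scc_grant_roles() {
  org_id=$1
  member="serviceAccount:$(scc_service_account "$org_id")"
  for role in $SCC_ROLES; do
    "${GCLOUD:-gcloud}" organizations add-iam-policy-binding "$org_id" \
      --member="$member" --role="$role" --condition=None
  done
}

# Print the roles currently bound to the service account, one per line.
scc_granted_roles() {
  "${GCLOUD:-gcloud}" organizations get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:$(scc_service_account "$1")" \
    --format='value(bindings.role)'
}

# Compare expected roles with granted ones; return 1 if any role is missing.
scc_verify_roles() {
  granted=$(scc_granted_roles "$1")
  missing=0
  for role in $SCC_ROLES; do
    case "$granted" in
      *"$role"*) ;;
      *) echo "missing: $role" >&2; missing=1 ;;
    esac
  done
  return $missing
}

# Usage: sh scc-grant-roles.sh ORGANIZATION_ID
if [ "$#" -eq 1 ]; then
  scc_check_domain_policy "$1"
  scc_grant_roles "$1"
  scc_verify_roles "$1" && echo "all roles granted to $(scc_service_account "$1")"
fi
```

Run it with the numeric organization ID as the only argument. The verify step reads back the organization IAM policy rather than trusting the exit status of the add commands, so a binding silently rejected by an organization policy shows up as a "missing:" line instead of a false success.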

Next, you confirm Security Command Center setup and the Security Command Center Explore page is displayed.

Step 5: Wait for scans to complete

When you finish setup, Security Command Center starts an initial asset scan. The asset scan should be complete within minutes. After Security Command Center completes the asset scan, you can use the dashboard to review and remediate Google Cloud security and data risks across your organization. Findings from built-in services are available as each service completes its initial scans:

  • Container Threat Detection has the following latencies:
    • Activation latency of one hour for newly onboarded organizations.
    • Activation latency of one hour for newly created clusters.
    • Detection latency of minutes for threats in clusters that have been activated.
  • Event Threat Detection activates within seconds; end-to-end detection latency is under 15 minutes at the 99th percentile, measured over a 30-day period.
  • Security Health Analytics scans start approximately one hour after the service is enabled. The first scan can take up to 12 hours to complete.
  • Web Security Scanner scans can take up to 24 hours to start after the service is enabled. In most cases, they start approximately one hour after the service is enabled.

To learn more about each built-in service, review the guides available on this site.

What's next