Setting up Security Command Center
This page shows you how to set up Security Command Center for your organization for the first time. If Security Command Center is already set up for your organization, see the guide for using Security Command Center.
Before you begin
Create an organization
Security Command Center requires an organization resource that is associated with a domain and, if you want to use the Premium tier, a billing account. If you haven't created an organization, see Creating and managing organizations.
Set up permissions
To set up Security Command Center, you need the following Identity and Access Management (IAM) roles:
- Organization Admin
- Security Center Admin
- Security Admin
- Create Service Accounts
Learn more about Security Command Center roles.
Verify organization policies
If your organization policies are set to restrict identities by domain:
- You must be signed in to the Google Cloud Console on an account that's in an allowed domain.
- Your service accounts must be in an allowed domain, or members of a group
within your domain. This requirement enables you to allow
@*.gserviceaccount.comservices access to resources when domain restricted sharing is enabled.
Setting up Security Command Center for your organization
To set up Security Command Center for your organization, choose the Security Command Center tier you want and enable the services or integrated sources that you want to display findings in the Security Command Center dashboard. Then you select the resources or assets to monitor and grant permissions for the Security Command Center service account.
Step 1: Choose your tier
The Security Command Center tier you select determines the features that are available to you and the cost of using Security Command Center. The following table provides an overview of the built-in Security Command Center services that are available with the Premium and Standard tiers:
Standard tier features
The Premium tier includes all Standard tier features and adds the following:
Event Threat Detection also identifies the following Google Workspace threats:
VM Manager vulnerability reports
For information about costs associated with using Security Command Center, see the pricing page.
To subscribe to the Security Command Center Premium tier, contact your sales representative or fill out our Premium inquiry form. You should receive a response within two US business days. If you don't subscribe to the Premium tier, then the Standard tier is available.
After you select the tier you want, start Security Command Center setup:
Go to Security Command Center in the Cloud Console.
On the Organization drop-down list, select the organization that you want to enable Security Command Center for, and then click Select.
Next, you select the built-in services that you want to enable for your organization.
Step 2: Choose services
On the Choose services page, all built-in services are enabled by default at the organization level for the tier you selected. Each service scans all supported resources and report findings for your entire organization. To disable any of the services, click the drop-down list next to the service name and select Disable by default.
The following are notes for specific services:
For Container Threat Detection to function properly, you need to make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE) and that your GKE clusters are properly configured. For more information, see Using Container Threat Detection.
Event Threat Detection relies on logs generated by Google Cloud. To use Event Threat Detection, you must enable logs for your organization, folders, and projects.
Anomaly Detection findings are automatically available in Security Command Center. Anomaly Detection can be disabled after onboarding by following the steps in Configuring Security Command Center.
Next, you can optionally enable or disable services for individual resources.
Step 3: Choose resources
Security Command Center is designed to operate at the organization level. By default, resources inherit the service settings for the organization. All enabled services run scans for all supported resources in your organization. This configuration is the optimal operating mode to ensure that new and changed resources are automatically discovered and protected.
If you don't want Security Command Center to scan your entire organization, you must exclude individual resources in the Advanced settings menu.
Navigate to the Advanced settings menu and click the node to expand it.
To change resource settings, click the drop-down list in the service column to choose an enablement option.
- Enable by default: the service is enabled for the resource.
- Disable by default: the service is disabled for the resource.
- Inherit: the resource uses the service setting that's selected for its parent in the resource hierarchy.
Clicking Search for a folder or project opens a window that lets you enter search terms to quickly find resources and change their settings.
Next, you grant permissions to the Security Command Center service account.
Step 4: Grant permissions
When you enable Security Command Center, a service account is created for you in
the format of
This service account has the following IAM roles at the
securitycenter.serviceAgentenables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis. To learn about the permissions associated with this role, see access control.
serviceusage.serviceUsageAdmin. To learn more about how this role is used, see What is Service Usage?
To automatically grant these roles to the service account, click Grant
Roles. If you prefer to grant the required roles manually using the
gcloud command-line tool:
- Click to expand the grant roles manually section and then copy the
- On the Cloud Console tool bar, click Activate Cloud Shell.
- In the terminal window that appears, paste the
gcloudtool commands you copied, and then press Enter.
The required roles are granted to the Security Command Center service account.
Next, you confirm Security Command Center setup and the Security Command Center Explore page is displayed.
Step 5: Wait for scans to complete
When you finish setup, Security Command Center starts an initial asset scan, after which you can use the dashboard to review and remediate Google Cloud security and data risks across your organization. There may be a delay before scans are started for some products. Read Security Command Center latency overview to learn more about the activation process.
To learn more about each built-in service, review the guides available on this site.