May 10, 2019
Using VPC Service Controls currently blocks Cloud SCC asset discovery inside VPC Service perimeters for the following asset types:
- Compute Engine
- VPN Tunnels
- Cloud Storage Buckets
- GKE Clusters
This is expected to be fixed in a future release.
For information about troubleshooting access issues, see VPC Service Controls Troubleshooting. To work around blocked access to these assets, see Granting access from the internet with access levels.
April 10, 2019
Welcome to the Cloud SCC GA! These release notes include updated items from beta and new items for GA.
gcloud command-line tool support for Cloud SCC is now available.
There are now client libraries available for C#, Go, Java, Node.js, PHP, Python, and Ruby.
Previously only active state findings were shown in the UI. You can now also choose to show inactive state findings.
GroupFindings now supports comparison between two points in time.
For more information, see the
Assets now include Cloud IAM information for organizations, projects, Compute Engine, Cloud Storage, and others where applicable. Cloud IAM Policy information can be searched, filtered, and joined with all other Asset information and Security Marks.
Native integration with Security Health Analytics for managed vulnerability scanning.
Native integration with Event Threat Detection for log-based threat detection.
Native integration with Phishing Protection.
The Cloud SCC dashboard now enables you to select whether just active state findings are displayed or both active and inactive.
The Cloud SCC dashboard now enables you to set active or inactive state for each finding.
The Cloud SCC dashboard now enables you to perform a time-diff query for a fixed set of time periods.
You can now export Cloud SCC data as filtered Asset or Findings data to the Cloud Storage bucket and project you select.
The Hello World example app has been expanded to include Cloud Functions functions for removing bucket ACLs, deleting firewall rules, and creating a VM snapshot.
New example apps are available for:
- Integrations with Access Transparency Logs, Audit Logging, and Binary Authorization.
- Connecting to Splunk.
For more information, see Cloud SCC tools.
Additional security partner integrations through Marketplace.
Sorting on Asset ID column on the asset page doesn't work as expected.
Sorting on the following findings page columns doesn't work as expected:
Sorting isn't supported for source properties and security marks on the findings changed page.
After you've created a new asset, the new asset won't appear in Cloud SCC until it's rescanned. To see the current asset state before the daily rescan, trigger an on-demand rescan and then wait at least 5 minutes for the new asset to appear in Cloud SCC.
After you've made a Cloud IAM policy change on an asset, the updated policy won't appear in Cloud SCC until it's rescanned. To see the current Cloud IAM policy before the daily rescan, trigger an on-demand rescan and then wait at least 10 minutes for the updated Cloud IAM policies to appear in Cloud SCC.
Code examples are still in progress for C#, Node.js, PHP, and Ruby.
December 5, 2018
Welcome to the Cloud SCC beta! These release notes include updated items from alpha and new items for beta.
Cloud SCC has a replacement set of fine-grained Cloud IAM roles. Instead of just Security Center Editor and Security Center Viewer, we now offer 13 new roles to enable separation of privilege on each of the Cloud SCC resources: assets, findings, and marks. For more information, see Access control.
The roles Security Center Editor and Security Center Viewer are now deprecated in Beta. If you're an alpha customer, you'll need to update all of your existing Cloud SCC users:
- Existing Security Center Editor - grant Security Center Admin Editor
- Existing Security Center Viewer - grant Security Center Admin Viewer
Cloud SCC also now has a Security Center Admin role for superusers.
The beta API is different from the alpha API and includes new endpoints, methods, properties, and attributes. For details, see the Cloud SCC API references.
For assets and findings, the attribute and property names (also called "fields") have been updated from alpha. This will require changes to existing scripts. The table below provides details about the new fields.

| Alpha field | Beta field | Description |
|---|---|---|
| | | Identifier of the GCP resource. The Alpha version used an abbreviated hierarchical path, while the Beta version uses the full resource name. |
| | | References the GCP resource's parent. The Beta version uses the parent's full resource name. |
| | | The GCP project the resource belongs to. |
| | | The type of the resource. |
| | | The owners of the resource. |
| | | The properties of the resource. |
| | | Security marks on the asset, if any. |
| | | Time the asset was last updated. |
| | | Time the asset (not the GCP resource) was first created. |
| | | Identifier of the finding. The Beta version is the full path, like |
| | | The GCP resource's full name. The Alpha version referenced the Alpha Asset Id, while the Beta version references the GCP resource's full name. |
| | | The finding's parent is the source it belongs to. |
| | | The state of the finding. |
| | | The category of the finding. |
| | | The external URI of the finding. |
| | | The properties of the finding's source. |
| | | Security marks on the finding, if any. |
| | | The time of the last event associated with the finding. |
| | | The time when the finding was first created. |
The Beta findings database is in Cloud Spanner, a change from the Alpha database, which was in Cloud SQL. This provides the required performance and reliability at scale; however, alpha findings, findings history, and marks on findings are not automatically preserved in the transition from Alpha to Beta. Your Beta databases will be empty, and you have the following options to access Beta findings details:
- The Alpha API endpoint and surface, and the Alpha Findings database, will remain live for up to a quarter after the Beta launch. During this time, you can use the API to access Alpha findings. These findings won't be displayed in the Beta UI.
- For Forseti, version 2.8 includes the Cloud SCC Beta API integration. If you're a Forseti customer, you can start writing your Forseti findings to the Beta database to transition.
We've added new options for finding source management, including a separate finding source registration, onboarding process, and management system. This provides control over the security sources that are allowed to write into your customers' findings database.
Cloud SCC now enforces 13-month live data storage. If you're an Alpha Cloud SCC customer who has more than 13 months of asset or findings data, we will work with you to select a cutover date.
Assets are now automatically scanned twice each day instead of once. You can still start an asset scan manually using the Cloud SCC dashboard.
In alpha, the Cloud SCC dashboard didn't support clicking through to the specific new or deleted assets that are identified in the Assets dashboard card. In beta, the Assets Changed view enables you to examine new or deleted assets.
In alpha, there wasn't an exposed discovery or scan completion signal. In beta, `RunAssetDiscovery` returns as a long-running operation that allows the caller to monitor completion.
Sorting now works for
Asset inventory now includes Google Kubernetes Engine, Container Registry, Service Networking, Cloud DNS, Cloud Spanner, and Service Accounts, in addition to the previously included App Engine, Compute Engine, and Cloud Storage.
Cloud SCC now includes native Beta security findings API integrations for Cloud Security Scanner, Cloud DLP Data Discovery, Cloud Anomaly Detection, and Forseti. Note that the Forseti integration is also a first example of a new partnership with the Cloud Marketplace team.
We now offer a Cloud Marketplace based self-serve onboarding flow for opting in to Cloud SCC and adding third-party finding sources.
The Cloud SCC dashboard now offers new time-based search capabilities: on, before, and after.
The Cloud SCC dashboard now includes an "Asset changed" tab that can display a time diff view of changes in assets.
The Cloud SCC dashboard now has a "Settings" tab that enables you to manage permissions and security sources, and control which GCP assets are included or excluded from discovery. For more information, see Settings.
Cloud SCC documentation now includes code examples for App Engine apps to customize queries that trigger Cloud Pub/Sub notifications or Cloud Functions actions in response to detected security vulnerabilities or threats.
Organizations that have a significantly large number of assets might experience performance issues when creating marks in the Cloud SCC dashboard or when performing some expensive queries, like "group by" queries.
The Cloud SCC dashboard only shows active findings. To get inactive findings, you must use the Cloud SCC API.
Out of order updates from findings sources might not appear correctly in all cases.
Results from the automatic and manual snapshot asset scans can show some variance in the `resource_properties.updateTime` value within the same scan. This variance is typically less than 10 minutes.
The Cloud SCC dashboard doesn't currently display a discovery or scan completion signal. This will be added in a future release. You can use the API method `organizations.assets.runDiscovery`, which returns an object you can use to check completion.
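Putting the on-demand rescan workaround and the `runDiscovery` completion signal together, as an added example that is not Google's code: it triggers asset discovery, polls the returned long-running operation until it is done, waits for the indexing delay the notes describe, and then lists assets over a compare window so newly discovered assets show up as `ADDED`. It assumes the Cloud SCC v1 REST shapes (an Operation with `name`/`done`/`error`, a `listAssetsResults` array whose entries carry `stateChange` and `securityCenterProperties.resourceType`) and takes the organization ID and an OAuth access token from the constructed `ORG_ID` and `ACCESS_TOKEN` environment variables.

```python
import json
import os
import time
import urllib.request
API = "https://securitycenter.googleapis.com/v1"  # Cloud SCC v1 REST base; response shapes below are assumed


def operation_is_done(op: dict) -> bool:
    """True once the long-running operation has finished; raise if it finished in error."""
    if not op.get("done"):
        return False
    if "error" in op:
        raise RuntimeError(f"asset discovery failed: {op['error']}")
    return True


def poll_until_done(fetch, op_name: str, interval_s: float, max_polls: int) -> dict:
    """Poll GET /v1/{op_name} through fetch() (injectable, so it can be exercised offline)."""
    for _ in range(max_polls):
        op = fetch(f"{API}/{op_name}")
        if operation_is_done(op):
            return op
        time.sleep(interval_s)
    raise TimeoutError(f"{op_name} still running after {max_polls} polls")


def summarize_changes(list_response: dict) -> dict:
    """Group ADDED/REMOVED/ACTIVE listAssets results by resource type."""
    summary: dict = {}
    for result in list_response.get("listAssetsResults", []):
        change = result.get("stateChange", "UNUSED")
        rtype = result["asset"]["securityCenterProperties"]["resourceType"]
        per_type = summary.setdefault(change, {})
        per_type[rtype] = per_type.get(rtype, 0) + 1
    return summary


def http_json(url: str, token: str, method: str = "GET") -> dict:
    # Bearer token as printed by `gcloud auth print-access-token`; POST sends an empty JSON body
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=b"{}" if method == "POST" else None,
                                 method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def main() -> None:
    org, token = os.environ["ORG_ID"], os.environ["ACCESS_TOKEN"]  # constructed variable names
    op = http_json(f"{API}/organizations/{org}/assets:runDiscovery", token, "POST")
    poll_until_done(lambda url: http_json(url, token), op["name"], 30, 40)
    time.sleep(300)  # release note: allow about 5 minutes after the rescan for new assets to appear
    changed = http_json(f"{API}/organizations/{org}/assets?compareDuration=86400s", token)
    print(json.dumps(summarize_changes(changed), indent=2))


if __name__ == "__main__":
    main()
```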
The search window supports auto-complete for keys and partial match for values, but it doesn't support wildcards at this time.
Sorting currently doesn't work for
Sorting by marks can result in unexpected ordering, depending on which marks you select for sorting.
Custom column display selection and column sorting isn't preserved when you leave the asset inventory page.
Stackdriver log integration isn't currently supported. This will be added in a future release.
gcloud support for Cloud SCC isn't included at this time. There are Python, Node, Java, and Go client libraries available. You can also use cURL, httpie, or your preferred scripting option.
will be included in a future release.
Not all asset updates are event-driven. Some assets are updated periodically in a polling manner. This usually completes within 10 minutes, but there might be an extended delay for large projects inside the organization.
Findings inventory freshness depends on finding sources.
- Freshness in the Cloud SCC dashboard is usually <1 minute after ingestion from the finding source.
- Assets that haven't been discovered and indexed in a daily or manual scan will usually appear within 1 minute in the Findings inventory.
Asset inventory freshness depends on discovery and indexing of the asset.
- Freshness is usually <1 minute for pre-existing assets.
- Assets that haven't been discovered and indexed in a daily or manual scan will appear in Asset inventory after the asset they're attached to is discovered and indexed.