Set up Security Command Center

This page shows you how to set up Security Command Center for your organization for the first time. If Security Command Center is already set up for your organization, see the guide for using Security Command Center.

Before you begin

Create an organization

Security Command Center requires an organization resource that is associated with a domain and, if you want to use the Premium tier, a billing account. If you haven't created an organization, see Creating and managing organizations.

Set up permissions

To set up Security Command Center, you need the following Identity and Access Management (IAM) roles:

  • Organization Admin roles/resourcemanager.organizationAdmin
  • Security Center Admin roles/securitycenter.admin
  • Security Admin roles/iam.securityAdmin
  • Create Service Accounts roles/iam.serviceAccountCreator

Learn more about Security Command Center roles.

Verify organization policies

If your organization policies are set to restrict identities by domain:

  • You must be signed in to the Google Cloud console on an account that's in an allowed domain.
  • Your service accounts must be in an allowed domain, or members of a group within your domain. This requirement enables you to allow @*.gserviceaccount.com services access to resources when domain restricted sharing is enabled.

Setting up Security Command Center for your organization

To set up Security Command Center for your organization, choose the Security Command Center tier you want and enable the services or integrated sources that you want to display findings in the Security Command Center dashboard. Then you select the resources or assets to monitor and grant permissions for the Security Command Center service account.

Step 1: Choose your tier

The Security Command Center tier you select determines the features that are available to you and the cost of using Security Command Center. The following table provides an overview of the built-in Security Command Center services that are available with the Premium and Standard tiers:

Tier details

Standard tier features

  • Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. In the Standard tier, Security Health Analytics includes the following finding types:

    • DATAPROC_IMAGE_OUTDATED
    • LEGACY_AUTHORIZATION_ENABLED
    • MFA_NOT_ENFORCED
    • NON_ORG_IAM_MEMBER
    • OPEN_CISCOSECURE_WEBSM_PORT
    • OPEN_DIRECTORY_SERVICES_PORT
    • OPEN_FIREWALL
    • OPEN_GROUP_IAM_MEMBER
    • OPEN_RDP_PORT
    • OPEN_SSH_PORT
    • OPEN_TELNET_PORT
    • PUBLIC_BUCKET_ACL
    • PUBLIC_COMPUTE_IMAGE
    • PUBLIC_DATASET
    • PUBLIC_IP_ADDRESS
    • PUBLIC_LOG_BUCKET
    • PUBLIC_SQL_INSTANCE
    • SSL_NOT_ENFORCED
    • WEB_UI_ENABLED
  • Web Security Scanner custom scans: in the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IP addresses that aren't behind a firewall. Scans are manually configured, managed, and executed for all projects, and support a subset of categories in the OWASP Top Ten.
  • Security Command Center errors: Security Command Center provides detection and remediation guidance for configuration errors that prevent Security Command Center and its services from functioning properly.
  • Support for granting users Identity and Access Management (IAM) roles at the organization level.

  • Access to integrated Google Cloud services, including the following:

  • Integration with BigQuery, which exports findings to BigQuery for analysis.
  • Integration with Forseti Security, the open source security toolkit for Google Cloud, and third-party security information and event management (SIEM) applications.

Premium tier features

The Premium tier includes all Standard tier features and adds the following:

  • Event Threat Detection uses threat intelligence, machine learning, and other advanced methods to monitor your organization's Cloud Logging and Google Workspace and detect the following threats:
    • Malware
    • Cryptomining
    • Brute force SSH
    • Outgoing DoS
    • IAM anomalous grant
    • Data exfiltration

    Event Threat Detection also identifies the following Google Workspace threats:

    • Leaked passwords
    • Attempted account breaches
    • Changes to 2-step verification settings
    • Changes to single sign-on (SSO) settings
    • Government-backed attacks
  • Container Threat Detection detects the following container runtime attacks:
    • Added Binary Executed
    • Added Library Loaded
    • Malicious Script Executed
    • Reverse Shell
  • Virtual Machine Threat Detection detects cryptocurrency mining applications running inside VM instances.

  • Security Health Analytics: the Premium tier includes managed vulnerability scans for all Security Health Analytics detectors (140+) and provides monitoring for many industry best practices, and compliance monitoring across your Google Cloud assets. These results can also be reviewed in a Compliance dashboard and exported as manageable CSVs.

    In the Premium tier, Security Health Analytics includes monitoring and reporting for the following standards:

    • CIS 1.2
    • CIS 1.1
    • CIS 1.0
    • PCI DSS v3.2.1
    • NIST 800-53
    • ISO 27001
  • Web Security Scanner in the Premium tier includes all Standard tier features and additional detectors that support categories in the OWASP Top Ten. Web Security Scanner also adds managed scans that are automatically configured. These scans identify the following security vulnerabilities in your Google Cloud apps:
    • Cross-site scripting (XSS)
    • Flash injection
    • Mixed-content
    • Clear text passwords
    • Usage of insecure JavaScript libraries
  • The Premium tier includes support for granting users IAM roles at the organization, folder, and project levels.
  • The Premium tier includes the Continuous Exports feature, which automatically manages the export of new findings to Pub/Sub.
  • You can request for additional Cloud Asset Inventory quota if the need for extended asset monitoring arises.
  • Secured Landing Zone service service can be enabled only in the Security Command Center Premium tier. When enabled, this service displays findings if there are policy violations in the resources of the deployed blueprint, generates corresponding alerts, and selectively takes automatic remediation actions.

    • VM Manager vulnerability reports

    • If you enable VM Manager, the service automatically writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in the operating systems installed on Compute Engine virtual machines. For more information, see VM Manager.

    For information about costs associated with using Security Command Center, see the pricing page.

    To subscribe to the Security Command Center Premium tier, contact your Google Cloud sales representative or Cloud partner.

    After you select the tier you want, start Security Command Center setup:

    1. Go to Security Command Center in the Google Cloud console.

      Go to Security Command Center

    2. On the Organization drop-down list, select the organization that you want to enable Security Command Center for, and then click Select.

    Next, you select the built-in services that you want to enable for your organization.

    Step 2: Choose services

    On the Choose services page, all built-in services are enabled by default at the organization level for the tier you selected. Each service scans all supported resources and report findings for your entire organization. To disable any of the services, click the drop-down list next to the service name and select Disable by default.

    The following are notes for specific services:

    • For Container Threat Detection to function properly, you need to make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE) and that your GKE clusters are properly configured. For more information, see Using Container Threat Detection.

    • Event Threat Detection relies on logs generated by Google Cloud. To use Event Threat Detection, you must enable logs for your organization, folders, and projects.

    • Anomaly Detection findings are automatically available in Security Command Center. Anomaly Detection can be disabled after onboarding by following the steps in Configuring Security Command Center.

    Next, you can optionally enable or disable services for individual resources.

    Step 3: Choose resources

    Security Command Center is designed to operate at the organization level. By default, resources inherit the service settings for the organization. All enabled services run scans for all supported resources in your organization. This configuration is the optimal operating mode to ensure that new and changed resources are automatically discovered and protected.

    If you don't want Security Command Center to scan your entire organization, you must exclude individual resources in the Advanced settings menu.

    1. Navigate to the Advanced settings menu and click the node to expand it.

      Advanced settings menu
      Advanced settings menu (click to enlarge)

    2. To change resource settings, click the drop-down list in the service column to choose an enablement option.

      • Enable by default: the service is enabled for the resource.
      • Disable by default: the service is disabled for the resource.
      • Inherit: the resource uses the service setting that's selected for its parent in the resource hierarchy.

    Clicking Search for a folder or project opens a window that lets you enter search terms to quickly find resources and change their settings.

    Next, you grant permissions to the Security Command Center service account.

    Step 4: Grant permissions

    When you enable Security Command Center, a service account is created for you in the following format:

    service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com

    Replace ORGANIZATION_ID with the numerical identifier of your organization.

    This service account has the following IAM roles at the organization level:

    • securitycenter.serviceAgent enables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis. To learn about the permissions associated with this role, see access control.
    • serviceusage.serviceUsageAdmin. To learn more about how this role is used, see What is Service Usage?
    • cloudfunctions.serviceAgent

    To automatically grant these roles to the service account, click Grant Roles. If you prefer to grant the required roles manually using the Google Cloud CLI:

    1. Click to expand the grant roles manually section and then copy the gcloud CLI command.
    2. On the Google Cloud console tool bar, click Activate Cloud Shell.
    3. In the terminal window that appears, paste the gcloud CLI commands you copied, and then press Enter.

    The required roles are granted to the Security Command Center service account.

    Next, you confirm Security Command Center setup and the Security Command Center Explore page is displayed.

    Step 5: Wait for scans to complete

    When you finish setup, Security Command Center starts an initial asset scan, after which you can use the dashboard to review and remediate Google Cloud security and data risks across your organization. There may be a delay before scans are started for some products. Read Security Command Center latency overview to learn more about the activation process.

    To learn more about each built-in service, review the guides available on this site.

    What's next