This document describes how to activate Security Command Center Premium for an organization through the Google Cloud console. Activating Security Command Center Premium automatically enables a variety of services.
For more information about Security Command Center Premium, see Security Command Center service tiers.
To activate Security Command Center for a different service tier, see the following:
- Activate the Security Command Center Standard tier for an organization
- Activate the Security Command Center Enterprise tier
To activate Security Command Center for a project only, see Activate Security Command Center for a project.
Before you begin
Before you activate Security Command Center Premium for an organization, you need to do the following:
- Obtain specific Identity and Access Management (IAM) roles and permissions.
- Optional: Enable additional APIs.
- Review your organization policies, if applicable to your organization.
- If you plan to enable data residency, review Planning for data residency and determine which location to use.
- If you plan to use a customer-managed encryption key (CMEK), complete the required tasks for enabling CMEK for Security Command Center.
You can configure data residency and data encryption when you activate Security Command Center. To change these settings after you activate Security Command Center Standard or Premium, see Modify data residency or data encryption configuration.
Required roles
To get the permissions that you need to activate Security Command Center for an organization, ask your administrator to grant you the following IAM roles on your organization:
- Security Center Admin (
roles/securitycenter.admin) - Organization Administrator (
roles/resourcemanager.organizationAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Enable the Security Center Management API
If you plan to use the Security Center Management API, enable this API in the project where you plan to call it:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM
role (roles/serviceusage.serviceUsageAdmin), which
contains the serviceusage.services.enable permission. Learn how to grant
roles.
Review organization policies
If your organization policies are set to restrict identities by domain, confirm the following:
- You must be signed in to the Google Cloud console on an account that's in an allowed domain.
- Your service accounts must be in an allowed domain, or members of a group
within your domain. This requirement lets you allow services that use the
@*.gserviceaccount.comservice account to access resources when domain restricted sharing is enabled.
If your organization policies are set to restrict resource usage, verify that the following APIs are allowed by your policy:
cloudsecuritycompliance.googleapis.comsecuritycenter.googleapis.comsecuritycentermanagement.googleapis.com
Activate Security Command Center Premium
You can activate Security Command Center Premium for an organization through the Google Cloud console.
In the Google Cloud console, go to the Security Command Center welcome page.
If you want to enable data residency, open a jurisdictional console using the URL that matches the location you plan to configure.
You must use the jurisdictional Google Cloud console to activate Security Command Center with data residency controls and modify the data residency configuration after activation. For details, see About the jurisdictional Google Cloud console.
Select the organization that you want to enable Security Command Center Premium for, and then click Select.
On the welcome page, select Start a Premium free trial.
To cancel your Premium trial and avoid pay-as-you-go charges, you must downgrade to the Standard tier before the trial period ends. You can downgrade at any time during the trial. For detailed instructions, see Downgrade from the Premium tier to the Standard tier.
If you want to purchase a Premium subscription, see Premium tier: Subscription-based pricing for details.
Optional: To confirm the data residency configuration or change the data encryption configuration, click Show more.
- If you are using a jurisdictional console, the Data residency field displays Enable and the Location field displays the same location as the jurisdictional console. To change the location, open the console using a URL that matches the location you want to configure.
- The default data encryption configuration uses Google-owned and Google-managed encryption keys.
To use a Cloud Key Management Service key, click Edit data encryption, and then do the following:
- Select Cloud KMS key.
- Select a project.
- Select a key. You can select a key from any Google Cloud project, including projects in other organizations. Only keys in compatible locations are displayed in the list.
To learn which key locations are compatible with Security Command Center, see Determine the key location.
If your organization uses CMEK organization policies, you might only have the option to choose CMEK or specific keys.
During the activation process, Security Command Center grants the Cloud KMS CryptoKey Encrypter/Decrypter (
roles/cloudkms.cryptoKeyEncrypterDecrypter) role to the Cloud Security Command Center Service Agent on the Cloud KMS key.
Click Activate.
As results become available, they are displayed in the console. Then you can use the Google Cloud console to review and remediate Google Cloud security and data risks.
Security Command Center completes its first full scan within 24 hours. There might be a delay before scans are started for some services. For more information, see When to expect findings in Security Command Center.
Services for Security Command Center Premium
After you activate Security Command Center Premium, specific services are automatically enabled, and service agents are created so that these services can act on your behalf.
Services
Security Command Center uses detection services to detect security issues in your cloud environments. The following services are enabled when you activate Security Command Center Premium:
-
For Container Threat Detection to function, make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE) and that your GKE clusters are configured correctly. For more information, see Use Container Threat Detection.
-
Event Threat Detection relies on logs generated by Google Cloud. To use Event Threat Detection, enable logs for your organization, folders, and projects.
Refer to each service's documentation for usage and optimization instructions. As an example, Event Threat Detection relies on logs generated by Google Cloud. Some logs are always on, so Event Threat Detection can start scanning these logs as soon as it is enabled. Other logs, such as most data access audit logs, must be activated before Event Threat Detection can scan them.
The services outlined in this section, and additional services, can be enabled or disabled by following the steps in Configure Security Command Center services.
Service agents
A service agent is a service account created and managed by Google Cloud to access resources on your behalf. After a service agent is created, Security Command Center automatically grants required IAM roles to the service agent. Security Command Center Premium activation includes the following service agents:
- Cloud Security Command Center Service Agent for Event Threat Detection, Security Health Analytics, Virtual Machine Threat Detection, and Vulnerability Assessment
- Cloud Security Compliance Service Agent for AI Protection and Compliance Manager
- Container Threat Detection Service Agent for Container Threat Detection
- Data Security Posture Management Service Agent for DSPM
Modify your Security Command Center service
For more information about tier management, see Modify Security Command Center Premium tier for an organization.
What's next
- Learn how to configure Security Command Center services.
- Learn how to use Security Command Center in the Google Cloud console.
- Learn how to work with Security Command Center findings.
- Learn about Google Cloud security sources.
- Find out how Model Armor can help protect your AI workloads.
- Enable Sensitive Data Protection to help protect your sensitive data.
- Learn how to monitor your costs using Cloud Billing.