This document describes how to activate Security Command Center Standard for an organization using the Google Cloud console.
Standard tier activations at the organization level enable the enhanced Standard tier features.
For information about enhanced features in the Standard tier, see Security Command Center service tiers.
For information about differences between the Standard and Standard-legacy tiers, see Standard tier enhanced and automatically activated for some customers.
To activate Security Command Center for a different service tier, see the following:
- Activate the Security Command Center Premium tier for an organization
- Activate the Security Command Center Enterprise tier
To activate Security Command Center for a project, see Activate Security Command Center for a project.
Before you begin
Before you activate Security Command Center Standard for an organization, you need to do the following:
- Obtain specific Identity and Access Management (IAM) roles and permissions.
- Optional: Enable the Security Center Management API.
- Review your organization policies, if applicable to your organization.
- If you plan to enable data residency, review Planning for data residency and determine which location to use.
- If you plan to use a customer-managed encryption key (CMEK), complete the required tasks for enabling CMEK for Security Command Center.
Required roles
To get the permissions that you need to activate Security Command Center for an organization, ask your administrator to grant you the following IAM roles on your organization:
- Security Center Admin (roles/securitycenter.admin)
- Organization Administrator (roles/resourcemanager.organizationAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Enable the Security Center Management API
If you plan to use the Security Center Management API, enable this API in the project where you plan to call it:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Review organization policies
If your organization policies are set to restrict identities by domain, confirm the following:
- You must be signed in to the Google Cloud console on an account that's in an allowed domain.
- Your service accounts must be in an allowed domain, or members of a group within your domain. This requirement lets you allow services that use the @*.gserviceaccount.com service account to access resources when domain restricted sharing is enabled.
If your organization policies are set to restrict resource usage, verify that the following APIs are allowed by your policy:
- securitycenter.googleapis.com
- securitycentermanagement.googleapis.com
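A preflight check for the prerequisites above, added here as an example and not part of Google's documentation: it inspects an organization IAM policy for the two required roles and a resource-usage restriction policy for the two required APIs. It assumes JSON in the shape of IAM policy `bindings` and Organization Policy v2 `spec.rules`; the function names and sample data are constructed for illustration.

```python
import json

# Role and API names are the ones this page lists.
REQUIRED_ROLES = {"roles/securitycenter.admin",
                  "roles/resourcemanager.organizationAdmin"}
REQUIRED_APIS = {"securitycenter.googleapis.com",
                 "securitycentermanagement.googleapis.com"}

def missing_roles(iam_policy, principals):
    """Required roles not bound to any of `principals` (user plus known groups).

    Only role names are matched; permissions obtained through custom or other
    predefined roles are not recognised.
    """
    held = {b["role"] for b in iam_policy.get("bindings", [])
            if principals & set(b.get("members", []))}
    return REQUIRED_ROLES - held

def _name(value):
    # Tolerate the optional "is:" prefix on org policy list values.
    return value[3:] if value.startswith("is:") else value

def blocked_apis(org_policy):
    """Required APIs that a resource-usage restriction policy would not allow.

    Rules are merged conservatively: conditions on a rule are ignored.
    """
    blocked = set()
    for rule in org_policy.get("spec", {}).get("rules", []):
        if rule.get("denyAll"):
            return set(REQUIRED_APIS)
        values = rule.get("values", {})
        allowed = {_name(v) for v in values.get("allowedValues", [])}
        denied = {_name(v) for v in values.get("deniedValues", [])}
        if allowed:
            blocked |= REQUIRED_APIS - allowed
        blocked |= REQUIRED_APIS & denied
    return blocked

# Constructed sample input (not real output): an organization IAM policy and a
# gcp.restrictServiceUsage policy, in the JSON shapes assumed above.
SAMPLE_IAM = json.loads("""{"bindings": [
  {"role": "roles/securitycenter.admin", "members": ["user:alice@example.com"]},
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["group:org-admins@example.com"]}]}""")
SAMPLE_ORG_POLICY = json.loads("""{"spec": {"rules": [{"values": {"allowedValues":
  ["compute.googleapis.com", "is:securitycenter.googleapis.com"]}}]}}""")

if __name__ == "__main__":
    print("missing roles:", sorted(missing_roles(SAMPLE_IAM, {"user:alice@example.com"})))
    print("blocked APIs:", sorted(blocked_apis(SAMPLE_ORG_POLICY)))
```

Group membership is not resolved from the IAM policy itself, so pass any groups the account belongs to alongside the user principal.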
Activate Security Command Center Standard
You can activate Security Command Center Standard for an organization through the Google Cloud console.
In the Google Cloud console, go to the Security Command Center welcome page.
Select the organization that you want to enable Security Command Center Standard for, and then click Get Standard.
On the welcome page, click Select.
Optional: To enable data residency and data encryption, click Show more.
For more information about data residency, see Planning for data residency.
For more information about data encryption, see Enable CMEK for Security Command Center. If your organization uses CMEK organization policies, you might only have the option to choose CMEK or specific keys. If you don't use CMEK with Security Command Center, then Google encrypts data at rest using Google-owned and Google-managed encryption keys.
Click Activate.
As results become available, they are displayed in the console. Then you can use the Google Cloud console to review and remediate Google Cloud security and data risks.
Security Command Center completes its first full scan within 24 hours. There might be a delay before scans are started for some services. For more information, see When to expect findings in Security Command Center.
If you upgrade from Security Command Center Standard to Premium, you gain access to charts that show the scan progress for features such as issues, threats, and frameworks. Existing charts are also updated with scan results from Premium detectors as results become available.
Services for Security Command Center Standard
After you activate Security Command Center Standard, specific services are automatically enabled, and service agents are created so that these services can act on your behalf.
Security Command Center uses detection services to detect security issues. The following services are enabled when you activate Security Command Center Standard:
See each service's documentation for usage and optimization instructions.
You can enable additional services by following the steps in Configure Security Command Center services.
Modify your Security Command Center service tier
For more information about tier management, see Modify Security Command Center Standard tier for an organization.
What's next
- Learn how to configure Security Command Center services.
- Learn how to use Security Command Center in the Google Cloud console.
- Learn how to work with Security Command Center findings.
- Learn about Google Cloud security sources.
- Find out how Model Armor can help protect your AI workloads.