Activate Security Command Center Standard tier for an organization

This document describes how to activate Security Command Center Standard for an organization using the Google Cloud console.

Standard tier activations at the organization level enable the enhanced Standard tier features.

To activate Security Command Center for a different service tier, see the following:

To activate Security Command Center for a project, see Activate Security Command Center for a project.

Before you begin

Before you activate Security Command Center Standard for an organization, you need to do the following:

  • Obtain specific Identity and Access Management (IAM) roles and permissions.
  • Optional: Enable the Security Center Management API.
  • Review your organization policies, if applicable to your organization.
  • If you plan to enable data residency, review Planning for data residency and determine which location to use.
  • If you plan to use a customer-managed encryption key (CMEK), complete the required tasks for enabling CMEK for Security Command Center.

    You can configure data residency and data encryption when you activate Security Command Center. To change these settings after you activate Security Command Center Standard or Premium, see Modify data residency or data encryption configuration.

Required roles

To get the permissions that you need to activate Security Command Center for an organization, ask your administrator to grant you the following IAM roles on your organization:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable the Security Center Management API

If you plan to use the Security Center Management API, enable this API in the project where you plan to call it:

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Enable the API

Review organization policies

If your organization policies are set to restrict identities by domain, confirm the following:

  • You must be signed in to the Google Cloud console on an account that's in an allowed domain.
  • Your service accounts must be in an allowed domain, or members of a group within your domain. This requirement lets you allow services that use the @*.gserviceaccount.com service account to access resources when domain restricted sharing is enabled.

If your organization policies are set to restrict resource usage, verify that the following APIs are allowed by your policy:

  • securitycenter.googleapis.com
  • securitycentermanagement.googleapis.com

Activate Security Command Center Standard

You can activate Security Command Center Standard for an organization through the Google Cloud console.

  1. In the Google Cloud console, go to the Security Command Center welcome page.

    Go to Security Command Center

  2. If you want to enable data residency, open a jurisdictional console using the URL that matches the location you plan to configure.

    You must use the jurisdictional Google Cloud console to activate Security Command Center with data residency controls and modify the data residency configuration after activation. For details, see About the jurisdictional Google Cloud console.

  3. Select the organization that you want to enable Security Command Center Standard for, and then click Get Standard.

  4. On the welcome page, click Select.

  5. Optional: To confirm the data residency configuration or change the data encryption configuration, click Show more.

    • If you are using a jurisdictional console, the Data residency field displays Enable and the Location field displays the same location as the jurisdictional console. To change the location, open the console using a URL that matches the location you want to configure.
    • The default data encryption configuration uses Google-owned and Google-managed encryption keys. To use a Cloud Key Management Service key, click Edit data encryption, and then do the following:
      1. Select Cloud KMS key.
      2. Select a project.
      3. Select a key. You can select a key from any Google Cloud project, including projects in other organizations. Only keys in compatible locations are displayed in the list.

      To learn which key locations are compatible with Security Command Center, see Determine the key location.

      If your organization uses CMEK organization policies, you might only have the option to choose CMEK or specific keys.

      During the activation process, Security Command Center grants the Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) role to the Cloud Security Command Center Service Agent on the Cloud KMS key.

  6. Click Activate.

As results become available, they are displayed in the console. Then you can use the Google Cloud console to review and remediate Google Cloud security and data risks.

Security Command Center completes its first full scan within 24 hours. There might be a delay before scans are started for some services. For more information, see When to expect findings in Security Command Center.

If you upgrade from Security Command Center Standard to Premium, you gain access to charts that show the scan progress for features such as issues, threats, and frameworks. Existing charts are also updated with scan results from Premium detectors as results become available.

Services for Security Command Center Standard

After you activate Security Command Center Standard, specific services are automatically enabled, and service agents are created so that these services can act on your behalf.

Security Command Center uses detection services to detect security issues. The following services are enabled when you activate Security Command Center Standard:

See each service's documentation for usage and optimization instructions.

You can enable additional services by following the steps in Configure Security Command Center services.

Modify your Security Command Center service tier

For more information about tier management, see Modify Security Command Center Standard tier for an organization.

What's next