How to configure Security Command Center Premium at Organization Level

Lucas Nogueira
Google Cloud - Community
6 min read · Jun 2, 2024

A Step-by-Step guide on setting up Security Command Center (SCC)

This document is meant to be a step-by-step guide on how to set up a basic configuration for Security Command Center (SCC) Premium. Following this guide you will be able to set up SCC with a fundamental basic configuration to protect your entire organization.

Step 1: Group Creation and IAM permissions

It is very important to segregate access to SCC. Some users, like security administrators, will need administrative access to SCC; other users, like security auditors, will only need viewer access.

Diagram of RBAC applied to SCC: admins are viewers, but viewers are not admins.

One of the best practices is to create different groups in Google Admin and manage users through these groups. Avoid granting permissions to individual users; grant them to the groups instead.

This practice is called Role Based Access Control (RBAC), and it is an effective and clear way to manage users: each group represents a role in the company with its own specific set of permissions.

In the Admin Console, create the following groups for the organization:

  • scc-admins@exampledomain.google
  • scc-viewers@exampledomain.google

Once you have created the groups, you will have to grant IAM roles to each group. We will grant the following roles:

Roles for the Security Viewer Group

Roles for the Security Admin Group

The roles can be granted using Terraform, as shown in the following example:


# Module: Google Cloud Organization IAM Bindings (Example)

module "organization_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/organizations_iam"
  version = "~> 5.0" # Ensure compatibility

  # Placeholder for Organization ID
  organizations = ["<YOUR_ORGANIZATION_ID>"] # Replace with your actual Organization ID
  mode          = "additive"                 # Don't remove existing bindings

  bindings = {
    # Security Center Admin Role
    "roles/securitycenter.admin" = [
      "group:<SECURITY_CENTER_ADMIN_GROUP_EMAIL>" # Placeholder for admin group email
    ],

    # Organization Administrator Role
    # Highly privileged: it controls the IAM policy of the whole organization,
    # so keep membership of the admin group small and reviewed.
    "roles/resourcemanager.organizationAdmin" = [
      "group:<SECURITY_CENTER_ADMIN_GROUP_EMAIL>"
    ],

    # Security Center Settings Admin Role
    "roles/securitycenter.settingsAdmin" = [
      "group:<SECURITY_CENTER_ADMIN_GROUP_EMAIL>"
    ],

    # IAM Security Admin Role
    "roles/iam.securityAdmin" = [
      "group:<SECURITY_CENTER_ADMIN_GROUP_EMAIL>"
    ],

    # Service Account Creator Role
    "roles/iam.serviceAccountCreator" = [
      "group:<SECURITY_CENTER_ADMIN_GROUP_EMAIL>"
    ],

    # Security Center Viewer Roles (read-only access to findings and settings)
    "roles/securitycenter.adminViewer" = [
      "group:<SECURITY_VIEWER_GROUP_EMAIL>" # Placeholder for viewer group email
    ],
    "roles/securitycenter.settingsViewer" = [
      "group:<SECURITY_VIEWER_GROUP_EMAIL>"
    ],

    # Security Center Service Agent (Example)
    "roles/securitycenter.serviceAgent" = [
      # Replace <PROJECT_NUMBER> with the project number of the SCC service agent
      "serviceAccount:service-<PROJECT_NUMBER>@security-center-api.iam.gserviceaccount.com"
    ],
  }
}

Notice: we are also granting the roles/securitycenter.serviceAgent role to a Google Cloud service account. SCC requires this binding in order to work properly.
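After applying the Terraform above, it is worth checking that the organization's IAM policy actually matches the RBAC model from this step and has not drifted. The following audit is an added example (not part of the original post): it reads the JSON that `gcloud organizations get-iam-policy ORG_ID --format=json` prints, using the role sets from the Terraform example and a constructed sample policy, and reports missing group roles, securitycenter roles bound directly to individual users, and a missing service agent binding.

```python
import json

# Role sets taken from the Terraform example in Step 1.
ADMIN_ROLES = {
    "roles/securitycenter.admin",
    "roles/resourcemanager.organizationAdmin",
    "roles/securitycenter.settingsAdmin",
    "roles/iam.securityAdmin",
    "roles/iam.serviceAccountCreator",
}
VIEWER_ROLES = {"roles/securitycenter.adminViewer", "roles/securitycenter.settingsViewer"}
SCC_AGENT_SUFFIX = "@security-center-api.iam.gserviceaccount.com"


def audit_scc_rbac(policy, admin_group, viewer_group):
    """Return drift findings as strings; an empty list means the policy matches the model."""
    roles_of = {}  # member -> set of roles held at organization level
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles_of.setdefault(member, set()).add(binding["role"])
    admin = roles_of.get(f"group:{admin_group}", set())
    viewer = roles_of.get(f"group:{viewer_group}", set())
    findings = [f"admin group missing {r}" for r in sorted(ADMIN_ROLES - admin)]
    findings += [f"viewer group missing {r}" for r in sorted(VIEWER_ROLES - viewer)]
    findings += [f"viewer group holds admin role {r}" for r in sorted(ADMIN_ROLES & viewer)]
    # RBAC rule from Step 1: SCC roles are bound to groups, never to individual users.
    for member, roles in sorted(roles_of.items()):
        if member.startswith("user:"):
            findings += [f"{member} holds {r} directly; bind it to a group instead"
                         for r in sorted(roles) if r.startswith("roles/securitycenter.")]
    # The SCC service agent must keep roles/securitycenter.serviceAgent (see the notice above).
    if not any(m.startswith("serviceAccount:") and m.endswith(SCC_AGENT_SUFFIX)
               and "roles/securitycenter.serviceAgent" in r for m, r in roles_of.items()):
        findings.append("no SCC service agent holds roles/securitycenter.serviceAgent")
    return findings


# Constructed sample in the shape of `gcloud organizations get-iam-policy ORG_ID --format=json`;
# alice's direct binding is the kind of drift the audit is meant to catch.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/securitycenter.admin", "members": ["group:scc-admins@exampledomain.google"]},
  {"role": "roles/resourcemanager.organizationAdmin", "members": ["group:scc-admins@exampledomain.google"]},
  {"role": "roles/securitycenter.settingsAdmin", "members": ["group:scc-admins@exampledomain.google"]},
  {"role": "roles/iam.securityAdmin", "members": ["group:scc-admins@exampledomain.google"]},
  {"role": "roles/iam.serviceAccountCreator", "members": ["group:scc-admins@exampledomain.google"]},
  {"role": "roles/securitycenter.adminViewer",
   "members": ["group:scc-viewers@exampledomain.google", "user:alice@exampledomain.google"]},
  {"role": "roles/securitycenter.settingsViewer", "members": ["group:scc-viewers@exampledomain.google"]},
  {"role": "roles/securitycenter.serviceAgent",
   "members": ["serviceAccount:service-123456789012@security-center-api.iam.gserviceaccount.com"]}
]}""")
```

Running `audit_scc_rbac(SAMPLE_POLICY, "scc-admins@exampledomain.google", "scc-viewers@exampledomain.google")` on the sample reports only alice's direct binding; scheduling the same check against the live policy export catches later drift.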

Step 2: Activate SCC Premium Tier at Org Level

First of all, make sure you are working at the organization level by selecting your organization as the working resource. In this example we are working with the organization domain exampledomain.google, so we select that.

Screenshot showing the organization exampledomain.google being selected as a resource.

Continue your setup by following the SCC org level activation documentation to activate the SCC premium tier.

This process requires just a few clicks and once completed you should have your SCC Premium activated.

Step 3: Enable the built-in services

This is a crucial step: here we select which services we want to use in SCC. The service offering can change over time, since new services may be added and existing ones removed.

We will focus on how to enable the services; which services you enable will depend on your organization’s specific needs. The most common services to enable are Security Health Analytics (SHA) and Event Threat Detection (ETD).

Enabling these services will give you the ability to detect different threats and vulnerabilities in your environment.

To enable the services, go to the Cloud Console Services Configuration page. You can reach it through the “Settings” button on the Risk overview page.

In the settings page, select the services you want to enable, and click on Manage Settings.

A screenshot of the Settings page in SCC. Each service has links to its documentation where you can learn more about it.

This will open the service enablement panel.

In the service enablement panel, click on the dropdown that says “Disabled” and select “Enabled”.

You can enable and disable these services whenever you want, so there’s no need to enable all of them at the same time.

Step 4: Enable the Integrated Services

Integrated services are Google Cloud or third-party services that provide more findings to Security Command Center.

You can go to the service configuration page and select the integrated services tab and activate all the integrated services that match your Organization requirements.

Screenshot of the integrated services tab

The following services are my personal preference to be turned on when using Integrated Services, since they can provide useful information about our Organization security posture:

  • Cloud Anomaly Detection
  • Cloud Armor
  • IAM Recommender

Integrated services are quite similar to any other services, and you can install new services over time as your organization grows.

Step 5: Enable Required Logs

Detectors only work if the logs SCC needs to correlate events are enabled. It is very important to enable the required logs; otherwise our configuration will not work.

Depending on what services you have activated, some logs will be required and some logs can be skipped. You must review the documentation of each service to understand which logs are required for each service.

To enable logs, you first have to enable the Cloud Logging API. This can be done in the console or with the Google Cloud CLI.

Some logs, like Audit Logs, are enabled automatically, but others must be turned on manually. Some useful logs to enable would be:

Depending on which services you use in the organization, the required logs will vary widely. Make sure to research which logs to enable for each service you activate so that the services can run smoothly.

If you activated ETD, make sure VPC Flow Logs are enabled, since they are used to detect network-level threats.

Event Threat Detection has an extensive list of logs that you need to turn on. Please refer to the Logs that you need to turn on documentation and activate all the logs you need.
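Because ETD's network detections are silent on any subnet whose VPC Flow Logs are off, a quick inventory check is useful before expecting findings. The following is an added example (not from the original post): it reads the JSON that `gcloud compute networks subnets list --format=json` prints and lists subnets without flow logging, using a constructed sample in place of real output.

```python
def subnets_without_flow_logs(subnets):
    """Return sorted 'region/subnet' names for subnets with VPC Flow Logs disabled."""
    missing = []
    for subnet in subnets:
        log_config = subnet.get("logConfig") or {}
        # The Compute API reports flow logging as logConfig.enable; older output may
        # only carry the legacy enableFlowLogs flag, so fall back to it.
        enabled = log_config.get("enable", subnet.get("enableFlowLogs", False))
        if not enabled:
            # region is a full resource URL; keep only the trailing region name
            region = subnet.get("region", "unknown").rsplit("/", 1)[-1]
            missing.append(f"{region}/{subnet['name']}")
    return sorted(missing)


# Constructed sample, trimmed to the fields the check reads.
SAMPLE_SUBNETS = [
    {"name": "prod-web",
     "region": "https://www.googleapis.com/compute/v1/projects/example/regions/us-central1",
     "logConfig": {"enable": True, "aggregationInterval": "INTERVAL_5_SEC", "flowSampling": 0.5}},
    {"name": "prod-db",
     "region": "https://www.googleapis.com/compute/v1/projects/example/regions/us-central1",
     "logConfig": {"enable": False}},
    {"name": "legacy",
     "region": "https://www.googleapis.com/compute/v1/projects/example/regions/europe-west1",
     "enableFlowLogs": False},
]
```

An empty result is the goal; each subnet listed is one where ETD will not see network traffic until flow logs are turned on.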

What we have so far

So far we have managed to configure SCC to detect threats and vulnerabilities in our environment. This is the most basic configuration required to start using SCC in the organization.

Enabling logs and services enables the detection of threats and vulnerabilities and empowers you to remediate them.

By creating RBAC groups, you have the capability to designate users to review SCC findings and fix issues with restricted permissions to the SCC.

We have also set up an admin group that is able to update and further customize the SCC configuration.

Customize the SCC configuration

After reading this guide you should be able to start your SCC journey with a solid foundation, and now you can start fine-tuning your SCC setup.

Some other settings and setups you can enable on SCC are:

These advanced configurations are very useful for managing the organization health and security posture and we will review them in more detail in future articles.


Cloud Security Consultant at Google Cloud. Safeguarding trust through security.