Console
    Contact Us Start free

    Security Command Center regional endpoints

    This document explains how to work with Security Command Center resources when data residency is enabled. You can only enable data residency for Security Command Center when you activate the Security Command Center Standard or Premium service tier for an organization , or when you activate the Security Command Center Enterprise service tier .

    Resources with data residency controls

    The following Security Command Center resource types are subject to data residency controls :

    To work with these resources programmatically or on the command line, you must use the regional endpoints for the Security Command Center API. To work with these resources in the Google Cloud console, you must use the jurisdictional Google Cloud console .

    For all other resource types, use the default API endpoints and the Google Cloud console .

    About regional endpoints

    Regional endpoints provide access to resources in a specific location. When you use a regional endpoint, your request is routed directly to the endpoint's location. You can't use a regional endpoint to access resources in other locations.

    Using a regional endpoint helps you enforce data residency controls for your resources when they're at rest, in use, and in transit.

    Security Command Center includes multiple services. For resource types that are subject to data residency controls , the following services require you to use regional endpoints:

    Model Armor API
    modelarmor. LOCATION .rep.googleapis.com
    Security Command Center API
    securitycenter. LOCATION .rep.googleapis.com
    Google SecOps
    See the Google SecOps reference documentation .

    Replace LOCATION with a supported location for the service.

    For all other resource types, you must use the default endpoint.

    About the jurisdictional Google Cloud console

    The jurisdictional Google Cloud console lets you enable data residency when you activate Security Command Center . It also provides access to resources in a specific location.

    Using the jurisdictional Google Cloud console helps you enforce data residency controls for your resources when they're at rest, in use, and in transit.

    You can use the jurisdictional Google Cloud console to access only resource types that are subject to data residency controls . To open the console, use the appropriate URL for your location:

    European Union
    Federated identity users : console.eu.cloud.google
    All other users: console.eu.cloud.google.com
    Kingdom of Saudi Arabia (KSA)
    Federated identity users: console.sa.cloud.google
    All other users: console.sa.cloud.google.com
    United States
    Federated identity users: console.us.cloud.google
    All other users: console.us.cloud.google.com

    For all other resource types, you must use the standard Google Cloud console.

    Locations for regional endpoints

    This section lists the locations where regional endpoints are available for the Security Command Center API and related services.

    Locations for the Security Command Center API

    The Security Command Center API provides regional and multi-region endpoints in the following locations:

    European Union
    eu
    Kingdom of Saudi Arabia (KSA)
    me-central2
    United States
    us

    Locations for the Model Armor API

    The Model Armor API provides regional endpoints in the following locations:

    European Union
    europe-west4 : Netherlandsleaf icon Low CO 2
    United States
    us-central1 : Iowaleaf icon Low CO 2
    us-east1 : South Carolina
    us-east4 : Northern Virginia
    us-west1 : Oregonleaf icon Low CO 2
    Asia Pacific
    asia-southeast1 : Singapore (supports only data residency at rest )

    The Model Armor API provides multi-region endpoints in the following locations:

    European Union
    eu
    United States
    us

    Locations for AI Protection

    For the full benefit of AI Protection ( Preview ), the AI workloads need to be in these regions:

    European Union
    europe-west4 : Netherlandsleaf icon Low CO 2
    United States
    us-central1 : Iowaleaf icon Low CO 2
    us-east4 : Northern Virginia
    us-west1 : Oregonleaf icon Low CO 2

    AI Protection provides multi-region endpoints in the following locations:

    European Union
    eu
    United States
    us

    The available features vary by region. To find out which features are or aren't available in your region, refer to the following table.

    Region
    Notebook Security Scanner
    Model Armor
    Features not available
    us-east7
    Yes
    No
    • The Vertex AI model isn't protected by Model Armor.
    • Findings aren't available.
    • Two Model Armor widgets don't have any data available.
    europe-west1
    europe-west2
    asia-southeast1
    No
    Yes
    Package vulnerability findings aren't available.
    Other regions
    No
    No
    • The Vertex AI model isn't protected by Model Armor.
    • Findings aren't available.
    • Two Model Armor widgets don't have any data available.
    • Package vulnerability findings aren't available.

    Locations for Google SecOps

    See the Google SecOps locations page .

    Tools for regional endpoints

    To manage resource types that are subject to data residency controls , you must specify a regional endpoint when you create a client or run a command.

    For all other resource types, you must use the default endpoint.

    gcloud

    The following gcloud CLI command groups require you to use a regional endpoint:

    For all other gcloud scc command groups, you must use the default endpoint for the Security Command Center API.

    Change the service endpoint

    To switch to a regional endpoint, run the following command:

    gcloud  
config  
 set 
  
api_endpoint_overrides/ SERVICE 
  
 \ 
  
https:// SERVICE 
. LOCATION 
.rep.googleapis.com/

    To switch to the default endpoint, run the following command:

    gcloud  
config  
 unset 
  
api_endpoint_overrides/ SERVICE

    Replace the following:

    • SERVICE : the service to configure; use modelarmor for the Model Armor API or securitycenter for the Security Command Center API
    • LOCATION : a supported location for the service

    Optionally, you can create a named configuration for the gcloud CLI that uses the regional endpoint. Before you run a gcloud CLI command, you can switch to the named configuration by running the gcloud config configurations activate command.

    Run a gcloud CLI command

    When you run a gcloud CLI command for the Security Command Center API, you must always specify the location. There are a few ways to do this:

    • Use the --location flag.
    • If you provide the full path of the resource name, use a format that specifies a location, like projects/123/sources/456/locations/ LOCATION /findings/a1b2c3 .

    The following example shows how to use the --location flag.

    The gcloud scc findings list command lists an organization's findings in a specific location.

    Before using any of the command data below, make the following replacements:

    • ORGANIZATION_ID : the numeric ID of the organization
    • LOCATION : a supported location for the Security Command Center API

    Execute the gcloud scc findings list command:

    Linux, macOS, or Cloud Shell

    gcloud  
scc  
findings  
list  
 ORGANIZATION_ID 
  
--location = 
 LOCATION

    Windows (PowerShell)

    gcloud  
scc  
findings  
list  
 ORGANIZATION_ID 
  
--location = 
 LOCATION

    Windows (cmd.exe)

    gcloud  
scc  
findings  
list  
 ORGANIZATION_ID 
  
--location = 
 LOCATION

    The response contains a list of findings.

    Terraform

    To learn how to apply or remove a Terraform configuration, see Basic Terraform commands . For more information, see the Terraform provider reference documentation .

      provider 
  
 "google" 
  
 { 
  
 alias 
  
 = 
  
 "securitycenter_v2_endpoint_us" 
  
 security_center_v2_custom_endpoint 
  
 = 
  
 "https://securitycenter.us.rep.googleapis.com/v2/" 
 }

    Go

    Use one of the following regional endpoints:

    Model Armor API
    modelarmor. LOCATION .rep.googleapis.com:443
    Security Command Center API
    securitycenter. LOCATION .rep.googleapis.com:443

    Replace LOCATION with a supported location for the service.

    The following code sample shows how to create a Security Command Center API client that uses a regional endpoint.

      import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 securitycenter 
  
 "cloud.google.com/go/securitycenter/apiv2" 
  
 "google.golang.org/api/option" 
 ) 
 // createClientWithEndpoint creates a Security Command Center client for a 
 // regional endpoint. 
 func 
  
 createClientWithEndpoint 
 ( 
 repLocation 
  
 string 
 ) 
  
 error 
  
 { 
  
 // Assemble the regional endpoint URL using provided location. 
  
 repEndpoint 
  
 := 
  
 fmt 
 . 
 Sprintf 
 ( 
 "securitycenter.%s.rep.googleapis.com:443" 
 , 
  
 repLocation 
 ) 
  
 // Instantiate client for regional endpoint. Use this client to access resources that 
  
 // are subject to data residency controls, and that are located in the region 
  
 // specified in repLocation. 
  
 repCtx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 repClient 
 , 
  
 err 
  
 := 
  
 securitycenter 
 . 
  NewClient 
 
 ( 
 repCtx 
 , 
  
 option 
 . 
 WithEndpoint 
 ( 
 repEndpoint 
 )) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 err 
  
 } 
  
 defer 
  
 repClient 
 . 
  Close 
 
 () 
  
 return 
  
 nil 
 }

    Java

    Use one of the following regional endpoints:

    Model Armor API
    modelarmor. LOCATION .rep.googleapis.com:443
    Security Command Center API
    securitycenter. LOCATION .rep.googleapis.com:443

    Replace LOCATION with a supported location for the service.

    The following code sample shows how to create a Security Command Center API client that uses a regional endpoint.

      import 
  
 com.google.cloud.securitycenter.v2. SecurityCenterClient 
 
 ; 
 import 
  
 com.google.cloud.securitycenter.v2. SecurityCenterSettings 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 public 
  
 class 
 CreateClientWithEndpoint 
  
 { 
  
 public 
  
 static 
  
 void 
  
 main 
 ( 
 String 
 [] 
  
 args 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 // TODO: Replace the value with the endpoint for the region in which your 
  
 // Security Command Center data resides. 
  
 String 
  
 regionalEndpoint 
  
 = 
  
 "securitycenter.me-central2.rep.googleapis.com:443" 
 ; 
  
  SecurityCenterClient 
 
  
 client 
  
 = 
  
 createClientWithEndpoint 
 ( 
 regionalEndpoint 
 ); 
  
 System 
 . 
 out 
 . 
 println 
 ( 
 "Client initiated with endpoint: " 
  
 + 
  
 client 
 . 
  getSettings 
 
 (). 
 getEndpoint 
 ()); 
  
 } 
  
 // Creates Security Command Center client for a regional endpoint. 
  
 public 
  
 static 
  
  SecurityCenterClient 
 
  
 createClientWithEndpoint 
 ( 
 String 
  
 regionalEndpoint 
 ) 
  
 throws 
  
 java 
 . 
 io 
 . 
 IOException 
  
 { 
  
  SecurityCenterSettings 
 
  
 regionalSettings 
  
 = 
  
  SecurityCenterSettings 
 
 . 
 newBuilder 
 (). 
 setEndpoint 
 ( 
 regionalEndpoint 
 ). 
 build 
 (); 
  
 return 
  
  SecurityCenterClient 
 
 . 
 create 
 ( 
 regionalSettings 
 ); 
  
 } 
 }

    Python

    Use one of the following regional endpoints:

    Model Armor API
    modelarmor. LOCATION .rep.googleapis.com
    Security Command Center API
    securitycenter. LOCATION .rep.googleapis.com

    Replace LOCATION with a supported location for the service.

    The following code sample shows how to create a Security Command Center API client that uses a regional endpoint.

      from 
  
 google.cloud 
  
 import 
 securitycenter_v2 
 def 
  
 create_client_with_endpoint 
 ( 
 api_endpoint 
 ) 
 - 
> securitycenter_v2 
 . 
 SecurityCenterClient 
 : 
  
 """ 
 Creates a Security Command Center client for a regional endpoint. 
 Args: 
 api_endpoint: the regional endpoint's hostname, like 'securitycenter.REGION.rep.googleapis.com' 
 Returns: 
 securitycenter_v2.SecurityCenterClient: returns a client for the regional endpoint 
 """ 
 regional_client 
 = 
 securitycenter_v2 
 . 
 SecurityCenterClient 
 ( 
 client_options 
 = 
 { 
 "api_endpoint" 
 : 
 api_endpoint 
 } 
 ) 
 print 
 ( 
 "Regional client initiated with endpoint: 
 {} 
 " 
 . 
 format 
 ( 
 regional_client 
 . 
 api_endpoint 
 ) 
 ) 
 return 
 regional_client

    REST

    To access the following REST API resource types, you must use a regional service endpoint:

    Model Armor API

    Endpoint: https://modelarmor. LOCATION .rep.googleapis.com

    Replace LOCATION with a supported location for the service.

    Resource types: All resource types

    Security Command Center API

    Endpoint: https://securitycenter. LOCATION .rep.googleapis.com

    Replace LOCATION with a supported location for the service.

    Resource types:

    Replace LOCATION with a supported location for the service.

    For all other resource types, you must use the default endpoint.

    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: