Activate Security Command Center for a project

This page explains how to activate the Security Command Center Standard tier or Premium tier for a Google Cloud project.

To activate Security Command Center for an entire organization, see one of the following:

Before you begin

To activate Security Command Center on a project, you need the following prerequisites, which are explained in the following subsections:

  • Read the prerequisite information to understand how a project-level activation of Security Command Center differs from an organization-level activation.
  • You need to have a Google Cloud project that is associated with an organization.
  • Your user account needs to be granted Identity and Access Management (IAM) roles that contain the required permissions.
  • Enable required APIs, depending on how you were onboarded to the Security Command Center Standard tier.
  • If your project inherits organization policies that are set to restrict identities by domain, your user and service accounts must be in an allowed domain.
  • If you will use Container Threat Detection, your Google Kubernetes Engine clusters must support Container Threat Detection. For more information, see Confirm software versions for Container Threat Detection.

Prerequisite information

To understand how a project-level activation of Security Command Center differs from an organization-level activation, see Overview of project-level enablement of Security Command Center.

To learn about the services and Security Command Center findings that are not supported with project-level activations, see Project-level activation service limitations.

Project requirements

To activate Security Command Center for a project, the project must be associated with an organization. If you need to create a project, see Creating and managing projects.

Required roles

To get the permissions that you need to activate Security Command Center for a project, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable required APIs

If your organization was automatically onboarded to Security Command Center as part of Google Cloud services, or if you plan to use the Security Command Center API, you must enable the API for your project.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Enable the API

Verify organization policies

If your project inherits organization policies that are set to restrict identities by domain, you need to meet the following requirements:

  • You must be signed in to the Google Cloud console on an account that's in an allowed domain.
  • Your service accounts must be in an allowed domain or be members of a group within your domain. This requirement lets you allow @*.gserviceaccount.com services access to resources when domain restricted sharing is enabled.

Confirm software versions for Container Threat Detection

If you plan to use Container Threat Detection with Google Kubernetes Engine (GKE), make sure that your clusters are on a supported version of GKE and that the clusters are properly configured. For more information, see Using Container Threat Detection.

Activation scenarios for a project

This page covers the following activation scenarios:

  • In an organization that has never activated Security Command Center, activate either the Premium or Standard tier of Security Command Center for a project.
  • In an organization that uses the Standard tier, activate the Security Command Center Premium tier for a project.
  • In an organization that uses an expiring Premium tier subscription, activate the Premium tier of Security Command Center for a project.

Depending on whether your organization is using Security Command Center, you activate Security Command Center for a project by using different methods.

If your organization is not using Security Command Center, the Google Cloud console guides you through a series of setup pages.

If your organization is using Security Command Center, you activate Security Command Center Premium for a project by using the Tier Details tab of the Settings page.

Determine if Security Command Center is already active in your organization

How you activate Security Command Center for a project is different depending on whether Security Command Center is already active in your organization.

To check if Security Command Center is already active in your organization, complete the following steps:

  1. In the Google Cloud console, go to the Security Command Center Overview page.

    Go to Security Command Center

  2. Select the name of the project for which you need to activate Security Command Center.

    After you select the project, one of the following pages opens:

    • If Security Command Center is active in your organization, the Risk overview page opens.
    • If Security Command Center has not been activated in the organization, the welcome page opens, from which you can start the activation process for your project.
  3. If Security Command Center is already active in your organization, check the service tier that's active.

    1. Open the Security Command Center Settings page:

      Go to Settings

    2. On the Settings page, click Tier Details. The Tier page opens.

    3. On the Tier row, the service tier that the project is inheriting is listed.

  4. To activate Security Command Center for a project, follow the procedure for the activation state of Security Command Center in the parent organization:

Activate for a project when Security Command Center is active in the organization

If Security Command Center is already active in an organization, the only service tier you would need to activate at the project level is the Premium tier, because, at a minimum, the project will inherit the use of the Standard tier.

To review the features that are included with each tier, see Service tiers.

To upgrade your project to the Premium tier, follow these steps:

  1. In the Google Cloud console, go to the Tier details page.

    Go to Tier details

  2. Select the project that you want to upgrade the Security Command Center tier for, and then click Select.

  3. Click Manage project tier.

  4. In the Manage tier pane, click Select for the Premium tier. Then, click Update.

You have completed the activation of Security Command Center Premium for your project. Next, wait for the initial scans to complete.

Activate for a project when Security Command Center is not active in the organization

If Security Command Center isn't active in your organization, the welcome page with tier details is displayed when you open Security Command Center in the Google Cloud console. You start the activation process by selecting a tier.

Security Command Center has three tiers: Standard, Premium, and Enterprise. The tier that you select determines the features that are available to you and the cost of using Security Command Center. You can only activate Enterprise tier at the organization level. For more information, see Activate the Security Command Center Enterprise tier.

To review the features that are included with each tier, see Service tiers.

To activate Security Command Center for a project, select the service tier that you want to activate, Standard or Premium, and follow these steps:

Standard

  1. In the Google Cloud console, go to the Security Command Center Overview page.

    Go to Security Command Center

  2. Select the project that you want to enable Security Command Center Standard for, and then click Select.

  3. On the welcome page, click Get Standard.

  4. Click Activate.

Premium

  1. In the Google Cloud console, go to the Security Command Center Overview page.

    Go to Security Command Center

  2. Select the project that you want to enable Security Command Center Premium for, and then click Select.

  3. On the welcome page, select Start a Premium free trial.

  4. Click Activate.

Results are displayed in the Google Cloud console as they become available. After they're displayed, you can review and remediate Google Cloud security and data risks.

Security Command Center completes its first full scan within 24 hours. Some services might not start scanning right away. For more information, see When to expect findings in Security Command Center.

Services for Security Command Center

Security Command Center uses detection services to detect security issues in your cloud environments. After you activate Security Command Center, specific services are automatically enabled, and service agents are created so that these services can act on your behalf.

Follow the steps in Configure Security Command Center services to enable or disable various services.

The services that are automatically enabled are determined by your service tier. Select your service tier to see what's automatically enabled.

Standard

Activating Security Command Center Standard automatically enables Security Health Analytics and grants its service agent the roles and permissions required for the service to function.

Premium

The following services are enabled when you activate Security Command Center Premium:

Service agents

A service agent is a service account created and managed by Google Cloud to access resources on your behalf. After a service agent is created, Security Command Center automatically grants required IAM roles to the service agent. Security Command Center Premium activation includes the following service agents:

For usage and optimization instructions, refer to the documentation for each service. As an example, Event Threat Detection relies on logs generated by Google Cloud. Some logs are always on, so Event Threat Detection can start scanning these logs as soon as it is enabled. Other logs, such as most data access audit logs, must be activated before Event Threat Detection can scan them.
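The following Python check is an added example, not part of the Google Cloud documentation. It reads the `auditConfigs` section of a project IAM policy, in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and reports which Data Access audit log types are off or carry exemptions for the services you name. The sample policy, the member name, and the service list are constructed, and the check sees only the policy it is given, not configuration inherited from a folder or organization.

```python
import json

# Constructed sample in the shape of a project IAM policy export.
SAMPLE_POLICY = json.loads("""
{
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [
       {"logType": "DATA_READ", "exemptedMembers": ["user:batch@example.com"]},
       {"logType": "DATA_WRITE"}]}
  ],
  "bindings": []
}
""")

DATA_ACCESS_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

def data_access_coverage(policy, services):
    """Map each service to {log_type: 'off' | sorted list of exempted members}."""
    by_service = {}
    for cfg in policy.get("auditConfigs", []):
        by_service.setdefault(cfg["service"], []).extend(cfg.get("auditLogConfigs", []))
    report = {}
    for svc in services:
        status = {t: None for t in DATA_ACCESS_TYPES}  # None means not enabled
        # The allServices entry and the per-service entry are unioned:
        # a log type is on if either enables it, and exemptions accumulate.
        for entry in by_service.get("allServices", []) + by_service.get(svc, []):
            log_type = entry.get("logType")
            if log_type in status:
                exempt = set(entry.get("exemptedMembers", []))
                status[log_type] = exempt if status[log_type] is None else status[log_type] | exempt
        report[svc] = {t: "off" if m is None else sorted(m) for t, m in status.items()}
    return report

def gaps(report):
    """List (service, log_type, reason) for anything short of full coverage."""
    found = []
    for svc, types in report.items():
        for log_type, value in types.items():
            if value == "off":
                found.append((svc, log_type, "not enabled"))
            elif value:
                found.append((svc, log_type, "exempts " + ", ".join(value)))
    return found

if __name__ == "__main__":
    services = ["storage.googleapis.com", "iam.googleapis.com"]  # constructed list
    for gap in gaps(data_access_coverage(SAMPLE_POLICY, services)):
        print(*gap, sep="\t")
```
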

What's next

Learn more about Security Command Center and its built-in services.
