Allow Event Threat Detection to access VPC Service Controls perimeters
Stay organized with collectionsSave and categorize content based on your preferences.
This document describes how to add ingress rules to allow
Event Threat Detection to monitor logging streams in Security Command Center within
VPC Service Controls perimeters. Perform this task
if your organization uses VPC Service Controls to restrict services in projects that
you want Event Threat Detection to monitor. For more information about
Event Threat Detection, seeEvent Threat Detection overview.
Before you begin
Make sure that you have the following role or roles on the organization:
Cloud Asset Service Agent
(roles/cloudasset.serviceAgent).
In thePrincipalcolumn, find all rows that identify you or a group that
you're included in. To learn which groups you're included in, contact your
administrator.
For all rows that specify or include you, check theRolecolumn to see whether
the list of roles includes the required roles.
In theNew principalsfield, enter your user identifier.
This is typically the email address for a Google Account.
In theSelect a rolelist, select a role.
To grant additional roles, clickaddAdd
another roleand add each additional role.
ClickSave.
Create the ingress rules
To allow Event Threat Detection to monitor logging streams in Security Command Center within
VPC Service Controls perimeters, add the required ingress rules in those
perimeters. Perform these steps for each perimeter that you want Event Threat Detection
to monitor.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes how to add ingress rules to allow\nEvent Threat Detection to monitor logging streams in Security Command Center within\nVPC Service Controls perimeters. Perform this task\nif your organization uses VPC Service Controls to restrict services in projects that\nyou want Event Threat Detection to monitor. For more information about\nEvent Threat Detection, see\n[Event Threat Detection overview](/security-command-center/docs/concepts-event-threat-detection-overview).\n\nBefore you begin\n\n\nMake sure that you have the following role or roles on the organization:\n\nCloud Asset Service Agent\n(`roles/cloudasset.serviceAgent`).\n\nCheck for the roles\n\n1.\n In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)\n2. Select the organization.\n3.\n In the **Principal** column, find all rows that identify you or a group that\n you're included in. To learn which groups you're included in, contact your\n administrator.\n\n4. For all rows that specify or include you, check the **Role** column to see whether the list of roles includes the required roles.\n\nGrant the roles\n\n1.\n In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)\n2. Select the organization.\n3. Click person_add **Grant access**.\n4.\n In the **New principals** field, enter your user identifier.\n\n This is typically the email address for a Google Account.\n\n5. In the **Select a role** list, select a role.\n6. To grant additional roles, click add **Add\n another role** and add each additional role.\n7. Click **Save**.\n\nCreate the ingress rules\n\nTo allow Event Threat Detection to monitor logging streams in Security Command Center within\nVPC Service Controls perimeters, add the required ingress rules in those\nperimeters. Perform these steps for each perimeter that you want Event Threat Detection\nto monitor.\n\nFor more information, see\n[Updating ingress and egress policies for a service perimeter](/vpc-service-controls/docs/configuring-ingress-egress-policies#console)\nin the VPC Service Controls documentation.\n\n\nConsole\n\n1. In the Google Cloud console go to the **VPC Service Controls** page.\n\n\n [Go to VPC Service Controls](https://console.cloud.google.com/security/service-perimeter)\n2. Select your organization or project.\n3. If you selected an organization, click **Select an access policy** and then select the access policy associated with the perimeter that you want to update.\n4. Click the name of the perimeter that you want to update.\n\n\n To find the service perimeter you need to modify, you can check your logs for entries\n that show `RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER` violations. In those\n entries, check the `servicePerimeterName` field: \n\n ```\n accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME\n ```\n5. Click edit **Edit perimeter**.\n6. Click **Ingress policy**.\n7. Click **Add an ingress rule**.\n8. In the **FROM** section, set the following details:\n\n 1. For **Identity** , select **Select identities \\& groups**.\n 2. Click **Add identities**\n 3.\n Enter the email address of the\n\n [Security Center service agent](/security-command-center/docs/access-control-org#service-agent).\n\n\n The service agent's address has the\n following format:\n\n ```\n service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com\n ```\n\n Replace \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e with your organization ID.\n 4. Select the service agent or press \u003ckbd\u003eENTER\u003c/kbd\u003e, and then click **Add identities**.\n 5. For **Sources** , select **All sources**\n9. In the **TO** section, set the following details:\n\n 1. For **Project** , select **All projects**.\n 2. For **Operations or IAM roles** , select **Select operations**.\n 3. Click **Add operations**, and then add the following operations:\n\n - Add the **cloudasset.googleapis.com** service.\n 1. Click **All methods**.\n 2. Click **Add all methods**.\n10. Click **Save**.\n\ngcloud\n\n1.\n If a quota project isn't already set, then set it. Choose a project that has the\n Access Context Manager API enabled.\n\n ```bash\n gcloud config set billing/quota_project QUOTA_PROJECT_ID\n ```\n\n\n Replace \u003cvar translate=\"no\"\u003eQUOTA_PROJECT_ID\u003c/var\u003e with the ID of the project that you\n want to use for billing and quota.\n2. Create a file named `ingress-rule.yaml` with the following contents:\n\n ```yaml\n - ingressFrom:\n identities:\n - serviceAccount:service-org-\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e@security-center-api.iam.gserviceaccount.com\n sources:\n - accessLevel: '*'\n ingressTo:\n operations:\n - serviceName: cloudasset.googleapis.com\n methodSelectors:\n - method: '*'\n resources:\n - '*'\n ```\n\n Replace \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e with your organization ID.\n3. Add the ingress rule to the perimeter:\n\n ```bash\n gcloud access-context-manager perimeters update PERIMETER_NAME \\\n --set-ingress-policies=ingress-rule.yaml\n ```\n\n Replace the following:\n -\n \u003cvar translate=\"no\"\u003ePERIMETER_NAME\u003c/var\u003e: the name of the perimeter. For example,\n `accessPolicies/1234567890/servicePerimeters/example_perimeter`.\n\n\n To find the service perimeter you need to modify, you can check your logs for\n entries that show `RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER` violations.\n In those entries, check the `servicePerimeterName` field: \n\n ```\n accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME\n ```\n\n\nSee\n[Ingress and egress rules](/vpc-service-controls/docs/ingress-egress-rules) for\nmore information.\n\nWhat's next\n\n- Learn how to use [Event Threat Detection](/security-command-center/docs/concepts-event-threat-detection-overview)."]]
