This document provides a step-by-step guide to enable the public bucket remediation for the posture findings playbooks in the Enterprise tier of Security Command Center.
Overview
Security Command Center supports additional remediation for the vulnerabilities in the following playbooks:
- Posture Findings – Generic
- Posture Findings With Jira
- Posture Findings With ServiceNow
These posture findings playbooks include a block that remediates the OPEN PORT, PUBLIC IP ADDRESS, and PUBLIC_BUCKET_ACL findings. For more information about these finding types, see Vulnerability findings.
Playbooks are preconfigured to process the OPEN PORT and PUBLIC IP ADDRESS findings. Remediating the PUBLIC_BUCKET_ACL findings requires that you enable the public bucket remediation for playbooks.
Enable public bucket remediation for playbooks
After the Security Health Analytics (SHA) detector identifies the
Cloud Storage buckets that are publicly accessible and generates the PUBLIC_BUCKET_ACL 
findings, Security Command Center Enterprise ingests the findings
and attaches playbooks to them. To enable the public bucket remediation for
posture findings playbooks, you need to create a custom IAM role,
configure a specific permission for it, and grant the custom role that you've
created to an existing principal.
Before you begin
A configured and running instance of the Cloud Storage integration is required to remediate public bucket access. To validate the integration configuration, see Update the Enterprise use case.
Create a custom IAM role
To create a custom IAM role and configure a specific permission for it, complete the following steps:
- In the Google Cloud console, go to the IAM Roles page.
- Click Create role to create a custom role with the permission required for the integration.
- For the new custom role, provide the Title, Description, and a unique ID.
- Set the Role Launch Stage to General Availability.
- Add the following permission to the created role: resourcemanager.organizations.setIamPolicy
- Click Create.
Grant a custom role to an existing principal
The resourcemanager.organizations.setIamPolicy permission lets its holder edit the IAM policy of the organization, which means granting or revoking any role for any principal across every resource in your organization. Grant the custom role only to the single principal that the Cloud Storage integration runs as, never to a group, a domain, or allUsers, and audit that binding periodically.
To grant the custom role to an existing principal, complete the following steps:
- In the Google Cloud console, go to the IAM page.
- In the Filter field, paste the Workload Identity Email value that you use for the Cloud Storage integration and search for the existing principal.
- Click Edit principal. The Edit access to "PROJECT" dialog opens.
- Under Assign roles, click Add another role.
- Select the custom role that you've created and click Save.
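The same two procedures (Create a custom IAM role and Grant a custom role to an existing principal) done with gcloud instead of the console, as an added example that is not part of this page or of the Security Command Center product. It assumes that the role is created and bound at the organization level (the permission acts on organization IAM policy, so ORG_ID is the numeric organization ID you supply), that ROLE_ID is a role ID you choose, and that the Workload Identity Email of the Cloud Storage integration is a service account address ending in .iam.gserviceaccount.com; the script refuses any other kind of principal so the org-wide permission cannot accidentally land on a group, a domain, or allUsers. Set DRY_RUN=1 to print the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the Security Command Center documentation):
# create the custom role and bind it to the integration's workload identity
# service account with gcloud. ORG_ID, ROLE_ID and WORKLOAD_IDENTITY_EMAIL
# are placeholders you supply; DRY_RUN=1 prints the commands instead.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it on one line when DRY_RUN=1.
run_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Write the custom role definition to the file named by $3: one permission,
# GA launch stage, in the YAML format accepted by "gcloud iam roles create".
write_role_file() {
  title="$1"; description="$2"; out="$3"
  cat > "$out" <<EOF
title: "$title"
description: "$description"
stage: GA
includedPermissions:
- resourcemanager.organizations.setIamPolicy
EOF
}

# Step 1: create the custom role at the organization level (assumed scope).
create_role() {
  org_id="$1"; role_id="$2"; role_file="$3"
  run_cmd gcloud iam roles create "$role_id" \
    --organization="$org_id" --file="$role_file"
}

# Step 2: grant the role to exactly one service account. Anything that is
# not a service-account address (allUsers, a group, a domain) is rejected,
# because the permission allows editing the whole organization's IAM policy.
grant_role() {
  org_id="$1"; role_id="$2"; member_email="$3"
  case "$member_email" in
    *@*.iam.gserviceaccount.com) ;;
    *) echo "refusing to bind non-service-account principal: $member_email" >&2
       return 1 ;;
  esac
  run_cmd gcloud organizations add-iam-policy-binding "$org_id" \
    --member="serviceAccount:$member_email" \
    --role="organizations/$org_id/roles/$role_id"
}

# Step 3: list every member holding the custom role, for a post-grant audit.
list_role_holders() {
  org_id="$1"; role_id="$2"
  run_cmd gcloud organizations get-iam-policy "$org_id" \
    --flatten="bindings[].members" \
    --filter="bindings.role:organizations/$org_id/roles/$role_id" \
    --format="value(bindings.members)"
}

# Usage: runs the three steps only when all placeholders are set, e.g.
#   ORG_ID=123456789012 ROLE_ID=sccBucketRemediation \
#   WORKLOAD_IDENTITY_EMAIL=scc-storage@my-proj.iam.gserviceaccount.com sh enable.sh
if [ -n "${ORG_ID:-}" ] && [ -n "${ROLE_ID:-}" ] && [ -n "${WORKLOAD_IDENTITY_EMAIL:-}" ]; then
  role_file=$(mktemp)
  write_role_file "SCC public bucket remediation" \
    "Lets the Cloud Storage integration remediate PUBLIC_BUCKET_ACL findings" "$role_file"
  create_role "$ORG_ID" "$ROLE_ID" "$role_file"
  grant_role "$ORG_ID" "$ROLE_ID" "$WORKLOAD_IDENTITY_EMAIL"
  list_role_holders "$ORG_ID" "$ROLE_ID"
  rm -f "$role_file"
fi
```

The third step is the check worth keeping: after the grant, the only member printed should be the integration's service account. If anything else appears, remove that binding before the playbooks start using the role.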

