This topic describes how to configure your Google Cloud organization to use Cyber Insurance Hub for the first time. These steps are prerequisites for most tasks in Cyber Insurance Hub.
Beginning Cyber Insurance Hub setup
To generate reports, Cyber Insurance Hub requires a one-time setup to be completed. This process requires Identity and Access Management (IAM) permissions beyond the scope of Cyber Insurance Hub, which may only be held by an administrator in your organization.
To begin setup, follow these steps:
Console
Go to the Cyber Insurance Hub setup page.
If no organization is selected, follow these steps:
- Click Select an organization.
- Select your organization in the drop-down menu.
Click Begin Setup. If this button is inactive, obtain the required setup permissions, and then try again.
Required setup permissions
If the Begin Setup button is inactive, you are missing the required permissions. To proceed, you must request these permissions from your Google Cloud administrator.
The following roles contain the permissions you need to complete the steps in this guide:
Risk Manager AdminOrganization Administrator
You can see the required permissions by hovering over the inactive Begin Setup button, but they are also listed here:
| Required permission | Reference |
|---|---|
riskmanager.serviceAccount.create |
See Cyber Insurance Hub access control for IAM roles that include this permission. See Assign IAM roles for how to assign Cyber Insurance Hub roles. |
resourcemanager.organizations.getIamPolicy |
See Access control for organizations for IAM roles that include this permission. |
resourcemanager.organizations.setIamPolicy |
See Access control for organizations for IAM roles that include this permission. |
Grant the Cyber Insurance Hub service account access to your organization
When you begin to set up Cyber Insurance Hub in the Google Cloud console, a service account is created. Upon creation, this service account has no permissions and cannot perform any actions.
The Cyber Insurance Hub service account must be granted the
Cyber Insurance Hub service agent role
(roles/riskmanager.serviceAgent) in order to read security findings and
build reports. This role grant is often referred to as "provisioning" by
Cyber Insurance Hub in the Google Cloud Google Cloud console. For more information
about the service agent role, see
Cyber Insurance Hub access control.
To provision the Cyber Insurance Hub service account, follow these steps:
Console
Go to Cyber Insurance Hub setup page.
If no organization is selected, follow these steps:
- Click Select an organization.
- Select your organization in the drop-down menu.
Go to the Provision Service Account step. If this step has already been completed, it's automatically skipped. You can still view it by clicking Provision Service Account.
Click Grant Roles.
Verify that the Grant Roles button is updated to show Roles Granted.
Enroll in Cyber Insurance Hub
Enrolling in Cyber Insurance Hub enables any backend services needed for Cyber Insurance Hub to work.
For enrollment to succeed, the organization must have Security Command Center enabled, with the Security Health Analytics service enabled within Security Command Center. The Security Command Center and Security Health Analytics enablement process is detailed in the Cyber Insurance Hub onboarding page.
To enroll in Cyber Insurance Hub, follow these steps:
Console
Go to Cyber Insurance Hub setup page:
If no organization is selected:
- Click Select an organization.
- Select your organization in the drop-down menu.
Go to the Enroll in Cyber Insurance Hub step. If you are unable to go to this step, you must complete the Onboarding and Configuration steps first.
If this step has already been completed, it's automatically skipped. You can still view it by clicking Enroll in Cyber Insurance Hub.
Click Enroll.
Verify that the Enroll button is updated to show Enrolled.
Assign IAM roles
Before a user can create, review, share, or send a report, that user must have
the appropriate IAM permissions. You can grant one or more
predefined roles or create and grant custom roles. For example, a principal with
the Cyber Insurance Hub Report Reviewer role (roles/riskmanager.reportReviewer)
can access (but not modify) the reports, and approve reports to be sent;
however, they can't create reports.
For more information, including a list of predefined roles for Cyber Insurance Hub, see Access control with IAM.
To add a role, follow these steps:
Console
Go to the IAM page in the Google Cloud console.
Click the project selector drop-down list at the top of the page.
In the Select from dialog that appears, select the organization for which you want to enable Cyber Insurance Hub.
On the IAM page, next to your username, click Edit principal.
On the Edit permissions pane that appears, add the necessary roles.
Click Add another role. Select a role to add, such as Cyber Insurance Hub Report Reviewer.
To add more roles, repeat the previous step. Click Save.
gcloud
Run the following command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \ --member=user:USERNAME --role=roles/ROLEReplace the following:
ORGANIZATION_ID: the numeric ID of your organization.USERNAME: the principal that you want to grant this role to. This must be a member of your organization; for example,test-user@example.com.ROLE: the name of the Cyber Insurance Hub role that you want to grant; for example,riskmanager.admin.
What's next?
- Learn how to create a report.
- Learn how to remediate findings.
- Learn how to automatically generate reports.