This document describes how to configure your Google Cloud organization to use Cyber Insurance Hub for the first time. These steps are prerequisites for most tasks in Cyber Insurance Hub.
Required setup permissions
To get the permissions that you need to configure Cyber Insurance Hub, ask your administrator to grant you the following IAM roles on your organization:
- Risk Manager Admin (roles/riskmanager.admin)
- Organization Administrator (roles/resourcemanager.organizationAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to configure Cyber Insurance Hub. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to configure Cyber Insurance Hub:
- riskmanager.serviceAccount.create
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
You might also be able to get these permissions with custom roles or other predefined roles.
Grant the Risk Manager Service Agent access to your organization
When you begin to set up Cyber Insurance Hub in the Google Cloud console, a service agent is created. Upon creation, this service agent has no permissions and cannot perform any actions.
The Risk Manager Service Agent must be granted the Risk Manager Service Agent role (roles/riskmanager.serviceAgent) in order to read security findings and build reports.
To grant the role to the service agent, follow these steps:
Go to the Cyber Insurance Hub setup page:
Select your organization.
Click Grant Roles.
Verify that Grant Roles is updated to Roles Granted.
Enroll in Cyber Insurance Hub
Enrolling in Cyber Insurance Hub enables any backend services needed for Cyber Insurance Hub to work.
For enrollment to succeed, the organization must have Security Command Center enabled, with the Security Health Analytics service enabled within Security Command Center. The Security Command Center and Security Health Analytics enablement process is detailed in the Cyber Insurance Hub onboarding page.
To enroll in Cyber Insurance Hub, follow these steps:
Go to the Cyber Insurance Hub setup page:
Select your organization.
Click Enroll.
Verify that Enroll is updated to Enrolled.
After you enroll, Cyber Insurance Hub enables regular scans of your organization's Google Cloud resources to generate the data contained in Cyber Insurance Hub reports. Initial scans can take up to 24 hours to complete.
Grant access to Cyber Insurance Hub
Before a user can create, review, share, or send a report, that user must have the appropriate IAM permissions. You can grant one or more predefined roles or create and grant custom roles. For more information, including a list of predefined roles for Cyber Insurance Hub, see Access control with IAM.
To grant a role, follow these steps:
Console
In the Google Cloud console, go to the IAM page.
Select the organization that you enrolled in Cyber Insurance Hub.
On the IAM page, find the username of the user to whom you want to grant a role and then click Edit principal.
On the Edit permissions pane that appears, add the necessary roles.
Click Add another role. Select a role to add, such as Risk Manager Report Reviewer.
To add more roles, repeat the previous step.
Click Save.
gcloud
Run the following command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member=user:USERNAME --role=roles/ROLE
Replace the following:
- ORGANIZATION_ID: the numeric ID of your organization for which you enrolled Cyber Insurance Hub.
- USERNAME: the principal that you want to grant this role to. This must be a member of your organization; for example, test-user@example.com.
- ROLE: the name of the Cyber Insurance Hub role that you want to grant; for example, riskmanager.reportReviewer.
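To review the result of the grants described above, the following added example (not part of the original page or of Google's tooling) audits an organization IAM policy exported as JSON, for instance with gcloud organizations get-iam-policy ORGANIZATION_ID --format=json. The function name audit_policy, the sample policy, and admin@example.com are constructed for illustration; the role names are the ones this page mentions.

```python
import json

SERVICE_AGENT_ROLE = "roles/riskmanager.serviceAgent"
# Roles the page lists as needed by the person performing the setup.
SETUP_ROLES = {"roles/riskmanager.admin", "roles/resourcemanager.organizationAdmin"}

def audit_policy(policy):
    """Summarize Cyber Insurance Hub bindings in an organization IAM policy dict."""
    riskmanager_roles, setup_holders, issues = {}, {}, []
    agent_members = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if role.startswith("roles/riskmanager."):
                riskmanager_roles.setdefault(member, set()).add(role)
            if role in SETUP_ROLES:
                setup_holders.setdefault(member, set()).add(role)
            if role == SERVICE_AGENT_ROLE:
                agent_members.add(member)
    if not agent_members:
        issues.append(f"{SERVICE_AGENT_ROLE} is not granted to any principal")
    for member in sorted(agent_members):
        # The service agent role is meant for the service agent, not for people.
        if not member.startswith("serviceAccount:"):
            issues.append(f"{SERVICE_AGENT_ROLE} is bound to non-service-account principal {member}")
    return {
        "riskmanager_roles": {m: sorted(r) for m, r in riskmanager_roles.items()},
        "setup_role_holders": {m: sorted(r) for m, r in setup_holders.items()},
        "issues": issues,
    }

# Constructed sample policy (not real data); admin@example.com is made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:admin@example.com"]},
  {"role": "roles/riskmanager.admin", "members": ["user:admin@example.com"]},
  {"role": "roles/riskmanager.reportReviewer", "members": ["user:test-user@example.com"]},
  {"role": "roles/riskmanager.serviceAgent", "members": ["user:test-user@example.com"]}
]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

The setup_role_holders entry lists who still holds the setup roles, which is useful when reviewing whether those grants are still needed after configuration is complete.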
What's next?
- Learn how to create a report.
- Learn how to remediate findings.
- Learn how to automatically generate reports.