本页面介绍如何使用 Identity and Access Management (IAM) 控制 Security Command Center 项目级层激活中资源的访问权限。仅在您的组织未激活 Security Command Center 时,才应参阅本页面。
如果满足以下任一条件,请参阅 IAM 用于组织级层激活,而不是本页面:
- Security Command Center 在组织级层而不是项目级层激活。
- Security Command Center 标准级层已在组织级层激活。此外,您已在一个或多个项目中激活 Security Command Center 高级级层。
您可以通过 Security Command Center 的 IAM 角色来控制谁可以对 Security Command Center 环境中的资产、发现结果和安全来源执行哪些操作。您可以向个人和应用授予角色,每个角色提供特定权限。
权限
如需设置 Security Command Center 或更改项目的配置,您需要同时具有以下两个角色:
- Project IAM Admin (
roles/resourcemanager.projectIamAdmin
) - Security Center Admin (
roles/securitycenter.admin
)
如果用户不需要修改权限,请考虑授予其查看者角色。如需在 Security Command Center 中查看所有资源和发现结果,用户需要 Security Center Admin Viewer (roles/securitycenter.adminViewer
) 角色。还需要查看设置的用户需要 Security Center Settings Viewer (roles/securitycenter.settingsViewer
) 角色。
虽然您可以在资源层次结构的任何级层设置这些角色,但我们建议您在项目级层设置这些角色。这种做法符合最小权限原则。
如需了解如何管理角色和权限,请参阅管理对项目、文件夹和组织的访问权限。
拥有对 Security Command Center 项目级层激活的继承访问权限
项目会继承在包含该项目的文件夹和组织级层设置的任何角色绑定。例如,如果主账号在组织级层具有 Security Center Findings Editor 角色 (roles/securitycenter.findingsEditor
),则该主账号在项目级层具有相同的角色。该主账号可以在该组织中 Security Command Center 处于活动状态的任何项目中查看和修改发现结果。
下图展示了在组织级层授予角色的 Security Command Center 资源层次结构。
如需查看有权访问您的项目的主账号列表,包括具有继承的权限的主账号,请参阅查看当前访问权限。
Security Command Center 中的 IAM 角色
下面列出了 Security Command Center 可用的 IAM 角色及其包含的权限。Security Command Center 支持在组织、文件夹或项目级层授予这些角色。
Role | Permissions |
---|---|
Security Center Admin( Admin(super user) access to security center Lowest-level resources where you can grant this role:
|
|
Security Center Admin Editor( Admin Read-write access to security center Lowest-level resources where you can grant this role:
|
|
Security Center Admin Viewer( Admin Read access to security center Lowest-level resources where you can grant this role:
|
|
Security Center Asset Security Marks Writer( Write access to asset security marks Lowest-level resources where you can grant this role:
|
|
Security Center Assets Discovery Runner( Run asset discovery access to assets Lowest-level resources where you can grant this role:
|
|
Security Center Assets Viewer( Read access to assets Lowest-level resources where you can grant this role:
|
|
Security Center Attack Paths Reader( Read access to security center attack paths |
|
Security Center BigQuery Exports Editor( Read-Write access to security center BigQuery Exports |
|
Security Center BigQuery Exports Viewer( Read access to security center BigQuery Exports |
|
Security Center Compliance Reports Viewer Beta( Read access to security center compliance reports |
|
Security Center Compliance Snapshots Viewer Beta( Read access to security center compliance snapshots |
|
Security Center External Systems Editor( Write access to security center external systems |
|
Security Center Finding Security Marks Writer( Write access to finding security marks Lowest-level resources where you can grant this role:
|
|
Security Center Findings Bulk Mute Editor( Ability to mute findings in bulk |
|
Security Center Findings Editor( Read-write access to findings Lowest-level resources where you can grant this role:
|
|
Security Center Findings Mute Setter( Set mute access to findings |
|
Security Center Findings State Setter( Set state access to findings Lowest-level resources where you can grant this role:
|
|
Security Center Findings Viewer( Read access to findings Lowest-level resources where you can grant this role:
|
|
Security Center Findings Workflow State Setter Beta( Set workflow state access to findings Lowest-level resources where you can grant this role:
|
|
Security Center Mute Configurations Editor( Read-Write access to security center mute configurations |
|
Security Center Mute Configurations Viewer( Read access to security center mute configurations |
|
Security Center Notification Configurations Editor( Write access to notification configurations Lowest-level resources where you can grant this role:
|
|
Security Center Notification Configurations Viewer( Read access to notification configurations Lowest-level resources where you can grant this role:
|
|
Security Center Resource Value Configurations Editor( Read-Write access to security center resource value configurations |
|
Security Center Resource Value Configurations Viewer( Read access to security center resource value configurations |
|
Security Health Analytics Custom Modules Tester( Test access to Security Health Analytics Custom Modules |
|
Security Center Settings Admin( Admin(super user) access to security center settings Lowest-level resources where you can grant this role:
|
|
Security Center Settings Editor( Read-Write access to security center settings Lowest-level resources where you can grant this role:
|
|
Security Center Settings Viewer( Read access to security center settings Lowest-level resources where you can grant this role:
|
|
Security Center Simulations Reader( Read access to security center simulations |
|
Security Center Sources Admin( Admin access to sources Lowest-level resources where you can grant this role:
|
|
Security Center Sources Editor( Read-write access to sources Lowest-level resources where you can grant this role:
|
|
Security Center Sources Viewer( Read access to sources Lowest-level resources where you can grant this role:
|
|
Security Center Valued Resources Reader( Read access to security center valued resources |
|
Security Center Management Admin( Full access to manage Cloud Security Command Center services and custom modules configuration. |
|
Security Center Management Custom Modules Editor( Full access to manage Cloud Security Command Center custom modules. |
|
Security Center Management Custom Modules Viewer( Readonly access to Cloud Security Command Center custom modules. |
|
Security Center Management Custom ETD Modules Editor( Full access to manage Cloud Security Command Center ETD custom modules. |
|
Security Center Management ETD Custom Modules Viewer( Readonly access to Cloud Security Command Center ETD custom modules. |
|
Security Center Management Services Editor( Full access to manage Cloud Security Command Center services configuration. |
|
Security Center Management Services Viewer( Readonly access to Cloud Security Command Center services configuration. |
|
Security Center Management Settings Editor( Full access to manage Cloud Security Command Center settings |
|
Security Center Management Settings Viewer( Readonly access to Cloud Security Command Center settings |
|
Security Center Management SHA Custom Modules Editor( Full access to manage Cloud Security Command Center SHA custom modules. |
|
Security Center Management SHA Custom Modules Viewer( Readonly access to Cloud Security Command Center SHA custom modules. |
|
Security Center Management Viewer( Readonly access to Cloud Security Command Center services and custom modules configuration. |
|
服务代理角色
服务代理可让服务访问您的资源。
您激活 Security Command Center 后,系统会为您创建两个服务代理(一种服务账号):
service-project-PROJECT_NUMBER@security-center-api.iam.gserviceaccount.com
。此服务代理需要
securitycenter.serviceAgent
IAM 角色。service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
。此服务代理需要
roles/containerthreatdetection.serviceAgent
IAM 角色。
为了使 Security Command Center 正常运行,必须向服务代理授予所需的 IAM 角色。在 Security Command Center 的激活过程中,系统会提示您授予这些角色。
如需查看每个角色的权限,请参阅以下内容:
如需授予这些角色,您必须具有 roles/resourcemanager.projectIamAdmin
角色。
如果您没有 roles/resourcemanager.organizationAdmin
角色,您的组织管理员可以使用以下 gcloud CLI 命令为您向服务代理授予这些角色:
gcloud organizations add-iam-policy-binding PROJECT_ID \ --member="SERVICE_ACCOUNT_NAME" \ --role="IAM_ROLE"
替换以下内容:
PROJECT_ID
:您的项目 IDSERVICE_AGENT_NAME
:以下任一服务代理名称:service-project-PROJECT_NUMBER@security-center-api.iam.gserviceaccount.com
service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
IAM_ROLE
:与指定的服务代理对应的以下必需角色:roles/securitycenter.serviceAgent
roles/containerthreatdetection.serviceAgent
如需查找项目 ID 和项目编号,请参阅识别项目。
如需详细了解 IAM 角色,请参阅 了解角色。
Web Security Scanner
IAM 角色介绍了如何使用 Web Security Scanner。下表列出了 Web Security Scanner 可用的每个 IAM 角色及其可用方法。在 项目 级层授予这些角色。为了让用户能够创建和管理安全扫描,您需要将用户添加到项目中并使用角色授予他们权限。
Web Security Scanner 支持基本角色和预定义角色,后者提供对 Web Security Scanner 资源的更精细的访问权限。
基本 IAM 角色
下文介绍了基本角色授予的 Web Security Scanner 权限。
角色 | 说明 |
---|---|
Owner | 拥有所有 Web Security Scanner 资源的完整访问权限 |
Editor | 拥有所有 Web Security Scanner 资源的完整访问权限 |
Viewer | 无法拥有对 Web Security Scanner 的访问权限 |
预定义 IAM 角色
下面介绍了 Web Security Scanner 角色授予的 Web Security Scanner 权限。
Role | Permissions |
---|---|
Web Security Scanner Editor( Full access to all Web Security Scanner resources Lowest-level resources where you can grant this role:
|
|
Web Security Scanner Runner( Read access to Scan and ScanRun, plus the ability to start scans Lowest-level resources where you can grant this role:
|
|
Web Security Scanner Viewer( Read access to all Web Security Scanner resources Lowest-level resources where you can grant this role:
|
|
如需详细了解 IAM 角色,请参阅 了解角色。