This document describes how to activate Security Command Center Premium for an organization through the Google Cloud console. Activating Security Command Center Premium automatically enables a variety of services.
For more information about Security Command Center Premium, see Security Command Center service tiers.
To activate Security Command Center for a different service tier, see the following:
- Activate the Security Command Center Standard tier for an organization
- Activate the Security Command Center Enterprise tier
To activate Security Command Center for a project only, see Activate Security Command Center for a project.
Before you begin
Before you activate Security Command Center Premium for an organization, you need to do the following:
- Obtain specific Identity and Access Management (IAM) roles and permissions.
- Review your organization policies, if applicable to your organization.
- If you plan to enable data residency, review Planning for data residency and determine which location to use.
- If you plan to use a customer-managed encryption key (CMEK), complete the required tasks for enabling CMEK for Security Command Center.
Required roles
To get the permissions that you need to activate Security Command Center for an organization, ask your administrator to grant you the following IAM roles on your organization:
- Security Center Admin (roles/securitycenter.admin)
- Organization Administrator (roles/resourcemanager.organizationAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Review organization policies
If your organization policies are set to restrict identities by domain, confirm the following:
- You must be signed in to the Google Cloud console on an account that's in an allowed domain.
- Your service accounts must be in an allowed domain, or members of a group within your domain. This requirement lets you allow services that use the @*.gserviceaccount.com service account to access resources when domain restricted sharing is enabled.
If your organization policies are set to restrict resource usage, verify that the following APIs are allowed by your policy:
- cloudsecuritycompliance.googleapis.com
- securitycenter.googleapis.com
- securitycentermanagement.googleapis.com
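The following POSIX shell script is an added pre-activation check for the two prerequisites above (the required roles and the APIs a restrict-resource-usage policy must allow); it is not code from this Google Cloud page. It works offline on lists you feed it; the gcloud commands in the comments, ORG_ID, and the sample lists are assumptions and placeholders.

```shell
#!/bin/sh
# Added pre-activation check, not code from the Google Cloud page: confirms the
# caller holds both required IAM roles and that a restrict-resource-usage policy
# allows the three required APIs. Each check reads a "have" list on stdin, one
# item per line, and prints what is missing. Real input (ORG_ID is a placeholder):
#   gcloud organizations get-iam-policy ORG_ID --format=json   (your bindings)
#   gcloud resource-manager org-policies describe gcp.restrictServiceUsage \
#       --organization=ORG_ID --effective   (listPolicy.allowedValues; skip the
#       API check if no policy is set or allValues is ALLOW)

REQUIRED_ROLES="roles/securitycenter.admin
roles/resourcemanager.organizationAdmin"

REQUIRED_APIS="cloudsecuritycompliance.googleapis.com
securitycenter.googleapis.com
securitycentermanagement.googleapis.com"

# missing_from REQUIRED  < have-list : prints each required item absent from
# stdin; returns 0 only when nothing is missing. grep -x matches whole lines,
# so securitycenter.googleapis.com is not satisfied by the ...management API.
missing_from() {
    have=$(cat)
    missing=""
    for item in $1; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$item"; then
            missing="${missing}${item}
"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

missing_roles() { missing_from "$REQUIRED_ROLES"; }
missing_apis()  { missing_from "$REQUIRED_APIS"; }

# Constructed sample input: the caller is only an Organization Administrator,
# and the policy allows just one of the three APIs.
SAMPLE_ROLES="roles/resourcemanager.organizationAdmin
roles/viewer"
SAMPLE_ALLOWED="compute.googleapis.com
securitycenter.googleapis.com
logging.googleapis.com"

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ROLES" | missing_roles || echo "-> grant the roles above"
    printf '%s\n' "$SAMPLE_ALLOWED" | missing_apis || echo "-> allow the APIs above"
fi
```

Run it with `--demo` to see the sample output, or pipe the role list from your organization's IAM policy and the policy's allowed values into `missing_roles` and `missing_apis` respectively.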
Activate Security Command Center Premium
You can activate Security Command Center Premium for an organization through the Google Cloud console.
1. In the Google Cloud console, go to the Security Command Center welcome page.
2. Select the organization that you want to enable Security Command Center Premium for, and then click Select.
3. On the welcome page, select Start a Premium free trial.
4. Optional: To enable data residency and data encryption, click Show more.
   For more information about data residency, see Planning for data residency.
   For more information about data encryption, see Enable CMEK for Security Command Center. If your organization uses CMEK organization policies, you might only have the option to choose CMEK or specific keys. If you don't use CMEK with Security Command Center, then Google encrypts data at rest using Google-owned and Google-managed encryption keys.
5. Click Activate.
As results become available, they are displayed in the console. Then you can use the Google Cloud console to review and remediate Google Cloud security and data risks.
Security Command Center completes its first full scan within 24 hours. There might be a delay before scans are started for some services. For more information, see When to expect findings in Security Command Center.
Services for Security Command Center Premium
After you activate Security Command Center Premium, specific services are automatically enabled, and service agents are created so that these services can act on your behalf.
Services
Security Command Center uses detection services to detect security issues in your cloud environments. The following services are enabled when you activate Security Command Center Premium:
- For Container Threat Detection to function, make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE) and that your GKE clusters are configured correctly. For more information, see Use Container Threat Detection.
- Event Threat Detection relies on logs generated by Google Cloud. To use Event Threat Detection, enable logs for your organization, folders, and projects.
Refer to each service's documentation for usage and optimization instructions. As an example, Event Threat Detection relies on logs generated by Google Cloud. Some logs are always on, so Event Threat Detection can start scanning these logs as soon as it is enabled. Other logs, such as most data access audit logs, must be activated before Event Threat Detection can scan them.
The services outlined in this section, and additional services, can be enabled or disabled by following the steps in Configure Security Command Center services.
Service agents
A service agent is a service account created and managed by Google Cloud to access resources on your behalf. After a service agent is created, Security Command Center automatically grants required IAM roles to the service agent. Security Command Center Premium activation includes the following service agents:
- Cloud Security Command Center Service Agent for Security Health Analytics and Vulnerability Assessment
- Cloud Security Compliance Service Agent for Compliance Manager
- Container Threat Detection Service Agent for Container Threat Detection
- Data Security Posture Management Service Agent for DSPM
Modify your Security Command Center service
This section describes the following scenarios:
- Changing from a project-level to an organization-level activation of Premium tier
- Changing to pay-as-you-go pricing as an organization using an expiring Premium tier subscription
- Upgrading from Standard tier to Premium tier
- Downgrading from Premium tier to Standard tier
Any of these changes might affect pricing. For more details, see Security Command Center pricing.
Change to organization-level activation of the Premium tier
To change from a project-level activation to an organization-level activation, follow the instructions in Activate Security Command Center Premium at the organization level.
Change to the Premium tier pay-as-you-go option
If your organization uses a Security Command Center Premium tier subscription, you can enroll in pay-as-you-go pricing before your subscription expires to provide uninterrupted access to Security Command Center Premium.
To enroll in pay-as-you-go pricing, complete the following steps:
1. In the Google Cloud console, go to the Tier Detail page.
2. Select the organization that you want to change the pricing option for, and then click Select.
3. Click Manage tier.
4. In the Manage tier pane, verify that Premium is selected and click Update.
Once you have completed these steps and your subscription expires, the pay-as-you-go pricing takes effect.
Upgrade from the Standard tier to the Premium tier
Complete the following steps to change from the Security Command Center Standard tier to the Security Command Center Premium tier.
1. In the Google Cloud console, go to the Tier Detail page.
2. Select the organization that you want to upgrade the Security Command Center tier for, and then click Select.
3. Click Upgrade to premium.
4. In the Manage tier pane, click Update.
Downgrade from the Premium tier to the Standard tier
Complete the following steps to change from the pay-as-you-go payment option for the Security Command Center Premium tier to the Security Command Center Standard tier. By default, if you have a subscription, you are automatically downgraded to the Standard tier when the subscription expires.
When you downgrade to the Security Command Center Standard tier, you lose access to Premium tier services and features. Verify that your organization's security risk profile isn't negatively affected before you make this change.
Even though the Security Command Center Standard tier is free, you might still experience indirect charges. For more information, see Possible indirect charges associated with Security Command Center.
1. In the Google Cloud console, go to the Tier Detail page.
2. Select the organization that you want to downgrade the Security Command Center tier for, and then click Select.
3. Click Manage tier.
4. In the Manage tier pane, click Select for the Standard tier and click Update.
Deactivate Security Command Center
To deactivate Security Command Center, contact Cloud Customer Care.
What's next
- Learn how to configure Security Command Center services.
- Learn how to use Security Command Center in the Google Cloud console.
- Learn how to work with Security Command Center findings.
- Learn about Google Cloud security sources.
- Find out how Model Armor can help protect your AI workloads.
- Enable Sensitive Data Protection to help protect your sensitive data.
- Learn how to monitor your costs using Cloud Billing.