Activate the Security Command Center Standard tier or Premium tier for an organization

This page shows you how to activate the Security Command Center Standard tier or Premium tier for an organization. If Security Command Center is already set up for your organization, see the guide for using Security Command Center.

Security Command Center provides three service tiers: Standard, Premium, and Enterprise. The tier that you select determines the features that are available to you and the cost of using Security Command Center. To activate the Enterprise tier, see Activate the Security Command Center Enterprise tier.

To activate the Security Command Center Premium tier at the organization level, you select a self-service, pay-as-you-go pricing option in the Google Cloud console.

You can enable data residency controls when you are activating Security Command Center for the first time. After activation, you cannot enable or disable data residency controls. For more information, see Data residency support.

For detailed information about the built-in Security Command Center services that are available with the each tier, see Security Command Center tiers.

For information about costs associated with using Security Command Center, see the pricing page.

To activate Security Command Center for a project only, see Activate Security Command Center for a project.

Prerequisites

Before you activate Security Command Center, you need an organization, the proper Identity and Access Management (IAM) permissions, and the proper organization policies.

Create an organization

Security Command Center requires an organization resource that is associated with a domain. If you haven't created an organization, see Creating and managing organizations.

Set up permissions

To set up Security Command Center, you need the following IAM roles:

  • Organization Admin roles/resourcemanager.organizationAdmin
  • Security Center Admin roles/securitycenter.admin
  • Security Admin roles/iam.securityAdmin
  • Create Service Accounts roles/iam.serviceAccountCreator

Learn more about Security Command Center roles.

Verify organization policies

If your organization policies are set to restrict identities by domain:

  • You must be signed in to the Google Cloud console on an account that's in an allowed domain.
  • Your service accounts must be in an allowed domain, or members of a group within your domain. This requirement lets you allow services that use the @*.gserviceaccount.com service account to access resources when domain restricted sharing is enabled.

If your organization policies are set to restrict resource usage, verify that securitycenter.googleapis.com is permitted.

Activation scenarios for an organization

This page covers the following activation scenarios:

  • In an organization that has never activated Security Command Center, activate the Premium tier or Standard tier of Security Command Center for an organization.
  • In an organization that uses the Standard tier, activate the Security Command Center Premium tier for the organization.
  • In an organization that uses an expiring Premium tier subscription, change to the pay-as-you-go pricing option.

Activate Security Command Center for an organization for the first time

To activate Security Command Center for an organization for the first time, you follow a guided activation process in the Google Cloud console to choose a service tier, enable data residency controls, and enable the detection services that you need. Then, you select the resources or assets to monitor and grant permissions to the required service accounts.

Complete the following steps to activate the Security Command Center Premium tier at the organization level.

  1. In the Google Cloud console, go to Security Command Center.

    Go to Security Command Center

  2. On the Organization list, select the organization that you want to enable Security Command Center for, and then click Select.

    The Get Security Command Center window opens.

  3. In Select tier, select a tier.

  4. Click Next. The Select services page opens.

  5. Optional: Enable Security Command Center data residency controls by selecting the following options:

    1. Under Data residency, select Enable data residency.

      When data residency is enabled, if a Security Command Center service detects a security issue in a resource that is located in a Security Command Center supported data location, Security Command Center automatically stores the resulting finding record in the same Security Command Center location where the is located affected resource.

    2. In the Select a default location field, select the default Security Command Center location in which to store findings for resources that are either not in a location that Security Command Center supports or that don't specify a location in their metadata.

  6. In the Services section, enable the built-in Security Command Center services that you need. Each enabled service scans all supported resources and reports findings for your entire organization. To disable any of the services, click the list next to the service name and select Disable.

    If the Standard tier is enabled, you can configure the enablement of Premium services before you activate the Premium tier. The configuration doesn't apply until you activate the Premium tier for the organization at a later time.

    The following are notes for specific services:

    • For Container Threat Detection to function properly, make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE) and that your GKE clusters are properly configured. For more information, see Using Container Threat Detection.

    • Event Threat Detection relies on logs generated by Google Cloud. To use Event Threat Detection, enable logs for your organization, folders, and projects.

    • Anomaly Detection findings are automatically available in Security Command Center. Anomaly Detection can be disabled after onboarding by following the steps in Configure Security Command Center services.

    • Though not listed, the security posture service is enabled automatically when you select the Premium tier.

  7. In Grant roles, grant the required IAM roles to the service agents for Security Command Center.

    By granting the roles to the service agents, you are providing the permissions that Security Command Center and its detection services need to perform their functions.

    The service account names are in the following formats:

    • service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com.

      You grant the securitycenter.serviceAgent IAM role to this service account.

    • service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com.

      You grant the roles/containerthreatdetection.serviceAgent IAM role to this service account.

    In place of ORGANIZATION_ID, the service account contains the numerical identifier of your organization.

    To add the roles, click Grant Roles.

    Alternatively, you can grant the roles manually, by completing the following steps:

    1. Expand the grant roles manually section and copy the gcloud CLI command.
    2. On the Google Cloud console toolbar, click Activate Cloud Shell.
    3. In the terminal window that appears, paste the gcloud CLI commands you copied, and then press Enter.

    To learn about the permissions associated with these roles, see access control. Complete one of the following items:

  8. In Complete setup, review the information and click Finish.

    When you finish setup, Security Command Center starts an initial asset scan, after which you can use the Google Cloud console to review and remediate Google Cloud security and data risks across your project.

    There may be a delay before scans are started for some products. Read Security Command Center latency overview to learn more about the activation process.

  9. Check the documentation for each service to see if you can test or optimize the service further.

    For example, Event Threat Detection relies on logs generated by Google Cloud. Some logs are always on, so Event Threat Detection can start scanning them as soon as it is enabled. Other logs, such as most data access audit logs, must be activated before Event Threat Detection can scan them. For more information, see Log types and activation requirements.

    For more information about testing and using each of the built-in services, see the following pages:

Upgrade from the Standard tier to the Premium tier

Complete the following steps to upgrade from the Security Command Center Standard tier to the Security Command Center Premium tier. If you want to use a subscription, contact Google Cloud sales first.

Complete this task when your organization requires the additional threat detection and security posture capabilities that the Security Command Center Premium tier offers.

  1. In the Google Cloud console, go to Security Command Center.

    Go to Security Command Center

  2. On the Organization list, select the organization that you are upgrading to the Security Command Center Premium tier, and then click Select.

  3. On the Security Command Center page, click Get Premium.

  4. In Change tier, verify that Premium is selected. Click Next.

  5. In Review services, enable the services that you need.

  6. Click Update your tier.

Change from a subscription option of the Premium tier to the pay-as-you-go option

If you previously activated the Security Command Center Premium tier using a subscription, then you can enroll Security Command Center in pay-as-you-go pricing before your subscription expires. This enrollment ensures that your organization doesn't lose the security functionality that the Security Command Center Premium tier offers. This pricing change becomes effective after your subscription expires.

  1. In the Google Cloud console, go to Security Command Center.

    Go to Security Command Center

  2. On the Organization list, select the organization that you want to change the pricing option for, and then click Select.

  3. On the Security Command Center Overview page, click Settings. The Settings page opens and displays the Services tab.

  4. On the Settings page, click Tier detail. The Tier page opens.

  5. Click Manage tier.

  6. In the Change tier page, verify that Premium is selected and click Next.

  7. In the Review services page, review the services that you enabled and click Update your tier.

Downgrade from the pay-as-you-go option of Premium tier to the Standard tier

Complete the following steps to change from the pay-as-you-go payment option for the Security Command Center Premium tier to the Security Command Center Standard tier. By default, if you have a subscription, you are automatically downgraded to the Standard tier when the subscription expires.

When you downgrade to the Security Command Center Standard tier, you lose access to Premium tier services and functionality. Verify that your organization's security risk profile isn't negatively affected before you make this change.

Even though the Security Command Center Standard tier is free, you might still experience indirect charges. For more information, see Possible indirect charges associated with Security Command Center.

If you upgrade back to the Premium tier at the organization level after completing this task, your configuration settings for the Premium tier services are restored.

  1. In the Google Cloud console, go to Security Command Center.

    Go to Security Command Center

  2. On the Organization list, select the organization that you want to downgrade the Security Command Center tier for, and then click Select.

  3. On the Security Command Center Overview page, click Settings. The Settings page opens and displays the Services tab.

  4. On the Settings page, click Tier detail. The Tier page opens.

  5. Click Manage tier.

  6. In the Change tier page, verify that Standard is selected and click Next.

  7. In the Review services page, review the services that you enabled and click Update your tier.

Change from project-level to organization-level activation of the Premium tier

To change from a project-level activation to an organization-level activation, you can follow the activation process that is described in Activate Security Command Center for an organization for the first time.

The following pricing changes apply:

  • The use of the Security Command Center Premium tier is covered by the organization-level activation.
  • The pricing terms for the organization-level activation of Security Command Center become the effective pricing terms. Charges are reported against the projects where the usage occurs.

If you change to an organization-level activation, don't delete the Security Command Center service account that was created when you activated Security Command Center at the project-level. Certain Security Health Analytics detectors might not work correctly if you do delete the service account.

Monitor your costs with the Premium tier

To monitor the costs associated with the Security Command Center Premium tier, you can use Cloud Billing. You can export billing data to BigQuery for detailed analysis, or create a budget with spending alerts. For more information, see Monitor costs.

What's next