Data residency gives you more control over where Security Command Center stores your findings and other data. When you enable data residency, Security Command Center does the following:
- If possible, Security Command Center stores findings in the Google Cloud multi-region where your resources are located.
- Otherwise, findings are stored in a default location that you choose.
- Security Command Center stores some types of configuration resources in a location that you choose.
- In all other cases, Security Command Center stores your data globally.
This page provides essential information about using data residency. The following definitions apply to this page:
- A location is a Google Cloud region or multi-region that corresponds to the location in which your data is stored.
- The term "your data" has the same meaning as the term "Customer Data" in the Data Location item in the Google Cloud General Service Terms.
Requirements for data residency
You can enable data residency only when you activate the Standard or Premium tier of Security Command Center in an organization for the first time. The Enterprise tier doesn't support data residency.
After data residency is enabled, you can't disable it or change your default location.
Data residency requires you to use the Security Command Center v2 API. If data residency is enabled, then you can't use earlier versions of the Security Command Center API.
When data residency is enabled, the following features, functions, and integrations with other products are not supported:
- AI summaries
- Web Security Scanner
- Terraform
If you don't enable data residency when you activate Security Command Center, then the location of your Security Command Center resources is set to Global (global), and Security Command Center does not restrict the storage of your data to any particular location.
Supported data locations
Security Command Center supports only the following Google Cloud multi-regions as data locations:
- European Union (eu) - Data is stored in any Google Cloud region within member states of the European Union.
- United States (us) - Data is stored in any Google Cloud region in the United States.
- Global (global) - Data can be stored or processed in any Google Cloud region. If data residency is not enabled, then Global (global) is the only supported location.
For more information about Security Command Center locations, see Products available by location.
If you need to specify a default location for data residency that Security Command Center doesn't support, then contact your account representative or a Google Cloud sales specialist.
Default data location
When you enable Security Command Center data residency, you specify a default Security Command Center location. You can select any supported data location as your default location.
Security Command Center uses the default location only to store findings that apply to the following types of resources:
- Resources that are not located in a supported data location for Security Command Center
- Resources that don't specify a location in their metadata
If you deploy Google Cloud resources in multiple locations or multi-regions, then you might choose the Global (global) location as your default.
If you deploy resources only in a single location, then you might choose the multi-region that includes that location as your default.
Security Command Center resources and data residency
The following list explains how Security Command Center applies data residency controls to Security Command Center resources. If a resource isn't listed here, then it's stored globally.
- Assets
Asset metadata is not subject to data residency control and is stored globally in Cloud Asset Inventory.
For this reason, the Security Command Center Assets page in the Google Cloud console always displays all of the resources in your organization, folder, or project, regardless of their location or the location that you select in the Google Cloud console. However, when data residency is enabled, and you view an asset's details, the Assets page does not show information about findings that affect the asset.
- Attack exposure scores and attack paths
Attack exposure scores and attack paths are not subject to data residency controls and are stored globally.
- BigQuery exports
BigQuery export configurations are subject to data residency controls. When you create them, you specify the location where they're stored. These configurations apply only to findings that reside in the same location.
The Security Command Center API represents BigQuery export configurations as BigQueryExport resources.
- Continuous exports
Continuous export configurations are subject to data residency controls. When you create them, you specify the location where they're stored. These configurations apply only to findings that reside in the same location.
The Security Command Center API represents continuous export configurations as NotificationConfig resources.
- Findings
Findings are subject to data residency controls. When a finding is created, it's stored in the Security Command Center location where the affected resource is located.
If an affected resource is located outside of a supported location or has no location identifier, then findings for the resource are stored in your default location.
- Mute rules
Mute rule configurations are subject to data residency controls. When you create them, you specify the location where they're stored. These configurations apply only to findings that reside in the same location.
The Security Command Center API represents mute rule configurations as MuteConfig resources.
- Other Security Command Center resources and settings
Security Command Center resources and settings that aren't listed here, such as those that define which services are enabled or which tier is active, are not subject to data residency controls and are stored globally.
Create or view data in a location
When data residency is enabled, you must specify a location when you create or view any data that's subject to data residency controls. Security Command Center automatically chooses a location for findings that it creates.
You can create or view data in only one location at a time. For example, if you list findings in the Global (global) location, then you won't see findings in the European Union (eu) location.
To create or view data that resides in a Security Command Center location, do the following:
Console
In the Google Cloud console, go to Security Command Center.
To change the data location, click the location selector in the action bar.
A list of locations appears. Select the new location.
gcloud
Use the --location=LOCATION flag when you run the Google Cloud CLI, as shown in the following example.
The gcloud scc findings list command lists an organization's findings in a specific location.
Before using any of the command data below, make the following replacements:
- ORGANIZATION_ID: the numeric ID of the organization
- LOCATION: the location where the data is stored; for example, eu or global
Execute the gcloud scc findings list command. The same command applies on Linux, macOS, Cloud Shell, Windows (PowerShell), and Windows (cmd.exe):
gcloud scc findings list ORGANIZATION_ID --location=LOCATION
The response contains a list of findings.
REST
Use an API endpoint that includes locations/LOCATION in the path, as shown in the following example.
The Security Command Center API's organizations.sources.locations.findings.list method lists an organization's findings in a specific location.
Before using any of the request data, make the following replacements:
- ORGANIZATION_ID: the numeric ID of the organization
- LOCATION: the location where the data is stored; for example, eu or global
HTTP method and URL:
GET https://securitycenter.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/LOCATION/findings
The response contains a list of findings.
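Because each request returns only the findings stored in one location, an organization-wide view requires querying every location and merging the results. The following Python script does that against the v2 REST path shown above. It is an example added to this page, not code from the Google Cloud documentation or the Security Command Center client libraries. It assumes the v2 ListFindingsResponse shape (listFindingsResults entries that each wrap a finding, plus nextPageToken for pagination), reads an OAuth 2.0 access token from a hypothetical SCC_ACCESS_TOKEN environment variable for live calls, and injects the HTTP layer as a callable so the logic can run offline against constructed sample responses.

```python
"""Enumerate Security Command Center v2 findings across every data-residency
location.

Added example, not from the Google Cloud documentation or SCC client library.
Assumptions not stated on the page: the HTTP layer is injected as a callable;
the live fetcher reads a bearer token from SCC_ACCESS_TOKEN (hypothetical
variable name); responses follow the v2 ListFindingsResponse shape.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

API_ROOT = "https://securitycenter.googleapis.com/v2"

# Multi-regions the page lists as supported data locations.
SUPPORTED_LOCATIONS = ("eu", "us", "global")

Fetch = Callable[[str], Dict]  # takes a URL, returns the decoded JSON body


def findings_list_url(org_id: str, location: str, page_token: Optional[str] = None,
                      page_size: int = 1000, filter_expr: Optional[str] = None) -> str:
    """Build the organizations.sources.locations.findings.list URL for one location.

    The location is validated against the supported set so a typo such as
    "europe" fails fast instead of surfacing as an empty-looking location.
    """
    if location not in SUPPORTED_LOCATIONS:
        raise ValueError(f"unsupported SCC data location: {location!r}")
    path = f"{API_ROOT}/organizations/{org_id}/sources/-/locations/{location}/findings"
    params = {"pageSize": str(page_size)}
    if page_token:
        params["pageToken"] = page_token
    if filter_expr:
        params["filter"] = filter_expr
    return path + "?" + urllib.parse.urlencode(params)


def list_findings(org_id: str, location: str, fetch: Fetch,
                  filter_expr: Optional[str] = None) -> List[Dict]:
    """Return every finding stored in one location, following nextPageToken."""
    findings: List[Dict] = []
    page_token = None
    while True:
        body = fetch(findings_list_url(org_id, location, page_token, filter_expr=filter_expr))
        for result in body.get("listFindingsResults", []):
            findings.append(result["finding"])
        page_token = body.get("nextPageToken")
        if not page_token:
            return findings


def list_findings_all_locations(org_id: str, fetch: Fetch,
                                locations: Iterable[str] = SUPPORTED_LOCATIONS,
                                filter_expr: Optional[str] = None) -> Dict[str, List[Dict]]:
    """Query each location separately and return findings keyed by location."""
    return {loc: list_findings(org_id, loc, fetch, filter_expr) for loc in locations}


def http_fetch(url: str) -> Dict:
    """Live fetcher: authenticated GET using a bearer token from the environment.

    Assumption: SCC_ACCESS_TOKEN holds an OAuth 2.0 access token, for example
    the output of `gcloud auth print-access-token`.
    """
    token = os.environ["SCC_ACCESS_TOKEN"]
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


# Constructed sample responses, keyed by (location, pageToken), standing in
# for the API so the example runs offline. The eu location spans two pages.
SAMPLE_RESPONSES = {
    ("eu", None): {
        "listFindingsResults": [{"finding": {"name": "organizations/123/sources/9/locations/eu/findings/a1",
                                             "category": "OPEN_FIREWALL"}}],
        "nextPageToken": "page2",
    },
    ("eu", "page2"): {
        "listFindingsResults": [{"finding": {"name": "organizations/123/sources/9/locations/eu/findings/a2",
                                             "category": "PUBLIC_BUCKET_ACL"}}],
    },
    ("us", None): {"listFindingsResults": []},
    ("global", None): {
        "listFindingsResults": [{"finding": {"name": "organizations/123/sources/9/locations/global/findings/g1",
                                             "category": "MFA_NOT_ENFORCED"}}],
    },
}


def fake_fetch(url: str) -> Dict:
    """Offline stand-in for http_fetch that answers from SAMPLE_RESPONSES."""
    parsed = urllib.parse.urlparse(url)
    location = parsed.path.split("/locations/")[1].split("/")[0]
    token = urllib.parse.parse_qs(parsed.query).get("pageToken", [None])[0]
    return SAMPLE_RESPONSES[(location, token)]


if __name__ == "__main__":
    for loc, found in list_findings_all_locations("123", fake_fetch).items():
        print(f"{loc}: {len(found)} finding(s)")
```

Pass http_fetch instead of fake_fetch to run against a real organization; the per-location split in the returned dictionary also makes it easy to confirm that nothing unexpected landed in the global location when you expected findings to stay in eu.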
What's next
- Learn how to activate Security Command Center with data residency enabled.
- Enable Security Command Center to stream findings to BigQuery.
- Set up continuous exports from Security Command Center to Pub/Sub.
- Create a mute rule for findings.