您可以使用 Security Command Center API,控制是否為組織啟用 Security Command Center 的資產探索功能。本指南說明如何取得機構的目前設定,以及如何使用 API 啟用資產探索功能。
除非您使用 Security Command Center API 中已淘汰的資產功能,或是 Google Cloud CLI 中與資產相關的 Security Command Center 指令,否則不需要進行資產探索。探索資產不會影響「資產」頁面顯示的資產。
您可以在機構、資料夾或專案層級授予 Security Command Center 的 IAM 角色。您能否查看、編輯、建立或更新發現項目、資產和安全性來源,取決於您獲准的存取層級。如要進一步瞭解 Security Command Center 角色,請參閱存取權控管。
事前準備
設定資產探索功能前,請先透過 Security Command Center API 進行驗證。
取得機構設定配置
Python
from google.cloud import securitycenter
client = securitycenter.SecurityCenterClient()

# TODO(developer): set organization_id to the organization's numeric ID,
# e.g. organization_id = "111112223333"
settings_name = client.organization_settings_path(organization_id)

# Read the OrganizationSettings resource as it currently stands.
current_settings = client.get_organization_settings(
    request={"name": settings_name}
)
print(current_settings)
Java
/**
 * Fetches the OrganizationSettings resource of the given organization and prints it.
 *
 * @param organizationName the organization whose settings are read
 * @return the settings returned by the service
 * @throws RuntimeException if the client cannot be created (wraps the IOException)
 */
static OrganizationSettings getOrganizationSettings(OrganizationName organizationName) {
  // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // The settings resource is addressed directly under the organization.
    String settingsName = organizationName + "/organizationSettings";
    GetOrganizationSettingsRequest request =
        GetOrganizationSettingsRequest.newBuilder().setName(settingsName).build();

    // Call the API and echo what came back.
    OrganizationSettings settings = client.getOrganizationSettings(request);
    System.out.println("Organization Settings:");
    System.out.println(settings);
    return settings;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}
Go
import (
"context"
"fmt"
"io"
securitycenter "cloud.google.com/go/securitycenter/apiv1"
"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)
// getOrgSettings gets and prints the current organization asset discovery
// settings to w. orgID is the numeric Organization ID.
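func getOrgSettings(w io.Writer, orgID string) error {
	// orgID := "12321311"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	// The settings resource name is derived from the numeric organization ID.
	req := &securitycenterpb.GetOrganizationSettingsRequest{
		Name: fmt.Sprintf("organizations/%s/organizationSettings", orgID),
	}
	settings, err := client.GetOrganizationSettings(ctx, req)
	if err != nil {
		return fmt.Errorf("GetOrganizationSettings: %w", err)
	}
	fmt.Fprintf(w, "Retrieved Settings for: %s\n", settings.Name)
	// Line-terminate the last line so the output matches the
	// enableAssetDiscovery sample and does not run into whatever follows.
	fmt.Fprintf(w, "Asset Discovery on? %v\n", settings.EnableAssetDiscovery)
	return nil
}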
Node.js
// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');
// Creates a new client. Authentication is expected to be configured
// beforehand (see the prerequisites section above); the client is shared
// by the sample function below.
const client = new SecurityCenterClient();
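/**
 * Reads and logs the organization's current settings.
 *
 * @returns {Promise<void>} resolves once the settings have been logged
 */
async function getOrgSettings() {
  // organizationId is the numeric ID of the organization.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const organizationId = "111122222444";
  // (The placeholder name must match `organizationId` used below; the
  // earlier sample spelled it "organizaionId", which would not resolve.)
  const orgName = client.organizationPath(organizationId);
  const [settings] = await client.getOrganizationSettings({
    name: `${orgName}/organizationSettings`,
  });
  console.log('Current settings: %j', settings);
}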
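// Attach a rejection handler so a failed request is reported rather than
// left as an unhandled promise rejection.
getOrgSettings().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});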
啟用資產探索
以下 API 呼叫會使用欄位遮罩,因此只會開啟或關閉資產探索設定。
Python
from google.cloud import securitycenter
from google.protobuf import field_mask_pb2
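# Create the client
client = securitycenter.SecurityCenterClient()

# TODO(developer): set organization_id to the organization's numeric ID,
# e.g. organization_id = "111112223333"
# Use the client's path helper, as the read sample does, rather than
# hand-formatting "organizations/{org_id}/organizationSettings".
org_settings_name = client.organization_settings_path(organization_id)

# Only update enable_asset_discovery; the field mask leaves every other
# setting on the resource untouched.
field_mask = field_mask_pb2.FieldMask(paths=["enable_asset_discovery"])

# Call the service.
updated = client.update_organization_settings(
    request={
        "organization_settings": {
            "name": org_settings_name,
            "enable_asset_discovery": True,
        },
        "update_mask": field_mask,
    }
)
print(f"Asset Discovery Enabled? {updated.enable_asset_discovery}")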
Java
/**
 * Turns on asset discovery for the organization and prints the updated settings.
 *
 * <p>The request carries a field mask naming only enable_asset_discovery, so no
 * other setting on the resource is modified by this call.
 *
 * @param organizationName the organization whose settings are updated
 * @return the settings as returned by the service after the update
 * @throws RuntimeException if the client cannot be created (wraps the IOException)
 */
static OrganizationSettings updateOrganizationSettings(OrganizationName organizationName) {
  // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    String settingsName = organizationName + "/organizationSettings";
    OrganizationSettings desired =
        OrganizationSettings.newBuilder()
            .setName(settingsName)
            .setEnableAssetDiscovery(true)
            .build();
    FieldMask onlyAssetDiscovery =
        FieldMask.newBuilder().addPaths("enable_asset_discovery").build();
    UpdateOrganizationSettingsRequest request =
        UpdateOrganizationSettingsRequest.newBuilder()
            .setOrganizationSettings(desired)
            .setUpdateMask(onlyAssetDiscovery)
            .build();

    // Call the API and echo the result.
    OrganizationSettings updated = client.updateOrganizationSettings(request);
    System.out.println("Organization Settings have been updated:");
    System.out.println(updated);
    return updated;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}
Go
import (
"context"
"fmt"
"io"
securitycenter "cloud.google.com/go/securitycenter/apiv1"
"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
"google.golang.org/genproto/protobuf/field_mask"
)
// enableAssetDiscovery turns on asset discovery for orgID and prints the
// updated settings to w. orgID is the numeric Organization ID.
func enableAssetDiscovery(w io.Writer, orgID string) error {
	// orgID := "12321311"
	// A context plus a Security Command Center client for the API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Releases the client's background resources.

	settingsName := fmt.Sprintf("organizations/%s/organizationSettings", orgID)
	desired := &securitycenterpb.OrganizationSettings{
		Name:                 settingsName,
		EnableAssetDiscovery: true,
	}
	// The mask restricts the write to enable_asset_discovery; every other
	// field on the resource is left as it is.
	mask := &field_mask.FieldMask{Paths: []string{"enable_asset_discovery"}}

	updated, err := client.UpdateOrganizationSettings(ctx, &securitycenterpb.UpdateOrganizationSettingsRequest{
		OrganizationSettings: desired,
		UpdateMask:           mask,
	})
	if err != nil {
		return fmt.Errorf("UpdateOrganizationSettings: %w", err)
	}
	fmt.Fprintf(w, "Updated Settings for: %s\n", updated.Name)
	fmt.Fprintf(w, "Asset discovery on? %v\n", updated.EnableAssetDiscovery)
	return nil
}
Node.js
// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');
// Creates a new client. Authentication is expected to be configured
// beforehand (see the prerequisites section above); the client is shared
// by the sample function below.
const client = new SecurityCenterClient();
/**
 * Enables asset discovery for the organization and logs the settings the
 * service returns. The update mask names only enableAssetDiscovery, so no
 * other setting is changed.
 *
 * @returns {Promise<void>} resolves once the new settings have been logged
 */
async function updateOrgSettings() {
  // organizationId is the numeric ID of the organization.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const organizationId = "111122222444";
  const settingsName = `${client.organizationPath(organizationId)}/organizationSettings`;
  const request = {
    organizationSettings: {name: settingsName, enableAssetDiscovery: true},
    // Only update the enableAssetDiscovery field.
    updateMask: {paths: ['enable_asset_discovery']},
  };
  const [newSettings] = await client.updateOrganizationSettings(request);
  console.log('New settings: %j', newSettings);
}
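// Attach a rejection handler so a failed update is reported rather than
// left as an unhandled promise rejection.
updateOrgSettings().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});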