Assets are an organization's Google Cloud resources, like Compute Engine instances or Cloud Storage buckets.
This guide shows you how to use Security Command Center client libraries to access the deprecated records that Security Command Center maintains for the assets in a project or organization.
Security Command Center keeps records for only a subset of the assets in Cloud Asset Inventory. For the most complete list of assets in your environment, use Cloud Asset Inventory to list assets.
For more information, see the following:
Grant-levels for IAM roles
The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.
Before you begin
Before you set up a source, you need to complete the following:
Page Size
All Security Command Center list APIs are paginated. Each response returns a page of results and a token to return the next page. The page size is configurable: the default pageSize is 10, and it can be set to a minimum of 1 and a maximum of 1000.
Resource types
The resourceType attribute in Security Command Center uses a different naming convention than Cloud Asset Inventory. For a list of resource type formats, see Supported asset types in Security Command Center.
List all assets
These examples show how to list all assets:
gcloud
To list all assets in a project, folder, or organization, run the following command:
gcloud scc assets list PARENT_ID
Replace PARENT_ID with one of the following values:
- An organization ID in the following format: ORGANIZATION_ID (the numerical ID only)
- A folder ID in the following format: folders/FOLDER_ID
- A project ID in the following format: projects/PROJECT_ID
For more examples, run:
gcloud scc assets list --help
For examples in the documentation, see gcloud scc assets list.
The output for each asset is a JSON object that resembles the following:
asset:
  createTime: '2020-10-05T17:55:14.823Z'
  iamPolicy:
    policyBlob: '{"bindings":[{"role":"roles/owner","members":["serviceAccount:SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com","user:USER_EMAIL@gmail.com"]}]}'
  name: organizations/ORGANIZATION_ID/assets/ASSET_ID
  resourceProperties:
    createTime: '2020-10-05T17:36:17.915Z'
    lifecycleState: ACTIVE
    name: PROJECT_ID
    parent: '{"id":"ORGANIZATION_ID","type":"organization"}'
    projectId: PROJECT_ID
    projectNumber: 'PROJECT_NUMBER'
  securityCenterProperties:
    resourceDisplayName: PROJECT_ID
    resourceName: //cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER
    resourceOwners:
    - serviceAccount:SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
    - user:USER_EMAIL@gmail.com
    resourceParent: //cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID
    resourceParentDisplayName: ORGANIZATION_NAME
    resourceProject: //cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER
    resourceProjectDisplayName: PROJECT_ID
    resourceType: google.cloud.resourcemanager.Project
  securityMarks:
    name: organizations/ORGANIZATION_ID/assets/ASSET_ID/securityMarks
  updateTime: '2020-10-05T17:55:14.823Z'
Filter assets
A project, folder, or organization might have many assets. The preceding example doesn't use any filters, so all assets are returned. Security Command Center lets you use asset filters to get information about specific assets. Filters are like "where" clauses in SQL statements except, instead of columns, they apply to the objects returned by the API.
The sample output in the preceding example shows some fields and subfields, and their properties, that can be used in asset filters. Security Command Center supports full JSON arrays and objects as potential property types. You can filter on:
- Array elements
- Full JSON objects with partial string match within the object
- JSON object subfields
Sub-fields must be numbers, strings, or booleans, and filter expressions must use the following comparison operators:
- Strings:
  - Full equality: =
  - Partial string matching: :
- Numbers:
  - Inequalities: <, >, <=, >=
  - Equality: =
- Booleans:
  - Equality: =
The following examples filter assets:
gcloud
Use the following command to filter assets:
gcloud scc assets list PARENT_ID --filter="FILTER"
Replace the following:
- FILTER with the filter you need to use. For example, the following filter returns only project resources:
  --filter="security_center_properties.resource_type=\"google.cloud.resourcemanager.Project\""
- PARENT_ID with one of the following values:
  - An organization ID in the following format: ORGANIZATION_ID (the numerical ID only)
  - A folder ID in the following format: folders/FOLDER_ID
  - A project ID in the following format: projects/PROJECT_ID
For more examples, run:
gcloud scc assets list --help
For examples in the documentation, see gcloud scc assets list.
List at a point in time
The previous examples show how to list a current set of assets. Security Command Center also enables you to view a historical snapshot of assets. The following examples return the state of all assets at a specific point in time. Security Command Center supports millisecond time resolutions.
gcloud
Use the following command to list assets as of a specific point in time:
gcloud scc assets list PARENT_ID --read-time="READ_TIME"
Replace the following:
- READ_TIME with the time at which to list assets. Use the following format: YYYY-MM-DDThh:mm:ss.ffffffZ. For example:
  --read-time="2022-12-21T07:00:06.861Z"
- PARENT_ID with one of the following values:
  - An organization ID in the following format: ORGANIZATION_ID (the numerical ID only)
  - A project ID in the following format: projects/PROJECT_ID
  - A folder ID in the following format: folders/FOLDER_ID
For more examples, run:
gcloud scc assets list --help
For examples in the documentation, see gcloud scc assets list.
List assets with state changes
Security Command Center lets you compare an asset at two points in time to identify whether it was added, removed, or present during the specified time period. The following examples compare projects that exist at READ_TIME to a previous point in time specified by COMPARE_DURATION. COMPARE_DURATION is provided in seconds.
When COMPARE_DURATION is set, the stateChange attribute on list asset results is updated with one of the following values:
- ADDED: the asset was not present at the start of compareDuration, but was present at readTime.
- REMOVED: the asset was present at the start of compareDuration, but was not present at readTime.
- ACTIVE: the asset was present at both the start and the end of the time period defined by compareDuration and readTime.
gcloud
Use the following command to compare the state of assets at two points in time:
gcloud scc assets list PARENT_ID \
  --filter="FILTER" \
  --read-time=READ_TIME \
  --compare-duration=COMPARE_DURATION
Replace the following:
- COMPARE_DURATION with a number of seconds that defines a point in time prior to the time that is specified on the --read-time flag. For example:
  --compare-duration=84600s
- FILTER with the filter you need to use. For example, the following filter returns only project resources:
  --filter="security_center_properties.resource_type=\"google.cloud.resourcemanager.Project\""
- PARENT_ID with one of the following values:
  - An organization ID in the following format: ORGANIZATION_ID (the numerical ID only)
  - A project ID in the following format: projects/PROJECT_ID
  - A folder ID in the following format: folders/FOLDER_ID
- READ_TIME with the time at which to list assets. Use the following format: YYYY-MM-DDThh:mm:ss.ffffffZ. For example:
  --read-time="2022-12-21T07:00:06.861Z"
For more examples, run:
gcloud scc assets list --help
For examples in the documentation, see gcloud scc assets list.
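The same comparison driven from Python, as an added example that is not part of this page or of the client library: compare_window, summarise_state_changes and list_asset_changes are names chosen here, the sample results are constructed, and the live call assumes the google-cloud-securitycenter package and credentials.

```python
# Added example (not from the Security Command Center docs or client library):
# drive the read_time / compare_duration pair from Python and group results by
# stateChange, turning two asset snapshots into "what appeared / disappeared"
# lists. The live call needs google-cloud-securitycenter and credentials.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def compare_window(read_time: datetime, compare_seconds: int):
    """Return (start, end): the API compares the state at read_time (end)
    with the state compare_seconds earlier (start)."""
    if read_time.tzinfo is None:
        raise ValueError("read_time must be timezone-aware")
    if compare_seconds <= 0:
        raise ValueError("compare_duration must be positive")
    return read_time - timedelta(seconds=compare_seconds), read_time

def summarise_state_changes(results):
    """Group (resource_name, state_change) pairs into sorted lists per state.
    With compare_duration set the API reports ADDED, REMOVED or ACTIVE."""
    by_state = defaultdict(list)
    for name, state in results:
        by_state[state].append(name)
    return {state: sorted(names) for state, names in by_state.items()}

def list_asset_changes(parent: str, read_time: datetime, compare_seconds: int,
                       filter_: str = ""):
    """Yield (resource_name, state_change) from the API. Passing a datetime
    for read_time and a timedelta for compare_duration relies on proto-plus
    marshalling them to Timestamp and Duration (assumption)."""
    from google.cloud import securitycenter_v1
    start, end = compare_window(read_time, compare_seconds)
    client = securitycenter_v1.SecurityCenterClient()
    request = {"parent": parent, "filter": filter_, "read_time": end,
               "compare_duration": end - start}
    for result in client.list_assets(request=request):
        yield (result.asset.security_center_properties.resource_name,
               result.state_change.name)

# Constructed sample results (not real API output) in the shape the generator
# yields, using the page's read time and compare duration.
READ_TIME = datetime(2022, 12, 21, 7, 0, 6, 861000, tzinfo=timezone.utc)
COMPARE_SECONDS = 84600
SAMPLE_RESULTS = [
    ("//compute.googleapis.com/projects/p1/zones/us-central1-a/instances/vm-new", "ADDED"),
    ("//storage.googleapis.com/old-logs-bucket", "REMOVED"),
    ("//cloudresourcemanager.googleapis.com/projects/100090906", "ACTIVE"),
    ("//compute.googleapis.com/projects/p1/global/firewalls/default-allow-http", "ADDED"),
]
```

Feeding the generator's output to summarise_state_changes gives the ADDED list that is worth reviewing first, since it contains resources that did not exist at the start of the window.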
Filter examples
The following are some other useful asset filters. You can use AND and OR in filters to combine parameters and expand or refine results.
Find a Project Asset with a specific owner
"security_center_properties.resource_type = \"google.cloud.resourcemanager.Project\" AND security_center_properties.resource_owners : \"$USER\""
$USER is typically in the format user:someone@domain.com. The comparison for user uses the substring operator : and an exact match isn't necessary.
Firewall rules that have open HTTP Ports
"security_center_properties.resource_type = \"google.compute.Firewall\" AND resource_properties.name =\"default-allow-http\""
Resources that belong to specific projects
"security_center_properties.resource_parent = \"$PROJECT_1_NAME\" OR security_center_properties.resource_parent = \"$PROJECT_2_NAME\""
$PROJECT_1_NAME and $PROJECT_2_NAME are resource identifiers in the form of //cloudresourcemanager.googleapis.com/projects/$PROJECT_ID, where $PROJECT_ID is the project number. A complete example would be something like: //cloudresourcemanager.googleapis.com/projects/100090906
Finding Compute Engine images whose names contain a specific string
This filter returns Compute Engine images whose names contain the substring "Debia":
"security_center_properties.resource_type = \"google.compute.Image\" AND resource_properties.name : \"Debia\""
Resources whose properties contain key-value pairs
This filter returns Cloud Storage buckets where bucketPolicyOnly is disabled. The value of resourceProperties.iamConfiguration is encoded as a string. You use the \ character to escape special characters in strings, including the operator : between the key name and value.
"resourceProperties.iamConfiguration:"\"bucketPolicyOnly\"\:{\"enabled\"\:false""
Finding Project Assets created at or before a specific time
These example filters match assets created at or before July 18, 2019 at 8:26:21 PM GMT. With the create_time filter, you can express time using the following formats and types:
- Unix time (in milliseconds) as an integer literal:
  "create_time <= 1563481581000"
- RFC 3339 as a string literal:
  "create_time <= \"2019-07-18T20:26:21+00:00\""
Excluding assets from results
To exclude an asset from results, use negation by placing a - character in front of a parameter. The operation is similar to using the NOT operator in an SQL statement.
This filter returns all project resources except Debia:
"security_center_properties.resource_type = \"google.cloud.resourcemanager.Project\" AND -resource_properties.projectId = \"Debia\""
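Building filters like these (and the ones in the Filter assets section above) from Python, as an added example that is not part of this page or of the client library: quoted, eq, contains, exclude and created_at_or_before are names chosen here, and the list_assets wrapper assumes the google-cloud-securitycenter package and credentials.

```python
# Added example (not from the Security Command Center docs or client library):
# helpers that build asset-filter expressions like the ones above, so quoting,
# escaping and negation happen in one tested place, plus a list_assets() wrapper
# for the Python client (google-cloud-securitycenter + credentials; not run here).
from datetime import datetime, timezone

def quoted(value: str) -> str:
    """Double-quoted literal with backslashes and quotes escaped, so a value
    taken from untrusted input cannot change the filter's structure."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def eq(field: str, value) -> str:
    """Full-equality term (=): booleans and numbers bare, strings quoted."""
    if isinstance(value, bool):
        return f"{field} = {str(value).lower()}"
    if isinstance(value, (int, float)):
        return f"{field} = {value}"
    return f"{field} = {quoted(value)}"

def contains(field: str, value: str) -> str:
    """Partial string match (:), as used for resource_owners above."""
    return f"{field} : {quoted(value)}"

def exclude(term: str) -> str:
    """Negate a term with a leading '-', the equivalent of SQL NOT."""
    return "-" + term

def created_at_or_before(when: datetime) -> str:
    """create_time <= Unix milliseconds (the same instant as the RFC 3339 form)."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return f"create_time <= {int(when.timestamp() * 1000)}"

def list_assets(parent: str, filter_: str, page_size: int = 100):
    """Yield (resource_name, resource_type) for assets under parent
    ('organizations/ID', 'folders/ID' or 'projects/ID') that match filter_;
    the pager returned by the client follows next-page tokens for us."""
    from google.cloud import securitycenter_v1
    client = securitycenter_v1.SecurityCenterClient()
    request = {"parent": parent, "filter": filter_, "page_size": page_size}
    for result in client.list_assets(request=request):
        scp = result.asset.security_center_properties
        yield scp.resource_name, scp.resource_type

# Worked filters: the page's cutoff time, and every project resource except Debia.
CUTOFF_2019 = datetime(2019, 7, 18, 20, 26, 21, tzinfo=timezone.utc)
PROJECT = eq("security_center_properties.resource_type", "google.cloud.resourcemanager.Project")
NOT_DEBIA = " AND ".join([PROJECT, exclude(eq("resource_properties.projectId", "Debia"))])
```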
What's next
Learn more about accessing Security Command Center using a client library.