Manage a security posture

This page describes how you can configure and use the security posture service after you activate Security Command Center. To start, you must create a posture that includes your policies, organized in policy sets, and then deploy the posture using a posture deployment. After a posture is deployed, you can monitor for drift and further refine your posture over time.

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Activate the Security Command Center Premium or Enterprise tier

Verify that the Security Command Center Premium tier or Enterprise tier is activated at the organization level.

If you want to use Security Health Analytics detectors as policies, select the Security Health Analytics service during the activation process.

Set up permissions

To get the permissions that you need to use posture, ask your administrator to grant you the Security Posture Admin (roles/securityposture.admin) IAM role. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For more information about security posture roles and security posture permissions, see IAM for organization-level activations.

Set up Google Cloud CLI

You must use Google Cloud CLI version 461.0.0 or later.

In the Google Cloud console, activate Cloud Shell.

At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

To set up the gcloud CLI to use service account impersonation to authenticate to Google APIs, rather than your user credentials, run the following command:

gcloud config set auth/impersonate_service_account SERVICE_ACCT_EMAIL

For more information, see Service account impersonation.

Enable APIs

Enable the Organization Policy Service and the security posture service APIs:

gcloud services enable orgpolicy.googleapis.com securityposture.googleapis.com

Configure connection to AWS

To use built-in Security Health Analytics detectors that are specific to AWS, you must activate Security Command Center Enterprise and connect to AWS for vulnerability detection.

Create and deploy a posture

To start using a security posture, you must complete the following:

  • Create a posture YAML file that defines the policies that apply to your security posture.

  • Create a posture in Google Cloud that is based on the posture YAML file.

  • Deploy the posture.

The following sections provide detailed instructions.

Create a posture YAML file

A posture consists of one or more policy sets that you deploy together. These policy sets include all the preventative and detective policies that you want to include in your posture.

To create your posture, do one of the following:

  • Create a posture file from a predefined posture template.

  • Create a posture file by extracting policies from an existing environment.

  • Create a Terraform resource with policy definitions.

For details about the fields that you can use in a posture, see the Posture reference and the PolicySet reference.

Create a posture file from a predefined posture template

You can use a predefined posture template to create a posture file.

Console

  1. In the Google Cloud console, go to the Posture Management page.

  2. Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.

  3. In the Templates tab, click the template that you want to use.

  4. In the Template details page, click Create Posture.

  5. Provide a unique name for the posture and click Create. The Posture details page opens.

  6. Complete one of the following actions:

    • If you can use the posture without making any changes (for example, you used one of the _essentials templates), you can deploy the posture. For instructions, see Deploy a posture.

    • If you need to modify any of the policy sets or policies (for example, you used one of the _enhanced templates), complete Modify a posture YAML file and set the posture state to ACTIVE.

gcloud

  1. Review the predefined posture templates to determine which ones apply to your environment. You can apply some of them without making any changes, but others require you to customize the policies to match your environment.

  2. Use one of the following methods to copy the YAML files into your own text editor:

    • Copy the YAML file from the reference content in predefined posture templates.

    • Run the gcloud scc posture-templates describe command to copy the YAML file.

    gcloud scc posture-templates describe \
    organizations/ORGANIZATION_ID/locations/LOCATION/postureTemplates/POSTURE_TEMPLATE \
    --revision-id=REVISION_ID

    Replace the following values:

    • ORGANIZATION_ID is the organization where you activated the Security Command Center Premium or Enterprise tier.

    • LOCATION is the location where you want to deploy and store the posture. The only supported location is global.

    • POSTURE_TEMPLATE is the template name of the predefined posture, as described in Predefined posture templates.

    • REVISION_ID is the revision version for the predefined posture. If you don't include the revision ID, the latest version of the predefined posture is displayed.

    For example, to view the secure AI, essentials predefined posture under the 3589215982 organization, run the following:

    gcloud scc posture-templates describe \
    organizations/3589215982/locations/global/postureTemplates/secure_ai_essential \
    --revision-id=v.1.0

  3. Complete one of the following actions:

    • If you can use the posture without making any changes (for example, you used one of the _essentials templates), you can create the posture. For instructions, see Create a posture.

    • If you need to modify any of the policy sets or policies, complete Modify a posture YAML file.

Create a posture file by extracting policies from an existing environment

You can extract the policies (organization policies, including custom policies and all Security Health Analytics detectors, including custom detectors) that you configured in an existing project, folder, or organization to create a posture file. You can't extract policies from an organization, folder, or project that already has a posture applied to it.

This command only extracts the policies that you previously configured for the organization, folder, or project itself; it doesn't extract policies inherited from parent folders or the parent organization.

If you connected Security Command Center Enterprise to AWS, this command also extracts the detectors that are specific to AWS (Preview).

  1. Run the gcloud scc postures extract command to extract the existing organization policies and Security Health Analytics detectors in your environment.

    gcloud scc postures extract \
    POSTURE_NAME --workload=WORKLOAD

    Replace the following values:

    • POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_ID.

      • LOCATION is global.

      • POSTURE_ID is an alphanumeric name for your posture that is unique to your organization. POSTURE_ID is limited to 63 characters.

    • WORKLOAD is the project, folder, or organization that you are extracting the policies from. The workload is one of the following:

      • projects/PROJECT_NUMBER

      • folders/FOLDER_ID

      • organizations/ORGANIZATION_ID

    For example, to extract policies from the 3589215982 folder under the 6589215984 organization, run the following:

    gcloud scc postures extract organizations/6589215984/locations/global/postures/myStagingPosture --workload=folders/3589215982 > posture.yaml

  2. Open the resulting posture.yaml file for editing.

  3. Complete one of the following actions:

    • If you can use the posture without making any changes (for example, you used one of the _essentials templates), you can create the posture. For instructions, see Create a posture.

    • If you need to modify any of the policy sets or policies, complete Modify a posture YAML file.

Create a Terraform resource with policy definitions

You can create a Terraform configuration to create a posture resource.

For example, you can create a posture resource that includes built-in and custom organization policy constraints and built-in and custom Security Health Analytics detectors. Posture management support for built-in Security Health Analytics detectors that are specific to AWS is in Preview.

resource "google_securityposture_posture" "posture_example" {
  posture_id  = "<POSTURE_ID>"
  parent      = "organizations/<ORGANIZATION_ID>"
  location    = "global"
  state       = "ACTIVE"
  description = "a new posture"
  policy_sets {
    policy_set_id = "org_policy_set"
    description   = "set of org policies"
    policies {
      policy_id = "canned_org_policy"
      constraint {
        org_policy_constraint {
          canned_constraint_id = "storage.uniformBucketLevelAccess"
          policy_rules {
            enforce = true
          }
        }
      }
    }
  }
  policy_sets {
    policy_set_id = "sha_policy_set"
    description   = "set of sha policies"
    policies {
      policy_id = "sha_builtin_module"
      constraint {
        security_health_analytics_module {
          module_name             = "BIGQUERY_TABLE_CMEK_DISABLED"
          module_enablement_state = "ENABLED"
        }
      }
      description = "enable BIGQUERY_TABLE_CMEK_DISABLED"
    }
    policies {
      policy_id = "aws_sha_builtin_module"
      constraint {
        security_health_analytics_module {
          module_name             = "S3_BUCKET_LOGGING_ENABLED"
          module_enablement_state = "ENABLED"
        }
      }
      description = "enable S3_BUCKET_LOGGING_ENABLED"
    }
    policies {
      policy_id = "sha_custom_module"
      constraint {
        security_health_analytics_custom_module {
          display_name = "custom_SHA_policy"
          config {
            predicate {
              expression = "resource.rotationPeriod > duration('2592000s')"
            }
            custom_output {
              properties {
                name = "duration"
                value_expression {
                  expression = "resource.rotationPeriod"
                }
              }
            }
            resource_selector {
              resource_types = ["cloudkms.googleapis.com/CryptoKey"]
            }
            severity       = "LOW"
            description    = "Custom Module"
            recommendation = "Testing custom modules"
          }
          module_enablement_state = "ENABLED"
        }
      }
    }
  }
}

For more information, see google_securityposture_posture.

Modify a posture YAML file

Complete the following steps to modify a posture YAML file:

  1. Open your posture YAML file in a text editor.

  2. Verify the name, description, and state at the beginning of the file.

    name: organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_ID
    description: DESCRIPTION
    state: STATE


    For details about these fields, see the Posture reference.

    For example:

    name: organizations/3589215982/locations/global/postures/stagingAIPosture
    description: This posture applies to staging environments for Vertex AI.
    state: ACTIVE

  3. Customize the policies within the file to meet your requirements.

    For details about the fields that you can use, see the PolicySet reference.

    1. Review the existing policies and their values. For policies that require information that is specific to your environment, set the values appropriately. For example, for the ainotebooks.accessMode policy in the secure AI, extended predefined posture, add the allowed modes of access under policy_rules:

        - policy_id: Define access mode for Vertex AI Workbench notebooks and instances
          compliance_standards:
          - standard: NIST SP 800-53
            control: AC-3(3)
          - standard: NIST SP 800-53
            control: AC-6(1)
          constraint:
            org_policy_constraint:
              canned_constraint_id: ainotebooks.accessMode
              policy_rules:
              - values:
                  allowed_values:
                  - service-account
          description: This list constraint defines the modes of access allowed to Vertex AI Workbench notebooks and instances where enforced. The allow or deny list can specify multiple users with the service-account mode or single-user access with the single-user mode. The access mode to be allowed or denied must be listed explicitly.

    2. Add other organization policy constraints, as documented in Organization policy constraints. If you are defining a custom organization policy, ensure that the YAML file includes the custom constraint definition. You can't use a custom constraint that you created using other methods (for example, using the Google Cloud console). For example, you might want to set the compute.trustedImageProjects constraint to define which projects can be used for image storage and disk instantiation. If you copy this example, ensure that you replace the allowed_values with a suitable list of projects:

        - policy_id: Define projects with trusted images.
          compliance_standards:
          - standard:
            control:
          constraint:
            org_policy_constraint:
              canned_constraint_id: compute.trustedImageProjects
              policy_rules:
              - values:
                  allowed_values:
                  - project1
                  - project2
                  - projectN
          description: This is a complete list of projects from which images can be used.
      
    3. Add additional Security Health Analytics detectors, such as those documented in Security Health Analytics findings. For example, add a Security Health Analytics detector to create a finding if a project is not using an API key for authentication:

        - policy_id: API Key Exists
          constraint:
            securityHealthAnalyticsModule:
              moduleEnablementState: ENABLED
              moduleName: API_KEY_EXISTS

      As another example, add a Security Health Analytics custom module to detect whether Vertex AI datasets are encrypted:

        - policy_id: CMEK key is used for Vertex AI DataSet
          compliance_standards:
          - standard: NIST SP 800-53
            control: SC-12
          - standard: NIST SP 800-53
            control: SC-13
          constraint:
            security_health_analytics_custom_module:
              display_name: "vertexAIDatasetCMEKDisabled"
              config:
                customOutput: {}
                predicate:
                  expression: "!has(resource.encryptionSpec)"
                resource_selector:
                  resource_types:
                  - aiplatform.googleapis.com/Dataset
                severity: CRITICAL
                description: "When enforced, this detector finds whether a dataset is not encrypted using CMEK."
                recommendation: "Restore the SHA module. See https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview."
              module_enablement_state: ENABLED

      As another example, for Security Command Center Enterprise, add a Security Health Analytics detector that's specific to AWS (Preview):

      - policy_set_id: AWS policy set
        description:  Policy set containing AWS built-in SHA modules for securing S3 buckets.
        policies:
        - policy_id: S3 bucket replication enabled
          compliance_standards:
          - standard: NIST 800-53 R5
            control: SI-13(5)
          constraint:
            securityHealthAnalyticsModule:
              moduleEnablementState: ENABLED
              moduleName: S3_BUCKET_REPLICATION_ENABLED
          description: This control checks whether an Amazon S3 bucket has Cross-Region Replication enabled. The control fails if the bucket does not have Cross-Region Replication enabled or if Same-Region Replication is also enabled.
      
        - policy_id: S3 bucket logging enabled
          compliance_standards:
          - standard: NIST 800-53 R5
            control: SI-7(8)
          - standard: PCI DSS 3.2.1
            control: 10.3.1
          constraint:
            securityHealthAnalyticsModule:
              moduleEnablementState: ENABLED
              moduleName: S3_BUCKET_LOGGING_ENABLED
          description: AWS S3 Server Access Logging feature records access requests to storage buckets which is useful for security audits. By default, server access logging is not enabled for S3 buckets.

      If you add a detector that's specific to AWS, you must deploy the posture at the organization level.

  4. Upload your posture file to a version-controlled source repository so that you can track the changes that you make to it over time.
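Before you run gcloud scc postures create, it helps to check the file against the rules stated on this page. The following pre-flight script is an added example (not part of the Google Cloud documentation or the gcloud CLI): it checks the posture name format, the 63-character POSTURE_ID limit, the posture state, that each policy carries exactly one constraint type, and that a posture containing an AWS-specific detector is deployed to an organization. It assumes the YAML was loaded with PyYAML's yaml.safe_load (the sample posture below is constructed inline so the script runs without that dependency) and that POSTURE_ID may contain letters, digits, hyphens and underscores.

```python
# Pre-flight checks for a Security Command Center posture file.
# Added example, not part of the Google Cloud documentation or the gcloud CLI.
import re

# Posture name format used throughout this page. The character class for
# POSTURE_ID is an assumption that matches the page's examples.
POSTURE_NAME_RE = re.compile(
    r"^organizations/\d+/locations/global/postures/(?P<id>[A-Za-z0-9_-]+)$")
TARGET_RE = re.compile(r"^(organizations|folders|projects)/\d+$")
VALID_STATES = {"DRAFT", "ACTIVE", "DEPRECATED"}
# Exactly one of these keys must appear under a policy's "constraint"; both the
# snake_case and camelCase spellings occur in the page's YAML examples.
CONSTRAINT_KEYS = {
    "org_policy_constraint", "orgPolicyConstraint",
    "org_policy_constraint_custom", "orgPolicyConstraintCustom",
    "security_health_analytics_module", "securityHealthAnalyticsModule",
    "security_health_analytics_custom_module", "securityHealthAnalyticsCustomModule",
}
SHA_MODULE_KEYS = {"security_health_analytics_module", "securityHealthAnalyticsModule"}
# Built-in detectors this page shows as AWS-specific (Preview); extend for your own.
AWS_MODULES = {"S3_BUCKET_LOGGING_ENABLED", "S3_BUCKET_REPLICATION_ENABLED"}


def _field(mapping, snake, camel, default=None):
    """Read a field that a hand-edited posture file may spell either way."""
    return mapping.get(snake, mapping.get(camel, default))


def validate_posture(posture, target_resource, aws_modules=AWS_MODULES):
    """Return the problems found in a posture (a dict as produced by yaml.safe_load);
    an empty list means it is ready to create and then deploy to target_resource."""
    errors = []
    name = posture.get("name", "")
    match = POSTURE_NAME_RE.match(name)
    if not match:
        errors.append(f"name {name!r} is not organizations/ORG/locations/global/postures/POSTURE_ID")
    elif len(match.group("id")) > 63:
        errors.append("POSTURE_ID is longer than 63 characters")
    state = posture.get("state")
    if state not in VALID_STATES:
        errors.append(f"state {state!r} must be one of {sorted(VALID_STATES)}")
    elif state != "ACTIVE":
        errors.append(f"state is {state}; only an ACTIVE revision can be deployed")
    if not TARGET_RE.match(target_resource):
        errors.append(f"target {target_resource!r} must be organizations/, folders/ or projects/ plus an ID")
    policy_sets = _field(posture, "policy_sets", "policySets", [])
    if not policy_sets:
        errors.append("posture has no policy sets")
    seen_sets, uses_aws = set(), False
    for policy_set in policy_sets:
        set_id = _field(policy_set, "policy_set_id", "policySetId")
        if not set_id or set_id in seen_sets:
            errors.append(f"policy set id {set_id!r} is missing or duplicated")
        seen_sets.add(set_id)
        seen_policies = set()  # policy IDs must be unique within a policy set
        for policy in policy_set.get("policies", []):
            policy_id = _field(policy, "policy_id", "policyId")
            if not policy_id or policy_id in seen_policies:
                errors.append(f"policy id {policy_id!r} is missing or duplicated in {set_id!r}")
            seen_policies.add(policy_id)
            constraint = policy.get("constraint") or {}
            kinds = [key for key in constraint if key in CONSTRAINT_KEYS]
            if len(kinds) != 1:
                errors.append(f"policy {policy_id!r} needs exactly one constraint type, found {kinds}")
                continue
            if kinds[0] in SHA_MODULE_KEYS:
                module_name = _field(constraint[kinds[0]], "module_name", "moduleName")
                uses_aws = uses_aws or module_name in aws_modules
    # The page requires organization-level deployment for AWS-specific detectors.
    if uses_aws and not target_resource.startswith("organizations/"):
        errors.append("posture contains an AWS-specific detector; deploy it at the organization level")
    return errors


# Constructed sample built from this page's examples: one org policy set plus the AWS
# policy set, in the organization used in the page's command examples.
SAMPLE_POSTURE = {
    "name": "organizations/3589215982/locations/global/postures/stagingAIPosture",
    "description": "This posture applies to staging environments for Vertex AI.",
    "state": "ACTIVE",
    "policy_sets": [
        {"policy_set_id": "org_policy_set", "policies": [
            {"policy_id": "canned_org_policy", "constraint": {"org_policy_constraint": {
                "canned_constraint_id": "storage.uniformBucketLevelAccess",
                "policy_rules": [{"enforce": True}]}}}]},
        {"policy_set_id": "AWS policy set", "policies": [
            {"policy_id": "S3 bucket logging enabled", "constraint": {"securityHealthAnalyticsModule": {
                "moduleEnablementState": "ENABLED",
                "moduleName": "S3_BUCKET_LOGGING_ENABLED"}}}]},
    ],
}

if __name__ == "__main__":
    for target in ("organizations/3589215982", "projects/4589215982"):
        print(target, validate_posture(SAMPLE_POSTURE, target) or "ok")
```

Run it in CI against the loaded posture.yaml and the intended --target-resource, and block the gcloud scc postures create step when the returned list is not empty.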

Create a posture

Complete this task to create a posture resource in Security Command Center that you can deploy. If you created a posture from a predefined posture template using the Google Cloud console, the posture resource is created automatically for you.

gcloud

  1. Run the gcloud scc postures create command to create a posture using the posture.yaml file.

    gcloud scc postures create \
    POSTURE_NAME --posture-from-file=POSTURE_FROM_FILE

    Replace the following values:

    • POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_ID.

      • LOCATION is global.

      • POSTURE_ID is an alphanumeric name for your posture that is unique to your organization. POSTURE_ID is limited to 63 characters.

    • POSTURE_FROM_FILE is the relative or absolute path to the posture.yaml file.

    For example, to create a posture with the ID posture-example-1 under the organization organizations/3589215982, run the following:

    gcloud scc postures create organizations/3589215982/locations/global/postures/posture-example-1 --posture-from-file=posture.yaml

    If the posture creation process fails, delete the posture, troubleshoot the error, and try again.

  2. To verify that the posture created successfully, see View a posture.

To apply this posture to your environment, you must deploy the posture.

Terraform

If you created a Terraform configuration for the posture resource, you must provision it using your infrastructure-as-code pipeline.

For more information, see Terraform on Google Cloud.

Deploy a posture

After you create a posture, you deploy it to a project, folder, or organization so that you can apply the policies and their definitions to specific resources in your organization and monitor for drift. You can only deploy one posture to a project, folder, or organization.

Verify that your posture state is ACTIVE.

When you deploy the posture, the following actions occur:

  • The definitions for organization policies and Security Health Analytics detectors are applied.

  • The custom constraint for each custom organization policy is created with a constraint ID that consists of the constraint ID you defined in the posture with the posture revision ID appended as a suffix.

  • The default state for the custom modules is set to Enabled.

Console

  1. In the Google Cloud console, go to the Posture Management page.

  2. Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.

  3. In the Posture tab, click the posture that you want to deploy.

  4. In the Posture details page, select the revision of the posture that you want to deploy.

  5. Click Deploy to node.

  6. Select the organization, folder, or project that you want to deploy the posture to. If your posture includes a detector that's specific to AWS, you must deploy the posture at the organization level (Preview).

  7. Click Select.

  8. Repeat steps 5 through 7 for each organization, folder, or project that you want to apply the posture to.

gcloud

Run the gcloud scc posture-deployments create command to deploy a posture to a project, folder, or organization.

gcloud scc posture-deployments create \
POSTURE_DEPLOYMENT_NAME  --posture-name=POSTURE_NAME \
--posture-revision-id=POSTURE_REVISION_ID \
--target-resource=TARGET_RESOURCE

Replace the following values:

  • POSTURE_DEPLOYMENT_NAME is the relative resource name for the posture deployment. The format is organizations/ORGANIZATION_ID/locations/LOCATION/postureDeployments/POSTURE_DEPLOYMENT_ID.

    • LOCATION is global.

    • POSTURE_DEPLOYMENT_ID is a unique name for the posture deployment. POSTURE_DEPLOYMENT_ID is limited to 63 characters.

  • --posture-name=POSTURE_NAME is the name for the posture that you're deploying. The format is organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_ID.

    • LOCATION is global.

    • POSTURE_ID is an alphanumeric name for your posture that is unique to your organization.

  • --posture-revision-id=POSTURE_REVISION_ID is the posture revision that you want to deploy. You can obtain it from the response that you receive when you create the posture or view the posture.

  • --target-resource=TARGET_RESOURCE is the name of the organization, folder, or project that you want to deploy the posture on. You can use one of the following formats:

    • organizations/ORGANIZATION_ID
    • folders/FOLDER_ID
    • projects/PROJECT_NUMBER

    If your posture includes a detector that's specific to AWS, you must deploy the posture at the organization level (Preview).

For example, to deploy a posture, run the following command:

gcloud scc posture-deployments create \
organizations/3589215982/locations/global/postureDeployments/postureDeployment123 \
--posture-name=organizations/3589215982/locations/global/postures/StagingAIPosture \
--posture-revision-id=version1 --target-resource=projects/4589215982

You can view status information as the command completes. If the posture deployment creation process fails, delete the deployment, troubleshoot the error, and try again.

Terraform

You can create a Terraform resource to deploy a posture.

resource "google_securityposture_posture_deployment" "posture_deployment_example" {
  posture_deployment_id = "<POSTURE_DEPLOYMENT_ID>"
  parent                = "organizations/<ORGANIZATION_ID>"
  location              = "global"
  description           = "a new posture deployment"
  target_resource       = "<TARGET_RESOURCE>"
  posture_id            = "<POSTURE_NAME>"
  posture_revision_id   = "<POSTURE_REVISION_ID>"
}

For more information, see google_securityposture_posture_deployment.

After you create the Terraform resource, provision it using your infrastructure-as-code pipeline.

View posture and posture deployment information

You can view posture and posture deployment information to see information such as the following:

  • What postures are deployed and where in the resource hierarchy (organizations, projects, and folders) they are applied

  • The revisions and state of postures

  • The operational details of a posture deployment

View a posture

You can view information about a posture (such as its state and policy definitions).

Console

  1. In the Google Cloud console, go to the Posture Management page.

  2. Select the organization that you activated the Security Command Center Premium or Enterprise tier on.

  3. In the Postures tab, click the posture that you want to view. The posture details appear.

gcloud

Run the gcloud scc postures describe command to see a posture that you created.

gcloud scc postures describe POSTURE_NAME \
--revision-id=REVISION_ID

Replace the following values:

  • POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_ID.

    • LOCATION is global.

    • POSTURE_ID is an alphanumeric name for your posture that is unique to your organization.

  • --revision-id=REVISION_ID is an optional flag that specifies which version of the posture to view. If you don't include the flag, the latest version is returned.

For example, to view a posture with the name organizations/3589215982/locations/global/postures/posture-example-1 and the revision ID abcdefgh, run the following:

gcloud scc postures describe \
organizations/3589215982/locations/global/postures/posture-example-1 \
--revision-id=abcdefgh

View information about a posture deployment operation

Run the gcloud scc posture-operations describe command to view the operation details for a posture deployment operation.

gcloud scc posture-operations describe OPERATION_NAME

Where OPERATION_NAME is the relative resource name for the operation. The format is organizations/ORGANIZATION_ID/locations/LOCATION/operations/OPERATION_ID, where LOCATION is the location of the posture deployment (global). You can obtain the OPERATION_ID by using the --async argument when you run the posture command.

For example, to view a scan operation with the name organizations/3589215982/locations/global/operations/operation-1694515698847-605272e4bcd7c-f93dade6-067467ae, run the following:

gcloud scc posture-operations describe \
organizations/3589215982/locations/global/operations/operation-1694515698847-605272e4bcd7c-f93dade6-067467ae

View information about a posture deployment

You can view where a posture is deployed to, as well as the deployment state.

Console

  1. In the Google Cloud console, go to the Posture Management page.

  2. Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.

  3. In the Postures tab, click the posture that you deployed.

  4. Click the Deployments tab. You can view the projects, folders, and organization that the posture is deployed to, as well as the deployment state.

gcloud

Run the gcloud scc posture-deployments describe command to view information about a deployed posture.

gcloud scc posture-deployments describe \
POSTURE_DEPLOYMENT_NAME

Where POSTURE_DEPLOYMENT_NAME is the relative resource name for the posture deployment. The format is organizations/ORGANIZATION_ID/locations/LOCATION/postureDeployments/POSTURE_DEPLOYMENT_ID.

  • LOCATION is global.

  • POSTURE_DEPLOYMENT_ID is a unique name for the posture deployment.

For example, to view the details for a posture deployment that is named organizations/3589215982/locations/global/postureDeployments/Posture-deployment-example-1, run the following:

gcloud scc posture-deployments describe \
organizations/3589215982/locations/global/postureDeployments/Posture-deployment-example-1

Update a posture and posture deployment

You can update the following:

  • The state of the posture.

  • The policy definitions in a posture.

  • The organization, folders, or projects that a posture is deployed to.

Update the policy definitions in a posture

You might need to update a posture when you enable more Google Cloud services, deploy additional resources, or require additional policies to meet new or changing compliance requirements. If you are updating a deployed posture revision, this task creates a new posture revision. Otherwise, the posture revision that you specify when you run the update command is updated.

  1. Open a YAML file in a text editor. Add the fields you want to update, along with their values. If you are updating policy sets, ensure that your file includes all the policy sets that you want to include in the posture, including the policy sets that already exist. For instructions, see Modify a posture YAML file.

  2. Run the gcloud scc postures update command to update the posture.

    gcloud scc postures update POSTURE_NAME \
    --posture-from-file=POSTURE_FROM_FILE \
    --revision-id=POSTURE_REVISION_ID --update-mask=UPDATE_MASK

    Replace the following values:

    • POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_ID.

      • LOCATION is global.

      • POSTURE_ID is an alphanumeric name for your posture that is unique to your organization.

    • POSTURE_FROM_FILE is the relative or absolute path to the posture.yaml file that includes your changes.

    • --revision-id=REVISION_ID is the posture revision that you want to deploy. If the posture is currently deployed, the security posture service automatically creates a new version of the posture with a different revision ID and includes the revision ID in the output.

    • --update-mask=UPDATE_MASK is the list of fields that you want to update, in comma-separated format. This argument is optional. You can set UPDATE_MASK to one of the following values:

      • * or unspecified: Apply the changes that you made to the policy sets and posture description.
      • policy_sets: Apply the changes that you made to the policy sets only.
      • description: Apply the changes that you made to the posture description only.
      • policy_sets, description: Apply the changes that you made to the policy sets and posture description.
      • state: Apply the state change only.

    For example, to update a posture with the name posture-example-1 under the organization organizations/3589215982/locations/global and the revision ID set to abcd1234, run the following:

    gcloud scc postures update organizations/3589215982/locations/global/postures/posture-example-1 --posture-from-file=posture.yaml --revision-id=abcd1234 --update-mask=policy_sets

    If the posture update process fails, troubleshoot the error, and try again.

  3. To verify that the posture updated successfully, see View a posture.

Change the state of a posture

The state of a posture determines whether it is available for deployment to a project, folder, or organization.

A posture can have the following states:

  • DRAFT: The posture revision is not ready for deployment. You cannot deploy a posture revision that is in the DRAFT state.

  • ACTIVE: The posture revision is available for deployment. You can change the state from ACTIVE to DRAFT or DEPRECATED.

  • DEPRECATED: A DEPRECATED posture revision cannot be deployed to a resource. You must delete all existing posture deployments of the posture before you can deprecate a posture revision. If you want to redeploy a posture revision that you deprecated, you must change its state to ACTIVE.

To change the state of a posture, run the gcloud scc postures update command. You can't update the posture state at the same time that you update other fields. For instructions about running the gcloud scc postures update command, see Modify a posture YAML file.

Update a posture deployment

Update a posture deployment on a project, folder, or organization to deploy a new posture or deploy a new revision of a posture.

If the posture revision that you're updating includes a custom organization constraint that was deleted using the Google Cloud console, you can't update the posture deployment using the same posture ID. The Organization Policy Service prevents the creation of custom organization constraints that have the same name. Instead, you must create a new version of the posture or use a different posture ID.

Console

  1. In the Google Cloud console, go to the Posture Management page.

  2. Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.

  3. In the Postures tab, click the posture that you updated.

  4. In the Posture details page, select the revision of the posture that you updated.

  5. Click Deploy to node.

  6. Select the organization, folder, or project that you want to deploy the posture to. If you see a message that the deployment already exists, delete the deployment before trying again. If your posture includes a detector that's specific to AWS, you must deploy the posture at the organization level (Preview).

  7. Click Select.

gcloud

Run the gcloud scc posture-deployments update command to deploy a posture.

gcloud scc posture-deployments update \
POSTURE_DEPLOYMENT_NAME --description=DESCRIPTION \
--update-mask=UPDATE_MASK --posture-id=POSTURE_ID \
--posture-revision-id=POSTURE_REVISION_ID

Replace the following values:

  • POSTURE_DEPLOYMENT_NAME is the relative resource name for the posture deployment. The format is organizations/ORGANIZATION_ID/locations/LOCATION/postureDeployments/POSTURE_DEPLOYMENT_ID.

    • LOCATION is global.

    • POSTURE_DEPLOYMENT_ID is a unique name for the posture deployment.

  • --description=DESCRIPTION is the optional description for the deployed posture.

  • --posture-id=POSTURE_ID is the name for your posture that is unique to your organization. The format is organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_NAME.

  • --posture-revision-id=POSTURE_REVISION_ID is the posture revision that you want to deploy. You can obtain it from the response that you receive when you create the posture or view the posture.

  • --update-mask=UPDATE_MASK is the list of fields that you want to update, in comma-separated format. This argument is optional.

For example, to update a posture deployment with the following criteria:

  • Organization: organizations/3589215982/locations/global
  • Posture deployment ID: postureDeploymentexample
  • Posture ID: StagingAIPosture
  • Revision: version2

Run the following command:

gcloud scc posture-deployments update \
organizations/3589215982/locations/global/postureDeployments/postureDeploymentexample \
--posture-id=organizations/3589215982/locations/global/postures/StagingAIPosture \
--posture-revision-id=version2

You can view status information as the command completes. If the posture deployment update process fails, delete the deployment, troubleshoot the error, and try again.

Monitor posture drift

You can monitor a deployed posture for drift from your defined policies within security posture. Drift is a change to a policy that occurs outside of a posture. For example, drift occurs when an administrator changes a policy definition in the console instead of updating the posture deployment.

The security posture service creates findings that you can view in the Google Cloud console or gcloud CLI whenever drift occurs.

Console

If you have created a posture that applies to Vertex AI workloads, you can monitor for drift in two ways: from the Findings page, and from the Overview page. For all other postures, you can monitor for drift from the Findings page.

To monitor for drift from the Findings page:

  1. In the Google Cloud console, go to the Findings page.

    Go to Findings

  2. Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.

  3. In the Quick filters pane, select the Posture violation finding. You can also enter the following filter in Query preview:

    state="ACTIVE" AND NOT mute="MUTED" AND finding_class="POSTURE_VIOLATION"
    
  4. To view the details for a finding, click the finding.

To monitor for drift from the Overview page (Vertex AI workloads only):

  1. In the Google Cloud console, go to the Overview page.

    Go to Overview

  2. Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.

  3. Review the AI Workload Findings pane.

    • The Vulnerabilities tab shows all the vulnerabilities related to any Security Health Analytics custom modules that apply specifically to Vertex AI workloads.
    • The Policy Drift tab shows any drift related to the Vertex AI organization policies that you've applied in a posture.
  4. To view the details for a finding, click the finding.

gcloud

In the gcloud CLI, to view drift findings, run the following:

gcloud scc findings list ORGANIZATION_ID \
--filter="category=\"SECURITY_POSTURE_DRIFT\""

Where ORGANIZATION_ID is the ID of the organization.

For more information about addressing these findings, see Security posture service findings. You can export these findings in the same way that you export any other findings from Security Command Center. For more information, see Integration options and Exporting Security Command Center data.

To mark a drift finding as inactive, update the posture deployment again with the same posture ID and posture revision; the security posture service re-applies the deployed policy and resolves the finding.
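As an added example that is not part of the original page, the following Python script applies the same drift filter as the console query above (state="ACTIVE" AND NOT mute="MUTED" AND finding_class="POSTURE_VIOLATION") together with the gcloud category filter (SECURITY_POSTURE_DRIFT) to a constructed sample of findings, and groups the findings that still need action by the resource they were raised on. It assumes the JSON shape that gcloud scc findings list ORGANIZATION_ID --format=json returns (a list of results, each wrapping a finding object); the field names state, mute, findingClass, category and resourceName are Security Command Center finding fields, and all sample values (source ID, project numbers, finding IDs) are constructed.

```python
import json
from collections import defaultdict

def _f(fid, category, fclass, state, mute, resource):
    # Build one constructed finding in the assumed gcloud JSON shape (values are made up).
    return {"finding": {
        "name": f"organizations/3589215982/sources/111/findings/{fid}",
        "category": category, "findingClass": fclass,
        "state": state, "mute": mute, "resourceName": resource}}

PROJECT_A = "//cloudresourcemanager.googleapis.com/projects/111111"
PROJECT_B = "//cloudresourcemanager.googleapis.com/projects/222222"

# Constructed sample standing in for the output of
# `gcloud scc findings list ORGANIZATION_ID --format=json`.
SAMPLE_FINDINGS_JSON = json.dumps([
    _f("f1", "SECURITY_POSTURE_DRIFT", "POSTURE_VIOLATION", "ACTIVE", "UNMUTED", PROJECT_A),
    _f("f2", "SECURITY_POSTURE_DRIFT", "POSTURE_VIOLATION", "ACTIVE", "MUTED", PROJECT_A),      # muted: excluded
    _f("f3", "SECURITY_POSTURE_DRIFT", "POSTURE_VIOLATION", "INACTIVE", "UNMUTED", PROJECT_B),  # resolved: excluded
    _f("f4", "SECURITY_POSTURE_DRIFT", "POSTURE_VIOLATION", "ACTIVE", "UNMUTED", PROJECT_B),
    _f("f5", "PUBLIC_BUCKET_ACL", "MISCONFIGURATION", "ACTIVE", "UNMUTED", PROJECT_B),          # not a posture finding
])

def is_active_drift(finding):
    """Mirror the console filter state="ACTIVE" AND NOT mute="MUTED"
    AND finding_class="POSTURE_VIOLATION", restricted to the drift category
    used in the gcloud command."""
    return (finding.get("state") == "ACTIVE"
            and finding.get("mute") != "MUTED"
            and finding.get("findingClass") == "POSTURE_VIOLATION"
            and finding.get("category") == "SECURITY_POSTURE_DRIFT")

def drift_by_resource(findings_json):
    """Return {resourceName: [finding names]} for drift findings that still need action."""
    report = defaultdict(list)
    for item in json.loads(findings_json):
        finding = item.get("finding", item)   # tolerate unwrapped finding objects too
        if is_active_drift(finding):
            report[finding["resourceName"]].append(finding["name"])
    return dict(report)

if __name__ == "__main__":
    for resource, names in drift_by_resource(SAMPLE_FINDINGS_JSON).items():
        print(resource, len(names), "active drift finding(s)")
```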

Generate a drift finding for testing purposes

After you deploy a posture, you can monitor for drift from your policies. To see drift findings in action in a testing environment, complete the following:

  1. In the console, go to the Organization policy page.

    Go to Organization policy

  2. Edit one of the policies that you defined in the deployed posture. For example, if you use a predefined secure AI posture, you could edit the Restrict public IP access on new Vertex AI Workbench notebooks and instances policy.

  3. After you change the policy, click Set Policy.

  4. Go to the Findings page.

    Go to Findings

  5. In the Quick filters pane, in the Source display name section, select Security Posture. A finding related to your change should appear within five minutes.

  6. To view the details for the finding, click the finding.

Delete a posture deployment

You can delete a posture deployment if it didn't deploy properly, you no longer require a particular posture, or you no longer want a particular posture assigned to a project, folder, or organization. To delete a posture deployment, the posture deployment must be in one of the following states:

  • ACTIVE
  • CREATE_FAILED
  • UPDATE_FAILED
  • DELETE_FAILED

To verify the state of a posture deployment, see View information about a posture deployment.

When you delete a posture deployment, you remove the posture from the resource (your organization, folder, or project) that you assigned it to.

The outcome for the different types of policies is as follows:

  • When you delete a posture deployment that includes custom organization policies, the custom organization policies are deleted. However, the custom constraint continues to exist.

  • When you delete a posture deployment that includes built-in Security Health Analytics detectors, the final state of the Security Health Analytics modules depends on the organization, folder, or project on which the deployment existed.

    • If you deployed a posture on a folder or project, built-in Security Health Analytics detectors inherit their state from the parent organization or folder.
    • If you deployed a posture at the organization level, built-in Security Health Analytics detectors revert to the default state. For a description of the default states, see Enable and disable detectors.

Run the gcloud scc posture-deployments delete command to delete a posture deployment.

gcloud scc posture-deployments delete \
POSTURE_DEPLOYMENT_NAME

POSTURE_DEPLOYMENT_NAME is the relative resource name for the posture deployment. The format is organizations/ORGANIZATION_ID/locations/LOCATION/postureDeployments/POSTURE_DEPLOYMENT_ID.

  • LOCATION is global.

  • POSTURE_DEPLOYMENT_ID is the unique name for the posture deployment.

For example, to delete a posture deployment that is named organizations/3589215982/locations/global/postureDeployments/posture-deployment-example-1, run the following:

gcloud scc posture-deployments delete \
organizations/3589215982/locations/global/postureDeployments/posture-deployment-example-1

Delete a posture

When you delete a posture, you also delete all revisions. You can't delete a posture that is deployed. You must delete the posture deployment before you can complete this task.

Run the gcloud scc postures delete command to delete a posture.

gcloud scc postures delete POSTURE_NAME

POSTURE_NAME is the relative resource name of the posture. The format is organizations/ORGANIZATION_ID/locations/LOCATION/postures/POSTURE_ID. The posture ID is an alphanumeric name for your posture that is unique to your organization. LOCATION is global.

For example, to delete a posture that is named organizations/3589215982/locations/global/postures/posture-example-1, run the following:

gcloud scc postures delete \
organizations/3589215982/locations/global/postures/posture-example-1

What's next