Enable public bucket remediation

This document provides a step-by-step guide to enable the public bucket remediation for the posture findings playbooks in the Enterprise tier of Security Command Center.

Overview

Security Command Center supports additional remediation for the vulnerabilities in the following playbooks:

  • Posture Findings – Generic
  • Posture Findings With Jira
  • Posture Findings With ServiceNow

These posture findings playbooks include a block that remediates the OPEN PORT, PUBLIC IP ADDRESS, and PUBLIC_BUCKET_ACL findings. For more information about these finding types, see Vulnerability findings.

Playbooks are preconfigured to process the OPEN PORT and PUBLIC IP ADDRESS findings. Remediating the PUBLIC_BUCKET_ACL findings requires that you enable the public bucket remediation for playbooks.

Enable public bucket remediation for playbooks

After the Security Health Analytics (SHA) detector identifies the Cloud Storage buckets that are publicly accessible and generates the PUBLIC_BUCKET_ACL findings, Security Command Center Enterprise ingests the findings and attaches playbooks to them. To enable the public bucket remediation for posture findings playbooks, you need to create a custom IAM role, configure a specific permission for it, and grant the custom role that you've created to an existing principal.

Before you begin

A configured and running instance of the Cloud Storage integration is required to remediate the public bucket access. To validate the integration configuration, see Update the Enterprise use case.

Create a custom IAM role

To create a custom IAM role and configure a specific permission for it, complete the following steps:

  1. In the Google Cloud console, go to the IAM Roles page.

  2. Click Create role to create a custom role with permissions required for the integration.

  3. For a new custom role, provide the Title, Description, and a unique ID.

  4. Set the Role Launch Stage to General Availability.

  5. Add the following permission to the created role:

    resourcemanager.organizations.setIamPolicy
    
  6. Click Create.

Grant a custom role to an existing principal

The resourcemanager.organizations.setIamPolicy permission lets its holder rewrite the IAM policy of the whole organization: after you grant your new custom role to a principal, that principal can change permissions for any user in your organization. Grant the role only to the Workload Identity principal that the Cloud Storage integration uses, and to no other user or service account.

To grant the custom role to an existing principal, complete the following steps:

  1. In the Google Cloud console, go to the IAM page.

  2. In the Filter field, paste the Workload Identity Email value that you use for the Cloud Storage integration and search for the existing principal.

  3. Click Edit principal. The Edit access to "PROJECT" dialog opens.

  4. Under Assign roles, click Add another role.

  5. Select the custom role that you've created and click Save.
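The two procedures above can also be carried out with the gcloud CLI, and because the permission involved is so broad it is worth checking afterwards that the role has not been bound to anyone other than the integration's service account. The following is an added example, not code from the Security Command Center documentation or the Google Cloud integration: it builds the gcloud commands that correspond to the console steps (custom role at organization level with the single permission, launch stage GA, then a binding to the Workload Identity principal) and audits an organization IAM policy for unexpected holders of that role. ORG_ID, ROLE_ID, the service account email and the sample policy are constructed placeholders; creating the role at the organization level is an assumption consistent with the organization-scoped permission.

```python
"""Added example (not part of the Security Command Center documentation):
gcloud equivalents of the console steps above, plus a least-privilege check
on the resulting organization IAM policy.

Assumptions (placeholders, not values from the page):
  ORG_ID         - numeric organization ID
  ROLE_ID        - ID chosen for the custom role
  INTEGRATION_SA - the Workload Identity email used by the Cloud Storage integration
"""
import json
import subprocess
from typing import Dict, List

PERMISSION = "resourcemanager.organizations.setIamPolicy"  # the permission named on the page


def create_role_cmd(org_id: str, role_id: str) -> List[str]:
    """argv for creating the organization-level custom role (one permission, stage GA)."""
    return [
        "gcloud", "iam", "roles", "create", role_id,
        f"--organization={org_id}",
        "--title=Public bucket remediation",
        "--description=Lets SCC posture playbooks remediate PUBLIC_BUCKET_ACL findings",
        f"--permissions={PERMISSION}",
        "--stage=GA",
    ]


def bind_role_cmd(org_id: str, role_id: str, sa_email: str) -> List[str]:
    """argv for granting the custom role to the integration's service account only."""
    return [
        "gcloud", "organizations", "add-iam-policy-binding", org_id,
        f"--member=serviceAccount:{sa_email}",
        f"--role=organizations/{org_id}/roles/{role_id}",
    ]


def unexpected_holders(policy: Dict, role: str, allowed: List[str]) -> List[str]:
    """Return members bound to `role` that are not in `allowed`, sorted.

    `policy` has the shape printed by
    `gcloud organizations get-iam-policy ORG_ID --format=json`:
    {"bindings": [{"role": ..., "members": [...]}, ...]}.
    A non-empty result means the setIamPolicy-bearing role has spread beyond
    the integration's service account and should be reviewed.
    """
    allowed_set = set(allowed)
    found = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        for member in binding.get("members", []):
            if member not in allowed_set:
                found.append(member)
    return sorted(found)


def fetch_org_policy(org_id: str) -> Dict:
    """Live variant: read the organization policy with gcloud (needs credentials)."""
    out = subprocess.run(
        ["gcloud", "organizations", "get-iam-policy", org_id, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample policy for an offline run; the second member of the
# custom-role binding is the kind of drift the check is meant to surface.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {
            "role": "organizations/123456789012/roles/publicBucketRemediation",
            "members": [
                "serviceAccount:INTEGRATION_SA@example-project.iam.gserviceaccount.com",
                "user:bob@example.com",
            ],
        },
    ]
}

if __name__ == "__main__":
    org, role_id = "123456789012", "publicBucketRemediation"
    sa = "INTEGRATION_SA@example-project.iam.gserviceaccount.com"
    print(" ".join(create_role_cmd(org, role_id)))
    print(" ".join(bind_role_cmd(org, role_id, sa)))
    role_name = f"organizations/{org}/roles/{role_id}"
    extra = unexpected_holders(SAMPLE_POLICY, role_name, [f"serviceAccount:{sa}"])
    print("unexpected holders:", extra)  # ['user:bob@example.com']
```

Replace `SAMPLE_POLICY` with `fetch_org_policy(ORG_ID)` to run the check against a real organization; an empty result from `unexpected_holders` is the state the procedure above is meant to leave you in.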