Security Command Center regional endpoints

This document explains how to work with Security Command Center resources when data residency is enabled. You can only enable data residency for Security Command Center when you activate the Standard or Premium service tier for an organization.

Resources with data residency controls

The following Security Command Center resource types are subject to data residency controls:

To work with these resources programmatically or on the command line, you must use the regional endpoints for the Security Command Center API. To work with these resources in the Google Cloud console, you must use the jurisdictional Google Cloud console.

For all other resource types, use the default API endpoints and the Google Cloud console.

About regional endpoints

Regional endpoints provide access to resources in a specific location. When you use a regional endpoint, your request is routed directly to the endpoint's location. You can't use a regional endpoint to access resources in other locations.

Using a regional endpoint helps you enforce data residency controls for your resources when they're at rest, in use, and in transit.

Security Command Center includes multiple services. For resource types that are subject to data residency controls, the following services require you to use regional endpoints:

  • Model Armor API: modelarmor.LOCATION.rep.googleapis.com
  • Security Command Center API: securitycenter.LOCATION.rep.googleapis.com

Replace LOCATION with a supported location for the service.

For all other resource types, you must use the default endpoint.

About the jurisdictional Google Cloud console

The jurisdictional Google Cloud console lets you enable data residency when you activate the Standard or Premium service tier of Security Command Center. It also provides access to resources in a specific location.

Using the jurisdictional Google Cloud console helps you enforce data residency controls for your resources when they're at rest, in use, and in transit.

You can use the jurisdictional Google Cloud console to access only resource types that are subject to data residency controls. To open the console, use the appropriate URL for your location:

  • European Union: console.eu.cloud.google (federated identity users) or console.eu.cloud.google.com (all other users)
  • Kingdom of Saudi Arabia (KSA): console.sa.cloud.google (federated identity users) or console.sa.cloud.google.com (all other users)
  • United States: console.us.cloud.google (federated identity users) or console.us.cloud.google.com (all other users)

For all other resource types, you must use the standard Google Cloud console.

Locations for regional endpoints

This section lists the locations where regional endpoints are available for the Security Command Center API and related services.

Locations for the Security Command Center API

The Security Command Center API provides regional and multi-region endpoints in the following locations:

  • European Union: eu
  • Kingdom of Saudi Arabia (KSA): me-central2
  • United States: us

Locations for the Model Armor API

The Model Armor API provides regional endpoints in the following locations:

  • European Union: europe-west4 (Netherlands, Low CO2)
  • United States: us-central1 (Iowa, Low CO2), us-east1 (South Carolina), us-east4 (Northern Virginia), us-west1 (Oregon, Low CO2)

The Model Armor API provides multi-region endpoints in the following locations:

  • European Union: eu
  • United States: us

Tools for regional endpoints

To manage resource types that are subject to data residency controls, you must specify a regional endpoint when you create a client or run a command.

For all other resource types, you must use the default endpoint.

gcloud

The following gcloud CLI command groups require you to use a regional endpoint:

For all other gcloud scc command groups, you must use the default endpoint for the Security Command Center API.

Change the service endpoint

To switch to a regional endpoint, run the following command:

gcloud config set api_endpoint_overrides/SERVICE \
    https://SERVICE.LOCATION.rep.googleapis.com/

To switch to the default endpoint, run the following command:

gcloud config unset api_endpoint_overrides/SERVICE

Replace the following:

  • SERVICE: the service to configure; use modelarmor for the Model Armor API or securitycenter for the Security Command Center API
  • LOCATION: a supported location for the service

Optionally, you can create a named configuration for the gcloud CLI that uses the regional endpoint. Before you run a gcloud CLI command, you can switch to the named configuration by running the gcloud config configurations activate command.

Run a gcloud CLI command

When you run a gcloud CLI command for the Security Command Center API, you must always specify the location. There are a few ways to do this:

  • Use the --location flag.
  • If you provide the full path of the resource name, use a format that specifies a location, like projects/123/sources/456/locations/LOCATION/findings/a1b2c3.

The following example shows how to use the --location flag.

The gcloud scc findings list command lists an organization's findings in a specific location.

Before using any of the command data below, make the following replacements:

  • ORGANIZATION_ID: the numeric ID of the organization
  • LOCATION: a supported location for the Security Command Center API

Execute the gcloud scc findings list command:

Linux, macOS, or Cloud Shell

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

Windows (PowerShell)

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

Windows (cmd.exe)

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

The response contains a list of findings.

Terraform

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands. For more information, see the Terraform provider reference documentation.

provider "google" {
  alias                              = "securitycenter_v2_endpoint_us"
  security_center_v2_custom_endpoint = "https://securitycenter.us.rep.googleapis.com/v2/"
}

Go

Use one of the following regional endpoints:

  • Model Armor API: modelarmor.LOCATION.rep.googleapis.com:443
  • Security Command Center API: securitycenter.LOCATION.rep.googleapis.com:443

Replace LOCATION with a supported location for the service.

The following code sample shows how to create a Security Command Center API client that uses a regional endpoint.

import (
	"context"
	"fmt"

	securitycenter "cloud.google.com/go/securitycenter/apiv2"
	"google.golang.org/api/option"
)

// createClientWithEndpoint creates a Security Command Center client for a
// regional endpoint.
func createClientWithEndpoint(repLocation string) error {
	// Assemble the regional endpoint URL using provided location.
	repEndpoint := fmt.Sprintf("securitycenter.%s.rep.googleapis.com:443", repLocation)
	// Instantiate client for regional endpoint. Use this client to access resources that
	// are subject to data residency controls, and that are located in the region
	// specified in repLocation.
	repCtx := context.Background()
	repClient, err := securitycenter.NewClient(repCtx, option.WithEndpoint(repEndpoint))
	if err != nil {
		return err
	}
	defer repClient.Close()

	return nil
}

Java

Use one of the following regional endpoints:

  • Model Armor API: modelarmor.LOCATION.rep.googleapis.com:443
  • Security Command Center API: securitycenter.LOCATION.rep.googleapis.com:443

Replace LOCATION with a supported location for the service.

The following code sample shows how to create a Security Command Center API client that uses a regional endpoint.

import com.google.cloud.securitycenter.v2.SecurityCenterClient;
import com.google.cloud.securitycenter.v2.SecurityCenterSettings;
import java.io.IOException;

public class CreateClientWithEndpoint {

  public static void main(String[] args) throws IOException {
    // TODO: Replace the value with the endpoint for the region in which your
    // Security Command Center data resides.
    String regionalEndpoint = "securitycenter.me-central2.rep.googleapis.com:443";
    SecurityCenterClient client = createClientWithEndpoint(regionalEndpoint);
    System.out.println("Client initiated with endpoint: " + client.getSettings().getEndpoint());
  }

  // Creates Security Command Center client for a regional endpoint.
  public static SecurityCenterClient createClientWithEndpoint(String regionalEndpoint)
      throws java.io.IOException {
    SecurityCenterSettings regionalSettings =
        SecurityCenterSettings.newBuilder().setEndpoint(regionalEndpoint).build();
    return SecurityCenterClient.create(regionalSettings);
  }
}

Python

Use one of the following regional endpoints:

  • Model Armor API: modelarmor.LOCATION.rep.googleapis.com
  • Security Command Center API: securitycenter.LOCATION.rep.googleapis.com

Replace LOCATION with a supported location for the service.

The following code sample shows how to create a Security Command Center API client that uses a regional endpoint.

from google.cloud import securitycenter_v2


def create_client_with_endpoint(api_endpoint) -> securitycenter_v2.SecurityCenterClient:
    """
    Creates a Security Command Center client for a regional endpoint.
    Args:
        api_endpoint: the regional endpoint's hostname, like 'securitycenter.REGION.rep.googleapis.com'
    Returns:
        securitycenter_v2.SecurityCenterClient: returns a client for the regional endpoint
    """
    regional_client = securitycenter_v2.SecurityCenterClient(
        client_options={"api_endpoint": api_endpoint}
    )
    print(
        "Regional client initiated with endpoint: {}".format(
            regional_client.api_endpoint
        )
    )
    return regional_client
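
The same (service, location) pair drives every endpoint form on this page: the host:443 string the Go and Java samples use, the bare hostname the Python client_options dict takes, the https:// URL the REST section and the gcloud api_endpoint_overrides setting use. The following is an added example, not code from this page or from Google's client libraries, that derives all of those forms from one place, refuses locations the page does not list for the service, and checks that a full resource name (the projects/123/sources/456/locations/LOCATION/findings/a1b2c3 format from "Run a gcloud CLI command") names the same location the client is pinned to, since a regional endpoint cannot reach resources in other locations. The supported-location sets are copied from the location tables above; the function names and the mismatch check are this example's own assumptions, and it runs offline without any Google Cloud library.

```python
"""Added example: derive regional endpoint forms for the Security Command Center
and Model Armor APIs and check a resource name's location against the endpoint.
Not code from the page or from Google's libraries; function names are this
example's own. Location tables are copied from the page."""
import re
from typing import Optional

# Supported locations per service, as listed under "Locations for regional endpoints".
SUPPORTED_LOCATIONS = {
    "securitycenter": {"eu", "me-central2", "us"},
    "modelarmor": {"eu", "us", "europe-west4",
                   "us-central1", "us-east1", "us-east4", "us-west1"},
}


def is_supported(service: str, location: str) -> bool:
    """True when the page lists `location` as a regional endpoint for `service`."""
    return location in SUPPORTED_LOCATIONS.get(service, set())


def regional_host(service: str, location: str) -> str:
    """Hostname of the regional endpoint, e.g. securitycenter.us.rep.googleapis.com.

    Raises ValueError instead of silently building a hostname for an unsupported
    location, so a typo cannot point a client at an endpoint that does not exist."""
    if service not in SUPPORTED_LOCATIONS:
        raise ValueError(f"unknown service {service!r}; use 'securitycenter' or 'modelarmor'")
    if not is_supported(service, location):
        raise ValueError(f"{location!r} is not a supported location for {service}")
    return f"{service}.{location}.rep.googleapis.com"


def grpc_endpoint(service: str, location: str) -> str:
    """host:443 form, as the Go and Java samples on this page use."""
    return regional_host(service, location) + ":443"


def rest_endpoint(service: str, location: str) -> str:
    """https:// form, as the REST section on this page uses."""
    return "https://" + regional_host(service, location)


def python_client_options(service: str, location: str) -> dict:
    """The client_options dict the Python sample above passes to SecurityCenterClient."""
    return {"api_endpoint": regional_host(service, location)}


def gcloud_override_command(service: str, location: str) -> str:
    """The `gcloud config set api_endpoint_overrides/...` command with placeholders filled in."""
    return (f"gcloud config set api_endpoint_overrides/{service} "
            f"https://{regional_host(service, location)}/")


# Matches the `locations/LOCATION` segment of a full resource name, e.g.
# projects/123/sources/456/locations/us/findings/a1b2c3
_LOCATION_SEGMENT = re.compile(r"(?:^|/)locations/([a-z0-9-]+)(?:/|$)")


def resource_location(resource_name: str) -> Optional[str]:
    """Location named in a full resource name, or None when the name has none."""
    match = _LOCATION_SEGMENT.search(resource_name)
    return match.group(1) if match else None


def location_mismatch(resource_name: str, pinned_location: str) -> Optional[str]:
    """None when the resource is reachable through an endpoint pinned to
    `pinned_location`; otherwise a message saying why the request would fail.

    A regional endpoint cannot access resources in other locations, so a mismatch
    is a configuration error to fix before sending the request, not something to retry."""
    found = resource_location(resource_name)
    if found is None:
        return f"{resource_name!r} has no locations/ segment; regional endpoints require one"
    if found != pinned_location:
        return f"{resource_name!r} is in {found!r} but the client is pinned to {pinned_location!r}"
    return None


if __name__ == "__main__":
    # Constructed sample values; 123/456/a1b2c3 mirror the placeholder name on this page.
    for service, location in (("securitycenter", "us"), ("modelarmor", "europe-west4")):
        print(grpc_endpoint(service, location), rest_endpoint(service, location))
    print(gcloud_override_command("securitycenter", "me-central2"))
    print(location_mismatch("projects/123/sources/456/locations/us/findings/a1b2c3", "us"))
    print(location_mismatch("projects/123/sources/456/locations/eu/findings/a1b2c3", "us"))
```

Calling location_mismatch before each request, with the location the client was built for, turns a residency violation into a local error instead of a failed call; regional_host refusing unlisted locations does the same for the endpoint itself.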

REST

To access the following REST API resource types, you must use a regional service endpoint:

Model Armor API

Endpoint: https://modelarmor.LOCATION.rep.googleapis.com

Replace LOCATION with a supported location for the service.

Resource types: All resource types

Security Command Center API

Endpoint: https://securitycenter.LOCATION.rep.googleapis.com

Replace LOCATION with a supported location for the service.

Resource types:

For all other resource types, you must use the default endpoint.