This document explains how to work with Security Command Center resources when data residency is enabled. You can only enable data residency for Security Command Center when you activate the Standard or Premium service tier for an organization.
Resources with data residency controls
The following Security Command Center resource types are subject to data residency controls:
- All Model Armor resources
- BigQuery export configurations
- Continuous export configurations
- Findings
- Mute rule configurations
To work with these resources programmatically or on the command line, you must use the regional endpoints for the Security Command Center API. To work with these resources in the Google Cloud console, you must use the jurisdictional Google Cloud console.
For all other resource types, use the default API endpoints and the Google Cloud console.
About regional endpoints
Regional endpoints provide access to resources in a specific location. When you use a regional endpoint, your request is routed directly to the endpoint's location. You can't use a regional endpoint to access resources in other locations.
Using a regional endpoint helps you enforce data residency controls for your resources when they're at rest, in use, and in transit.
Security Command Center includes multiple services. For resource types that are subject to data residency controls, the following services require you to use regional endpoints:
- Model Armor API: modelarmor.LOCATION.rep.googleapis.com
- Security Command Center API: securitycenter.LOCATION.rep.googleapis.com
Replace LOCATION with a supported location for the service.
For all other resource types, you must use the default endpoint.
About the jurisdictional Google Cloud console
The jurisdictional Google Cloud console lets you enable data residency when you activate the Standard or Premium service tier of Security Command Center. It also provides access to resources in a specific location.
Using the jurisdictional Google Cloud console helps you enforce data residency controls for your resources when they're at rest, in use, and in transit.
You can use the jurisdictional Google Cloud console to access only resource types that are subject to data residency controls. To open the console, use the appropriate URL for your location:
- European Union
  - Federated identity users: console.eu.cloud.google
  - All other users: console.eu.cloud.google.com
- Kingdom of Saudi Arabia (KSA)
  - Federated identity users: console.sa.cloud.google
  - All other users: console.sa.cloud.google.com
- United States
  - Federated identity users: console.us.cloud.google
  - All other users: console.us.cloud.google.com
For all other resource types, you must use the standard Google Cloud console.
Locations for regional endpoints
This section lists the locations where regional endpoints are available for the Security Command Center API and related services.
Locations for the Security Command Center API
The Security Command Center API provides regional and multi-region endpoints in the following locations:
- European Union: eu
- Kingdom of Saudi Arabia (KSA): me-central2
- United States: us
Locations for the Model Armor API
The Model Armor API provides regional endpoints in the following locations:
- European Union
  - europe-west4: Netherlands (Low CO2)
- United States
  - us-central1: Iowa (Low CO2)
  - us-east1: South Carolina
  - us-east4: Northern Virginia
  - us-west1: Oregon (Low CO2)
The Model Armor API provides multi-region endpoints in the following locations:
- European Union: eu
- United States: us
Tools for regional endpoints
To manage resource types that are subject to data residency controls, you must specify a regional endpoint when you create a client or run a command.
For all other resource types, you must use the default endpoint.
gcloud
The following gcloud CLI command groups require you to use a regional endpoint:
- gcloud model-armor: manages Model Armor resources
- gcloud scc bqexports: manages BigQuery export configurations
- gcloud scc findings: manages findings
- gcloud scc muteconfigs: manages mute rule configurations
- gcloud scc notifications: manages continuous export configurations
For all other gcloud scc command groups, you must use the default endpoint for the Security Command Center API.
Change the service endpoint
To switch to a regional endpoint, run the following command:
gcloud config set api_endpoint_overrides/SERVICE \
    https://SERVICE.LOCATION.rep.googleapis.com/
To switch to the default endpoint, run the following command:
gcloud config unset api_endpoint_overrides/SERVICE
Replace the following:
- SERVICE: the service to configure; use modelarmor for the Model Armor API or securitycenter for the Security Command Center API
- LOCATION: a supported location for the service
Optionally, you can create a named configuration for the gcloud CLI that uses the regional endpoint. Before you run a gcloud CLI command, you can switch to the named configuration by running the gcloud config configurations activate command.
Run a gcloud CLI command
When you run a gcloud CLI command for the Security Command Center API, you must always specify the location. There are a few ways to do this:
- Use the --location flag.
- If you provide the full path of the resource name, use a format that specifies a location, like projects/123/sources/456/locations/LOCATION/findings/a1b2c3.
The following example shows how to use the --location flag.
The gcloud scc findings list command lists an organization's findings in a specific location.
Before using any of the command data below, make the following replacements:
- ORGANIZATION_ID: the numeric ID of the organization
- LOCATION: a supported location for the Security Command Center API
Execute the gcloud scc findings list command (the same command applies on Linux, macOS, Cloud Shell, Windows PowerShell, and Windows cmd.exe):
gcloud scc findings list ORGANIZATION_ID --location=LOCATION
The response contains a list of findings.
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands. For more information, see the Terraform provider reference documentation.
Go
Use one of the following regional endpoints:
- modelarmor.LOCATION.rep.googleapis.com:443
- securitycenter.LOCATION.rep.googleapis.com:443
Replace LOCATION with a supported location for the service.
The following code sample shows how to create a Security Command Center API client that uses a regional endpoint.
Java
Use one of the following regional endpoints:
- modelarmor.LOCATION.rep.googleapis.com:443
- securitycenter.LOCATION.rep.googleapis.com:443
Replace LOCATION with a supported location for the service.
The following code sample shows how to create a Security Command Center API client that uses a regional endpoint.
Python
Use one of the following regional endpoints:
- modelarmor.LOCATION.rep.googleapis.com
- securitycenter.LOCATION.rep.googleapis.com
Replace LOCATION with a supported location for the service.
The following code sample shows how to create a Security Command Center API client that uses a regional endpoint.
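The helper below is an added example, not a code sample from this page or from the Google Cloud client libraries. It builds the regional endpoint name for a service, restricts it to the locations listed on this page, and derives the endpoint from a full resource name (the locations/LOCATION path segment described in the gcloud section above), so that a request for a resource in one location is never sent to another location's endpoint. The client_options dict it returns uses the api_endpoint key that the Python client accepts; wiring it into a real client is left to the caller.

```python
"""Regional-endpoint guardrail for Security Command Center resources.

Added example, not the page's own sample. SUPPORTED_LOCATIONS mirrors the
locations listed on this page; it is not fetched from the service.
"""
import re

# Locations for which this page lists regional or multi-region endpoints.
SUPPORTED_LOCATIONS = {
    "securitycenter": {"eu", "me-central2", "us"},
    "modelarmor": {"eu", "us", "europe-west4", "us-central1",
                   "us-east1", "us-east4", "us-west1"},
}

# Matches the locations/LOCATION segment of a full resource name such as
# projects/123/sources/456/locations/eu/findings/a1b2c3
_LOCATION_IN_NAME = re.compile(r"(?:^|/)locations/([^/]+)(?:/|$)")


def regional_endpoint(service: str, location: str) -> str:
    """Return SERVICE.LOCATION.rep.googleapis.com, rejecting unknown inputs."""
    if service not in SUPPORTED_LOCATIONS:
        raise ValueError(f"unknown service: {service!r}")
    if location not in SUPPORTED_LOCATIONS[service]:
        raise ValueError(f"{location!r} is not a supported location for {service}")
    return f"{service}.{location}.rep.googleapis.com"


def location_from_resource_name(name: str) -> str:
    """Extract LOCATION from a full resource name; fail if it has none."""
    match = _LOCATION_IN_NAME.search(name)
    if match is None:
        raise ValueError(f"resource name has no locations/ segment: {name!r}")
    return match.group(1)


def client_options_for(name: str) -> dict:
    """Derive client_options for a Security Command Center resource so the
    client is pinned to the endpoint of the resource's own location."""
    location = location_from_resource_name(name)
    return {"api_endpoint": regional_endpoint("securitycenter", location)}


def endpoint_matches_resource(endpoint: str, name: str) -> bool:
    """True only when the endpoint location equals the resource location."""
    expected = regional_endpoint("securitycenter", location_from_resource_name(name))
    return endpoint == expected
```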
REST
To access the following REST API resource types, you must use a regional service endpoint:
Model Armor API
Endpoint: https://modelarmor.LOCATION.rep.googleapis.com
Replace LOCATION with a supported location for the service.
Resource types: All resource types
Security Command Center API
Endpoint: https://securitycenter.LOCATION.rep.googleapis.com
Replace LOCATION with a supported location for the service.
Resource types:
- folders.locations.bigQueryExports
- folders.locations.findings
- folders.locations.muteConfigs
- folders.locations.notificationConfigs
- organizations.locations.bigQueryExports
- organizations.locations.findings
- organizations.locations.muteConfigs
- organizations.locations.notificationConfigs
- projects.locations.bigQueryExports
- projects.locations.findings
- projects.locations.muteConfigs
- projects.locations.notificationConfigs
For all other resource types, you must use the default endpoint.