Update AWS connection settings

After you connect Security Command Center to Amazon Web Services (AWS) for configuration and resource data collection, you can modify the connection settings.

Before you begin

Complete the following tasks before you start the remaining tasks on this page.

Set up permissions in Google Cloud

To get the permissions that you need to use the AWS connector, ask your administrator to grant you the Cloud Asset Owner (roles/cloudasset.owner) IAM role. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create AWS accounts

Ensure that you have the following AWS resources:

Modify the AWS connection

Modify an existing AWS connection when your AWS environment configuration changes, for example, when you want to monitor different AWS regions or change the list of AWS accounts that Security Command Center uses. You can't modify the names of the delegated role and the collector role. If you need to change these role names, you must delete your AWS connector and set up a new connection.

  1. In the Google Cloud console, go to the Security Command Center page.

    Go to Security Command Center

  2. Select the organization that you activated Security Command Center Enterprise on.

  3. Click Settings.

  4. Click the Connectors tab.

  5. Click Edit beside the connection that you want to update.

  6. In the Edit Amazon Web Services connector page, make your changes. The following table describes the options.

    | Option | Description |
    | --- | --- |
    | Add AWS connector accounts | Select the Add accounts automatically (recommended) field to let Security Command Center discover the AWS accounts automatically, or select Add accounts individually and provide a list of AWS accounts that Security Command Center can use to find resources. |
    | Exclude AWS connector accounts | If you selected the Add accounts individually field under the Add AWS connector accounts section, provide a list of AWS accounts that Security Command Center should not use to find resources. |
    | Select regions to collect data | Select one or more AWS regions for Security Command Center to collect data from. Leave the AWS regions field empty to collect data from all regions. |
    | Maximum queries per second (QPS) for AWS services | You can change the QPS to control the quota limit for Security Command Center. Set the override to a value that is less than the default value for that service and greater than or equal to 1. The default value is the maximum value. If you change the QPS, Security Command Center might encounter issues fetching data. Therefore, we don't recommend changing this value. |
    | Endpoint for AWS Security Token Service | You can specify a specific endpoint for the AWS Security Token Service (for example, https://sts.us-east-2.amazonaws.com). Leave the AWS Security Token Service field empty to use the default global endpoint (https://sts.amazonaws.com). |
  7. If you changed the delegated account ID or the list of AWS accounts to include or exclude, you must update your AWS environment. A change to the delegated account ID requires that you set up your AWS configuration again. A change to the list of AWS accounts requires that you add or remove collector roles. Removing AWS accounts from the exclude list because you want to include them requires that you add the collector roles to those accounts. Complete the following:

    1. Click Continue.
    2. In the Create connection with AWS page, complete one of the following:

  8. If you added an AWS account to the list of AWS accounts to exclude, we recommend that you remove the collector role from the account.

  9. Click Test connector to verify that Security Command Center can connect to your AWS environment. If the connection is successful, the Google Cloud service agent can assume the delegated role and the delegated role has all the required permissions to assume the collector role. If the connection isn't successful, see Troubleshooting errors when testing the connection.

  10. Click Save.
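The rules in the options table (QPS override between 1 and the service default, STS endpoint either empty or a regional https://sts.<region>.amazonaws.com URL) and the collector-role bookkeeping in steps 7 and 8 are easy to get wrong by hand when an edit touches several accounts at once. The following script is an added example, not Google Cloud or AWS code, that checks a planned edit offline before you click Save. The default QPS values, account IDs, and discovered-account list it uses are constructed placeholders; the real defaults appear on the connector's edit page, and the region pattern for the STS endpoint is an assumption.

```python
from __future__ import annotations

import re

# Default global endpoint named on the connector's edit page.
STS_GLOBAL_ENDPOINT = "https://sts.amazonaws.com"
# Regional endpoints follow the page's example https://sts.us-east-2.amazonaws.com.
# The region pattern is an assumption covering commercial and GovCloud regions.
STS_REGIONAL_ENDPOINT = re.compile(
    r"^https://sts\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com/?$"
)
# AWS account IDs are 12 decimal digits.
ACCOUNT_ID = re.compile(r"^\d{12}$")


def check_qps_override(service: str, override: int | None,
                       defaults: dict[str, int]) -> list[str]:
    """Apply the table's rule: an override must be >= 1 and below the service default.

    Returns a list of problems; an empty list means the override is acceptable.
    """
    if override is None:
        return []  # no override: the default (maximum) value stays in effect
    if service not in defaults:
        return [f"{service}: no known default QPS, cannot validate override"]
    problems = []
    if override < 1:
        problems.append(f"{service}: override {override} is below the minimum of 1")
    if override >= defaults[service]:
        problems.append(
            f"{service}: override {override} is not below the default {defaults[service]}"
        )
    return problems


def check_sts_endpoint(endpoint: str) -> list[str]:
    """Accept an empty field (global endpoint) or a regional https STS endpoint."""
    endpoint = endpoint.strip()
    if endpoint in ("", STS_GLOBAL_ENDPOINT):
        return []
    if endpoint.startswith("http://"):
        return ["STS endpoint must use https://"]
    if not STS_REGIONAL_ENDPOINT.match(endpoint):
        return [f"{endpoint!r} is not of the form https://sts.<region>.amazonaws.com"]
    return []


def reconcile_collector_roles(include: list[str], exclude: list[str],
                              have_collector_role: list[str],
                              discovered: list[str]) -> dict[str, list[str]]:
    """Work out which accounts need the collector role added or removed after an edit.

    include:             accounts listed under 'Add accounts individually'
                         (empty means 'Add accounts automatically')
    exclude:             accounts listed under 'Exclude AWS connector accounts'
    have_collector_role: accounts where the collector role currently exists
    discovered:          accounts automatic discovery would find (constructed input)
    """
    for acct in set(include) | set(exclude) | set(have_collector_role) | set(discovered):
        if not ACCOUNT_ID.match(acct):
            raise ValueError(f"{acct!r} is not a 12-digit AWS account ID")
    candidates = set(include) if include else set(discovered)
    wanted = candidates - set(exclude)  # accounts the connector will actually use
    return {
        # Step 7: accounts now in scope but without the collector role
        "add_role": sorted(wanted - set(have_collector_role)),
        # Step 8: accounts moved to the exclude list that still carry the role
        "remove_role": sorted(set(have_collector_role) & set(exclude)),
    }


if __name__ == "__main__":
    # Constructed planned edit: hypothetical defaults and account IDs.
    defaults = {"ec2": 10, "s3": 20}
    for svc, val in {"ec2": 5, "s3": 20}.items():
        print(svc, check_qps_override(svc, val, defaults) or "ok")
    print(check_sts_endpoint("https://sts.us-east-2.amazonaws.com") or "endpoint ok")
    print(reconcile_collector_roles(
        include=["111111111111", "222222222222", "333333333333"],
        exclude=["333333333333"],
        have_collector_role=["111111111111", "333333333333"],
        discovered=[],
    ))
```

Run the script after filling in the values you intend to enter; `add_role` lists the accounts that need a collector role before Test connector (step 9) can succeed, and `remove_role` lists the excluded accounts where the page recommends removing it.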

What's next