This page describes how you can configure and use the security posture service after you activate Security Command Center. To start, you must create a posture that includes your policies, organized in policy sets, and then deploy the posture using a posture deployment. After a posture is deployed, you can monitor for drift and further refine your posture over time.
Before you begin
Complete these tasks before you complete the remaining tasks on this page.
Activate the Security Command Center Premium or Enterprise tier
Verify that the Security Command Center Premium tier or Enterprise tier is activated at the organization level.
If you want to use Security Health Analytics detectors as policies, select the Security Health Analytics service during the activation process.
Set up permissions
To get the permissions that you need to use posture, ask your administrator to grant you the Security Posture Admin (roles/securityposture.admin) IAM role.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
For more information about security posture roles and security posture permissions, see IAM for organization-level activations.
Set up Google Cloud CLI
You must use Google Cloud CLI version 461.0.0 or later.
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To set up the gcloud CLI to use service account impersonation to authenticate to Google APIs, rather than your user credentials, run the following command:
gcloud config set auth/impersonate_service_account SERVICE_ACCT_EMAIL
For more information, see Service account impersonation.
Enable APIs
Enable the Organization Policy Service and the security posture service APIs:
gcloud services enable orgpolicy.googleapis.com securityposture.googleapis.com
Configure connection to AWS
To use built-in Security Health Analytics detectors that are specific to AWS, you must activate Security Command Center Enterprise and connect to AWS for vulnerability detection.
Create and deploy a posture
To start using a security posture, you must complete the following:
- Create a posture YAML file that defines the policies that apply to your security posture.
- Create a posture in Google Cloud that is based on the posture YAML file.
- Deploy the posture.
The following sections provide detailed instructions.
Create a posture YAML file
A posture consists of one or more policy sets that you deploy together. These policy sets include all the preventative and detective policies that you want to include in your posture.
To create your posture, do one of the following:
- Copy a predefined posture template. If required, make any edits to the policies so that they apply to your environment and comply with your business's regulatory and security standards. For instructions, see Create a posture file from a predefined posture template.
- Extract existing policies from your environment. If required, make any edits to the policies so that they comply with your business's regulatory and security standards. For instructions, see Create a posture file by extracting policies from an existing environment.
- Create a Terraform resource that defines the posture. For instructions, see Create a Terraform resource with policy definitions.
For details about the fields that you can use in a posture, see the Posture reference and the PolicySet reference.
Create a posture file from a predefined posture template
You can use a predefined posture template to create a posture file.
Console
In the Google Cloud console, go to the Posture Management page.
Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.
In the Templates tab, click the template that you want to use.
In the Template details page, click Create Posture.
Provide a unique name for the posture and click Create. The Posture details page opens.
Complete one of the following actions:
- If you can use the posture without making any changes (for example, you used one of the _essentials templates), you can deploy the posture. For instructions, see Deploy a posture.
- If you need to modify any of the policy sets or policies (for example, you used one of the _enhanced templates), complete Modify a posture YAML file and set the posture state to ACTIVE.
gcloud
- Review the predefined posture templates to determine which ones apply to your environment. You can apply some of them without making any changes, but others require you to customize the policies to match your environment.
Use one of the following methods to copy the YAML files into your own text editor:
- Copy the YAML file from the reference content in predefined posture templates.
- Run the gcloud scc posture-templates describe command to copy the YAML file.
gcloud scc posture-templates describe \
  organizations/ORGANIZATION_ID/locations/LOCATION/postureTemplates/POSTURE_TEMPLATE \
  --revision-id=REVISION_ID
Replace the following values:
- ORGANIZATION_ID is the organization where you activated the Security Command Center Premium or Enterprise tier.
- LOCATION is the location where you want to deploy and store the posture. The only supported location is global.
- POSTURE_TEMPLATE is the template name of the predefined posture, as described in Predefined posture templates.
- REVISION_ID is the revision version for the predefined posture. If you don't include the revision ID, the latest version of the predefined posture is displayed.
For example, to view the secure AI, essentials predefined posture under the 3589215982 organization, run the following:
gcloud scc posture-templates describe \
  organizations/3589215982/locations/global/postureTemplates/secure_ai_essential \
  --revision-id=v.1.0
Complete one of the following actions:
- If you can use the posture without making any changes (for example, you used one of the _essentials templates), you can create the posture. For instructions, see Create a posture.
- If you need to modify any of the policy sets or policies, complete Modify a posture YAML file.
Create a posture file by extracting policies from an existing environment
You can extract the policies (organization policies, including custom policies and all Security Health Analytics detectors, including custom detectors) that you configured in an existing project, folder, or organization to create a posture file. You can't extract policies from an organization, folder, or project that already has a posture applied to it.
This command extracts only the policies that you previously configured for the organization, folder, or project; it doesn't extract policies from parent folders or the parent organization.
If you connected Security Command Center Enterprise to AWS, this command also extracts the detectors that are specific to AWS (Preview).
Run the gcloud scc postures extract command to extract the existing organization policies and Security Health Analytics detectors in your environment.
gcloud scc postures extract POSTURE_NAME \
  --workload=WORKLOAD
Replace the following values:
- POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/global/postures/POSTURE_ID.
- POSTURE_ID is an alphanumeric name for your posture that is unique to your organization. POSTURE_ID is limited to 63 characters.
- WORKLOAD is the project, folder, or organization that you are extracting the policies from. The workload is one of the following: projects/PROJECT_NUMBER, folders/FOLDER_ID, or organizations/ORGANIZATION_ID.
For example, to extract policies from the 3589215982 folder under the 6589215984 organization and write them to posture.yaml, run the following:
gcloud scc postures extract \
  organizations/6589215984/locations/global/postures/myStagingPosture \
  --workload=folders/3589215982 > posture.yaml
Open the resulting posture.yaml file for editing. Complete one of the following actions:
- If you can use the posture without making any changes (for example, you used one of the _essentials templates), you can create the posture. For instructions, see Create a posture.
- If you need to modify any of the policy sets or policies, complete Modify a posture YAML file.
Create a Terraform resource with policy definitions
You can create a Terraform configuration to create a posture resource.
For example, you can create a posture resource that includes built-in and custom organization policy constraints and built-in and custom Security Health Analytics detectors. Posture management support for built-in Security Health Analytics detectors that are specific to AWS is in Preview.
resource "google_securityposture_posture" "posture_example" {
  posture_id  = "<POSTURE_ID>"
  parent      = "organizations/<ORGANIZATION_ID>"
  location    = "global"
  state       = "ACTIVE"
  description = "a new posture"

  # Policy set 1: built-in organization policy constraints.
  policy_sets {
    policy_set_id = "org_policy_set"
    description   = "set of org policies"

    policies {
      policy_id = "canned_org_policy"
      constraint {
        org_policy_constraint {
          canned_constraint_id = "storage.uniformBucketLevelAccess"
          policy_rules {
            enforce = true
          }
        }
      }
    }

    policies {
      policy_id = "canned_org_policy_for_service"
      constraint {
        org_policy_constraint {
          canned_constraint_id = "run.allowedVPCEgress"
          policy_rules {
            allow_all = true
            condition {
              expression = "!(parameters.denyAll or resource.location in parameters.deniedLocations) && (parameters.allowAll or resource.location in parameters.allowedLocations)"
            }
            parameters {
              fields {
                key = "denyAll"
                value {
                  bool_value = false
                }
              }
              fields {
                key = "allowAll"
                value {
                  bool_value = false
                }
              }
              fields {
                key = "deniedLocations"
                value {
                  null_value = "NULL_VALUE"
                }
              }
              fields {
                key = "allowedLocations"
                value {
                  string_value = "allowedLocations.all(location, location in ['US', 'EU'])"
                }
              }
            }
            resource_types {
              included = "run.googleapis.com/Service"
            }
          }
        }
      }
    }
  }

  # Policy set 2: built-in and custom Security Health Analytics detectors.
  policy_sets {
    policy_set_id = "sha_policy_set"
    description   = "set of sha policies"

    policies {
      policy_id = "sha_builtin_module"
      constraint {
        security_health_analytics_module {
          module_name             = "BIGQUERY_TABLE_CMEK_DISABLED"
          module_enablement_state = "ENABLED"
        }
      }
      description = "enable BIGQUERY_TABLE_CMEK_DISABLED"
    }

    # AWS-specific built-in detector (Preview); requires an organization-level deployment.
    policies {
      policy_id = "aws_sha_builtin_module"
      constraint {
        security_health_analytics_module {
          module_name             = "S3_BUCKET_LOGGING_ENABLED"
          module_enablement_state = "ENABLED"
        }
      }
      description = "enable S3_BUCKET_LOGGING_ENABLED"
    }

    policies {
      policy_id = "sha_custom_module"
      constraint {
        security_health_analytics_custom_module {
          display_name = "custom_SHA_policy"
          config {
            predicate {
              expression = "resource.rotationPeriod > duration('2592000s')"
            }
            custom_output {
              properties {
                name = "duration"
                value_expression {
                  expression = "resource.rotationPeriod"
                }
              }
            }
            resource_selector {
              resource_types = ["cloudkms.googleapis.com/CryptoKey"]
            }
            severity       = "LOW"
            description    = "Custom Module"
            recommendation = "Testing custom modules"
          }
          module_enablement_state = "ENABLED"
        }
      }
    }
  }
}
For more information, see google_securityposture_posture.
Modify a posture YAML file
Complete the following steps to modify a posture YAML file:
- Open your posture YAML file in a text editor.
- Verify the name, description, and state at the beginning of the file.
name: organizations/ORGANIZATION_ID/locations/global/postures/POSTURE_ID
description: DESCRIPTION
state: STATE
For details about these fields, see the Posture reference. For example:
name: organizations/3589215982/locations/global/postures/stagingAIPosture
description: This posture applies to staging environments for Vertex AI.
state: ACTIVE
- Customize the policies within the file to meet your requirements. For details about the fields that you can use, see the PolicySet reference. Review the existing policies and their values. For policies that require information that is specific to your environment, set the values appropriately. For example, for the ainotebooks.accessMode policy in the secure AI, extended predefined posture, add the allowed modes of access under policy_rules:
- policy_id: Define access mode for Vertex AI Workbench notebooks and instances
  compliance_standards:
  - standard: NIST SP 800-53
    control: AC-3(3)
  - standard: NIST SP 800-53
    control: AC-6(1)
  constraint:
    org_policy_constraint:
      canned_constraint_id: ainotebooks.accessMode
      policy_rules:
      - values:
          allowed_values:
          - service-account
  description: This list constraint defines the modes of access allowed to Vertex AI Workbench notebooks and instances where enforced. The allow or deny list can specify multiple users with the service-account mode or single-user access with the single-user mode. The access mode to be allowed or denied must be listed explicitly.
- Add additional organization policy constraints, as documented in Organization policy constraints. If you are defining a custom organization policy, ensure that the YAML file includes the custom constraint definition. You can't use a custom constraint that you created using other methods (for example, using the Google Cloud console).
For example, you might want to set the compute.trustedImageProjects constraint to define which projects can be used for image storage and disk instantiation. If you copy this example, ensure that you replace allowed_values with a suitable list of projects:
- policy_id: Define projects with trusted images.
  compliance_standards:
  - standard:
    control:
  constraint:
    org_policy_constraint:
      canned_constraint_id: compute.trustedImageProjects
      policy_rules:
      - values:
          allowed_values:
          - project1
          - project2
          - projectN
  description: This is a complete list of projects from which images can be used.
- Add additional Security Health Analytics detectors, such as those documented in Security Health Analytics findings. For example, add a Security Health Analytics detector to create a finding if a project is not using an API key for authentication:
- policy_id: API Key Exists
  constraint:
    securityHealthAnalyticsModule:
      moduleEnablementState: ENABLED
      moduleName: API_KEY_EXISTS
As another example, add a Security Health Analytics custom module to detect whether Vertex AI datasets are encrypted:
- policy_id: CMEK key is use for Vertex AI DataSet
  compliance_standards:
  - standard: NIST SP 800-53
    control: SC-12
  - standard: NIST SP 800-53
    control: SC-13
  constraint:
    security_health_analytics_custom_module:
      display_name: "vertexAIDatasetCMEKDisabled"
      config:
        customOutput: {}
        predicate:
          expression: "!has(resource.encryptionSpec)"
        resource_selector:
          resource_types:
          - aiplatform.googleapis.com/Dataset
        severity: CRITICAL
        description: "When enforced, this detector finds whether a dataset is not encrypted using CMEK."
        recommendation: "Restore the SHA module. See https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview."
      module_enablement_state: ENABLED
As another example, for Security Command Center Enterprise, add a Security Health Analytics detector that's specific to AWS (Preview):
- policy_set_id: AWS policy set
  description: Policy set containing AWS built-in SHA modules for securing S3 buckets.
  policies:
  - policy_id: S3 bucket replication enabled
    compliance_standards:
    - standard: NIST 800-53 R5
      control: SI-13(5)
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: S3_BUCKET_REPLICATION_ENABLED
    description: This control checks whether an Amazon S3 bucket has Cross-Region Replication enabled. The control fails if the bucket does not have Cross-Region Replication enabled or if Same-Region Replication is also enabled.
  - policy_id: S3 bucket logging enabled
    compliance_standards:
    - standard: NIST 800-53 R5
      control: SI-7(8)
    - standard: PCI DSS 3.2.1
      control: 10.3.1
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: S3_BUCKET_LOGGING_ENABLED
    description: AWS S3 Server Access Logging feature records access requests to storage buckets which is useful for security audits. By default, server access logging is not enabled for S3 buckets.
If you add a detector that's specific to AWS, you must deploy the posture at the organization level.
- Upload your posture file to a version-controlled source repository so that you can track the changes that you make to it over time.
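As an added example that is not part of this page or of Google's tooling, the following Python pre-flight check turns the rules stated on this page (posture name format, 63-character POSTURE_ID, valid state, no repeated policy_id within a policy set, organization-level deployment when AWS-specific detectors are included) into a script you can run over a parsed posture.yaml before creating or deploying it. The sample posture, the check_posture.py file name and the AWS_MODULES set are assumptions.

```python
"""Pre-flight checks for a Security Command Center posture YAML file.

Added example, not code from this page or from Google. validate_posture()
takes the dict that yaml.safe_load(open("posture.yaml")) returns and reports
the problems this page says the service rejects. SAMPLE_POSTURE is constructed
for illustration; AWS_MODULES lists only the AWS detectors this page names
(assumption: extend it for any other AWS detectors you enable).
"""
import re

VALID_STATES = {"DRAFT", "ACTIVE", "DEPRECATED"}
POSTURE_ID_MAX_LEN = 63
POSTURE_NAME_RE = re.compile(
    r"^organizations/\d+/locations/global/postures/(?P<posture_id>[^/]+)$")
AWS_MODULES = {"S3_BUCKET_LOGGING_ENABLED", "S3_BUCKET_REPLICATION_ENABLED"}


def builtin_module_name(policy):
    """Return the built-in SHA module a policy enables, or None.

    Posture YAML uses camelCase keys and the Terraform resource uses
    snake_case, so both spellings are accepted.
    """
    constraint = policy.get("constraint") or {}
    module = (constraint.get("securityHealthAnalyticsModule")
              or constraint.get("security_health_analytics_module") or {})
    return module.get("moduleName") or module.get("module_name")


def validate_posture(posture, target_resource=None):
    """Return the list of problems found; an empty list means all checks pass.

    target_resource is the projects/, folders/ or organizations/ resource the
    posture will be deployed to, or None to check the file on its own.
    """
    problems = []

    match = POSTURE_NAME_RE.match(posture.get("name") or "")
    if not match:
        problems.append("name must have the form organizations/ORGANIZATION_ID/"
                        "locations/global/postures/POSTURE_ID")
    elif len(match.group("posture_id")) > POSTURE_ID_MAX_LEN:
        problems.append(f"POSTURE_ID is longer than {POSTURE_ID_MAX_LEN} characters")

    state = posture.get("state")
    if state not in VALID_STATES:
        problems.append(f"state {state!r} is not one of {sorted(VALID_STATES)}")
    elif target_resource and state != "ACTIVE":
        problems.append(f"only ACTIVE revisions can be deployed; state is {state}")

    aws_modules = []
    for policy_set in posture.get("policy_sets") or []:
        set_id = policy_set.get("policy_set_id", "<unnamed>")
        seen = set()
        for policy in policy_set.get("policies") or []:
            policy_id = policy.get("policy_id")
            if not policy_id:
                problems.append(f"policy set {set_id!r} has a policy without policy_id")
                continue
            # Two policies with the same name in one policy set are rejected.
            if policy_id in seen:
                problems.append(f"policy set {set_id!r} repeats policy_id {policy_id!r}")
            seen.add(policy_id)
            module = builtin_module_name(policy)
            if module in AWS_MODULES:
                aws_modules.append(module)

    # A posture with AWS-specific detectors must be deployed at the organization level.
    if aws_modules and target_resource and not target_resource.startswith("organizations/"):
        problems.append(f"posture enables AWS detectors ({', '.join(aws_modules)}); "
                        f"deploy it at the organization level, not to {target_resource!r}")
    return problems


def sha_policy(policy_id, module_name):
    """Build a built-in Security Health Analytics policy entry in posture YAML shape."""
    return {"policy_id": policy_id,
            "constraint": {"securityHealthAnalyticsModule": {
                "moduleEnablementState": "ENABLED", "moduleName": module_name}}}


# Constructed sample: one policy set with a deliberately repeated policy_id and
# one policy set that enables an AWS-specific detector.
SAMPLE_POSTURE = {
    "name": "organizations/3589215982/locations/global/postures/stagingAIPosture",
    "description": "constructed sample posture",
    "state": "ACTIVE",
    "policy_sets": [
        {"policy_set_id": "org_policy_set",
         "policies": [
             {"policy_id": "uniform bucket access",
              "constraint": {"org_policy_constraint": {
                  "canned_constraint_id": "storage.uniformBucketLevelAccess",
                  "policy_rules": [{"enforce": True}]}}},
             sha_policy("uniform bucket access", "BIGQUERY_TABLE_CMEK_DISABLED")]},
        {"policy_set_id": "AWS policy set",
         "policies": [sha_policy("S3 bucket logging enabled", "S3_BUCKET_LOGGING_ENABLED")]},
    ],
}

if __name__ == "__main__":  # check the constructed sample against a project-level target
    for problem in validate_posture(SAMPLE_POSTURE, "projects/4589215982"):
        print("problem:", problem)
```

Run against the sample with a project target, it reports the repeated policy_id and the AWS detector that forces an organization-level deployment; with an organization target only the repeated policy_id remains.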
Create a posture
Complete this task to create a posture resource in Security Command Center that you can deploy. If you created a posture from a predefined posture template using the Google Cloud console, the posture resource is created automatically for you.
Console
In the Google Cloud console, go to the Posture Management page.
Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.
Click Create Posture. You can create a posture by starting with an existing posture or template, or by using the policies applied to a resource.
Create a posture using an existing posture or template
- Select Start with an existing posture or template (browse postures).
- Specify posture details such as posture name and description.
- Click Select Posture. You can create a posture based on an existing posture or a template.
- Select Posture to create a posture using an existing posture. Select a posture from the list of postures displayed and then select one or more revisions from the list of available revisions for the selected posture.
- Select Template to create a posture using a template and then select one or more templates from the list of templates displayed.
- Click Save. Under the Policy Sets section, you can view the list of policy sets associated with the selected posture.
- Select the policies from the list of policy sets. You can also edit the policy and move the policy to a different policy set on this page. You cannot create a posture with two policies with the same name within the same policy set.
- Click Create.
Create a posture using the policies applied on a resource
- Select Start with a posture applied to a resource (browse resources).
- Specify posture details such as posture name and description.
- Click Select resources.
- Select a resource from the list of resources displayed and click Create.
You are redirected to the Posture details page showing information about the posture that you have created. You can see the policy sets associated with that posture.
gcloud
Run the gcloud scc postures create command to create a posture using the posture.yaml file.
gcloud scc postures create POSTURE_NAME \
  --posture-from-file=POSTURE_FROM_FILE
Replace the following values:
- POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/global/postures/POSTURE_ID.
- POSTURE_ID is an alphanumeric name for your posture that is unique to your organization. POSTURE_ID is limited to 63 characters.
For example, to create a posture with the ID posture-example-1 under the organization organizations/3589215982, run the following:
gcloud scc postures create \
  organizations/3589215982/locations/global/postures/posture-example-1 \
  --posture-from-file=posture.yaml
If the posture creation process fails, delete the posture, troubleshoot the error, and try again.
To verify that the posture created successfully, see View a posture.
To apply this posture to your environment, you must deploy the posture.
Terraform
If you created a Terraform configuration for the posture resource, you must provision it using your infrastructure-as-code pipeline.
For more information, see Terraform on Google Cloud.
Deploy a posture
After you create a posture, you deploy it to a project, folder, or organization so that you can apply the policies and their definitions to specific resources in your organization and monitor for drift. You can only deploy one posture to a project, folder, or organization.
Verify that your posture state is ACTIVE.
When you deploy the posture, the following actions occur:
- The definitions for organization policies and Security Health Analytics detectors are applied.
- For custom organization policies, the custom constraint is created with a constraint ID that appends the posture revision ID as a suffix to the constraint ID that you defined in the posture.
- The default state for the custom modules is set to Enabled.
Console
In the Google Cloud console, go to the Posture Management page.
Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.
On the Postures tab, click the posture that you want to deploy.
On the Posture details page, select the revision of the posture. The posture revision you select must be in the active state.
Click Apply to resources.
Click Select to select the organization, folder, or project that you want to deploy the posture to.
Click Apply posture.
gcloud
Run the gcloud scc posture-deployments create command to deploy a posture to a project, folder, or organization.
gcloud scc posture-deployments create POSTURE_DEPLOYMENT_NAME \
--posture-name=POSTURE_NAME \
--posture-revision-id=POSTURE_REVISION_ID \
--target-resource=TARGET_RESOURCE
Replace the following values:
- POSTURE_DEPLOYMENT_NAME is the relative resource name for the posture deployment. The format is organizations/ORGANIZATION_ID/locations/global/postureDeployments/POSTURE_DEPLOYMENT_ID.
- LOCATION is global.
- POSTURE_ID is an alphanumeric name for your posture that is unique to your organization.
- --posture-name=POSTURE_NAME is the name for the posture that you're deploying. The format is organizations/ORGANIZATION_ID/locations/global/postures/POSTURE_ID.
If your posture includes a detector that's specific to AWS, you must deploy the posture at the organization level (Preview).
For example, to deploy a posture, run the following command:
gcloud scc posture-deployments create \
organizations/3589215982/locations/global/postureDeployments/postureDeployment123 \
--posture-name=organizations/3589215982/locations/global/postures/StagingAIPosture \
--posture-revision-id=version1 \
--target-resource=projects/4589215982
You can view status information as the command completes. If the posture deployment creation process fails, delete the deployment, troubleshoot the error, and try again.
Terraform
You can create a Terraform resource to deploy a posture.
resource "google_securityposture_posture_deployment" "posture_deployment_example" {
posture_deployment_id = "<POSTURE_DEPLOYMENT_ID>"
parent = "organizations/<ORGANIZATION_ID>"
location = "global"
description = "a new posture deployment"
target_resource = "<TARGET_RESOURCE>"
posture_id = "<POSTURE_NAME>"
posture_revision_id = "<POSTURE_REVISION_ID>"
}
For more information, see google_securityposture_posture_deployment.
After you create the Terraform resource, provision it using your infrastructure-as-code pipeline.
View posture and posture deployment information
You can view posture and posture deployment information to see information such as the following:
- What postures are deployed and where in the resource hierarchy (organizations, projects, and folders) they are applied
- The revisions and state of postures
- The operational details of a posture deployment
View a posture
You can view information about a posture (such as its state and policy definitions).
Console
In the Google Cloud console, go to the Posture Management page.
Select the organization that you activated the Security Command Center Premium or Enterprise tier on.
On the Postures tab, click the posture that you want to view. The posture details appear.
gcloud
Run the gcloud scc postures describe command to see a posture that you created.
gcloud scc postures describe POSTURE_NAME \
--revision-id=REVISION_ID
Replace the following values:
- POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/global/postures/POSTURE_ID.
- LOCATION is global.
- POSTURE_ID is an alphanumeric name for your posture that is unique to your organization.
- --revision-id=REVISION_ID is an optional flag that specifies which version of the posture to view. If you don't include the flag, the latest version is returned.
For example, to view a posture with the name organizations/3589215982/locations/global/postures/posture-example-1 and the revision ID abcdefgh, run the following:
gcloud scc postures describe \
organizations/3589215982/locations/global/postures/posture-example-1 \
--revision-id=abcdefgh
View information about a posture deployment operation
Run the gcloud scc posture-operations describe command to view the operation details for a posture deployment operation.
gcloud scc posture-operations describe OPERATION_NAME
Where OPERATION_NAME is the relative resource name for the operation. The format is organizations/ORGANIZATION_ID/locations/global/operations/OPERATION_ID.
You can obtain the OPERATION_ID by using the --async argument when you run the posture command.
For example, to view a scan operation with the name organizations/3589215982/locations/global/operations/operation-1694515698847-605272e4bcd7c-f93dade6-067467ae, run the following:
gcloud scc posture-operations describe \
organizations/3589215982/locations/global/operations/operation-1694515698847-605272e4bcd7c-f93dade6-067467ae
View information about a posture deployment
You can view where a posture is deployed to, as well as the deployment state.
Console
In the Google Cloud console, go to the Posture Management page.
Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.
On the Postures tab, click the posture that you deployed.
Go to the Resources tab to view the projects, folders, and organization that the posture is deployed to, as well as the deployment state.
gcloud
Run the gcloud scc posture-deployments describe command to view information about a deployed posture.
gcloud scc posture-deployments describe POSTURE_DEPLOYMENT_NAME
Where POSTURE_DEPLOYMENT_NAME is the relative resource name for the posture deployment. The format is organizations/ORGANIZATION_ID/locations/global/postureDeployments/POSTURE_DEPLOYMENT_ID.
- LOCATION is global.
- POSTURE_DEPLOYMENT_ID is a unique name for the posture deployment.
For example, to view the details for a posture deployment that is named organizations/3589215982/locations/global/postureDeployments/Posture-deployment-example-1, run the following:
gcloud scc posture-deployments describe \
organizations/3589215982/locations/global/postureDeployments/Posture-deployment-example-1
Update a posture and posture deployment
You can update the following:
- The state of the posture.
- The policy definitions in a posture.
- The organization, folders, or projects that a posture is deployed to.
Update the policy definitions in a posture
You might need to update a posture when you enable more Google Cloud services, deploy additional resources, or require additional policies to meet new or changing compliance requirements. If you are updating a deployed posture revision, this task creates a new posture revision. Otherwise, the posture revision that you specify when you run the update command is updated.
- Open a YAML file in a text editor. Add the fields you want to update, along with their values. If you are updating policy sets, ensure that your file includes all the policy sets that you want to include in the posture, including the policy sets that already exist. For instructions, see Modify a posture YAML file.
- Run the gcloud scc postures update command to update the posture.
gcloud scc postures update POSTURE_NAME \
  --posture-from-file=POSTURE_FROM_FILE \
  --revision-id=POSTURE_REVISION_ID \
  --update-mask=UPDATE_MASK
Replace the following values:
- POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/global/postures/POSTURE_ID.
- POSTURE_ID is an alphanumeric name for your posture that is unique to your organization.
- POSTURE_FROM_FILE is the relative or absolute path to the posture.yaml file that includes your changes.
- LOCATION is global.
- --revision-id=REVISION_ID is the posture revision that you want to deploy. If the posture is already deployed, the security posture service automatically creates a new version of the posture with a different revision ID and includes the revision ID in the output.
- --update-mask=UPDATE_MASK is the list of fields that you want to update, in comma-separated format. This argument is optional. You can set UPDATE_MASK to one of the following values:
  - * or unspecified: Apply the changes that you made to the policy sets and posture description.
  - policy_sets: Apply the changes that you made to the policy sets only.
  - description: Apply the changes that you made to the posture description only.
  - policy_sets, description: Apply the changes that you made to the policy sets and posture description.
  - state: Apply the state change only.
For example, to update the policy sets of a posture with the ID posture-example-1 under the organization organizations/3589215982/locations/global and the revision ID set to abcd1234, run the following:
gcloud scc postures update \
  organizations/3589215982/locations/global/postures/posture-example-1 \
  --posture-from-file=posture.yaml \
  --revision-id=abcd1234 \
  --update-mask=policy_sets
If the posture update process fails, troubleshoot the error, and try again.
To verify that the posture updated successfully, see View a posture.
Change the state of a posture
The state of a posture determines whether it is available for deployment to a project, folder, or organization.
A posture can have the following states:
DRAFT
: The posture revision is not ready for deployment. You cannot deploy a posture revision that is in theDRAFT
state.ACTIVE
: The posture revision is available for deployment. You can change the state fromACTIVE
toDRAFT
orDEPRECATED.
DEPRECATED
: ADEPRECATED
posture revision cannot be deployed to a resource. You must delete all existing posture deployments of the posture before you can deprecate a posture revision. If you want to redeploy a posture revision that you deprecated, you must change its state toACTIVE
.
Console
In the Google Cloud console, go to the Posture Management page.
Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.
On the Postures tab, click the posture you want to update.
On the Posture details page, click Edit.
Select the posture status and click Save.
gcloud
To change the state of a posture, run the gcloud scc postures update command. You can't update the posture state at the same time that you update other fields. For instructions about running the gcloud scc postures update command, see Modify a posture YAML file.
Update a posture deployment
Update a posture deployment on a project, folder, or organization to deploy a new posture or deploy a new revision of a posture.
If the posture revision that you're updating includes a custom organization constraint that was deleted using the Google Cloud console, you can't update the posture deployment using the same posture ID. The Organization Policy Service prevents the creation of custom organization constraints that have the same name. Instead, you must create a new version of the posture or use a different posture ID.
Also, findings for any policies that are removed from the deployment as part of the update are deactivated.
Console
In the Google Cloud console, go to the Posture Management page.
Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.
On the Postures tab, click the posture that you want to update.
On the Posture details page, select the revision of the posture.
Click Apply to resources.
Click Select to select the organization, folder, or project that you want to deploy the posture to. If you see a message that the deployment already exists, delete the deployment before trying again.
gcloud
Run the gcloud scc posture-deployments update command to deploy a posture.
gcloud scc posture-deployments update POSTURE_DEPLOYMENT_NAME \
--description=DESCRIPTION \
--update-mask=UPDATE_MASK \
--posture-id=POSTURE_ID \
--posture-revision-id=POSTURE_REVISION_ID
Replace the following values:
POSTURE_DEPLOYMENT_NAME is the relative resource name for the posture deployment. The format is organizations/ORGANIZATION_ID/locations/global/postureDeployments/POSTURE_DEPLOYMENT_ID. POSTURE_DEPLOYMENT_ID is a unique name for the posture deployment.
--description=DESCRIPTION is the optional description for the deployed posture.
--posture-id=POSTURE_ID is the name for your posture that is unique to your organization. The format is organizations/ORGANIZATION_ID/locations/global/postures/POSTURE_NAME.
--posture-revision-id=POSTURE_REVISION_ID is the posture revision that you want to deploy. You can obtain it from the response that you receive when you create the posture or view the posture.
--update-mask=UPDATE_MASK is the list of fields that you want to update, in comma-separated format. This argument is optional.
For example, to update a posture deployment with the following criteria:
- Organization: organizations/3589215982/locations/global
- Posture deployment ID: postureDeploymentexample
- Posture ID: StagingAIPosture
- Revision: version2
Run the following command:
gcloud scc posture-deployments update \
organizations/3589215982/locations/global/postureDeployments/postureDeploymentexample \
--posture-id=organizations/3589215982/locations/global/postures/StagingAIPosture \
--posture-revision-id=version2
You can view status information as the command completes. If the posture deployment update process fails, delete the deployment, troubleshoot the error, and try again.
Monitor posture drift
You can monitor a deployed posture for drift from your defined policies within security posture. Drift is a change to a policy that occurs outside of a posture. For example, drift occurs when an administrator changes a policy definition in the console instead of updating the posture deployment.
The security posture service creates findings that you can view in the Google Cloud console or gcloud CLI whenever drift occurs.
Console
If you have created a posture that applies to Vertex AI workloads, you can monitor for drift in two ways: from the Findings page, and from the Overview page. For all other postures, you can monitor for drift from the Findings page.
To monitor for drift from the Findings page:
In the Google Cloud console, go to the Findings page.
Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.
In the Quick filters pane, select the Posture violation finding. You can also enter the following filter in Query preview:
state="ACTIVE" AND NOT mute="MUTED" AND finding_class="POSTURE_VIOLATION"
To view the details for a finding, click the finding.
To monitor for drift from the Overview page (Vertex AI workloads only):
In the Google Cloud console, go to the Overview page.
Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.
Review the AI Workload Findings pane.
- The Vulnerabilities tab shows all the vulnerabilities related to any Security Health Analytics custom modules that apply specifically to Vertex AI workloads.
- The Policy Drift tab shows any drift related to the Vertex AI organization policies that you've applied in a posture.
- To view the details for a finding, click the finding.
gcloud
In the gcloud CLI, to view drift findings, run the following:
gcloud scc findings list ORGANIZATION_ID \
--filter="category=\"SECURITY_POSTURE_DRIFT\""
Where ORGANIZATION_ID is the ID of the organization.
For more information about addressing these findings, see Security posture service findings. You can export these findings in the same way that you export any other findings from Security Command Center. For more information, see Integration options and Exporting Security Command Center data.
To deactivate a drift finding, update the posture deployment with the same posture ID and posture revision ID; this re-applies the deployed policies to the resource.
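The following Python script ties together the two gcloud commands from the "Update a posture deployment" and "Monitor posture drift" sections: it lists active drift findings, groups them by the drifted resource, and builds (and optionally runs) the posture-deployments update command that re-applies the same posture ID and revision ID to deactivate the findings. It is an added example, not code from the Google Cloud documentation. The shape of the JSON that gcloud scc findings list --format=json emits (a list of entries wrapping a "finding" object with "name", "category", "state", "mute" and "resourceName") is assumed from the Security Command Center finding fields, and the sample findings at the bottom are constructed so the grouping logic runs offline.

```python
"""Added example (not from the Google Cloud documentation): triage security
posture drift findings and re-apply a posture deployment to deactivate them.

Wraps the two gcloud commands shown on this page:
  gcloud scc findings list ORGANIZATION_ID --filter=... --format=json
  gcloud scc posture-deployments update ... --posture-id=... --posture-revision-id=...
Assumption: `gcloud scc findings list --format=json` returns a list of entries,
each wrapping a "finding" object that carries "name", "category", "state",
"mute" and "resourceName". SAMPLE_FINDINGS below is constructed, not real output.
"""
import json
import shlex
import subprocess
from collections import defaultdict

DRIFT_CATEGORY = "SECURITY_POSTURE_DRIFT"
# The page's gcloud filter, narrowed to active findings as the console query does.
DRIFT_FILTER = f'category="{DRIFT_CATEGORY}" AND state="ACTIVE"'


def list_drift_findings(organization_id):
    """Run the findings list command from this page and parse its JSON output."""
    cmd = ["gcloud", "scc", "findings", "list", str(organization_id),
           f"--filter={DRIFT_FILTER}", "--format=json"]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def summarize_drift(entries):
    """Group active, unmuted drift findings by the drifted resource.

    Returns {resource_name: [finding_id, ...]}. Inactive or muted findings and
    findings of other categories are dropped even if the filter let them through.
    """
    by_resource = defaultdict(list)
    for entry in entries:
        finding = entry.get("finding", entry)  # list entries wrap the finding
        if finding.get("category") != DRIFT_CATEGORY:
            continue
        if finding.get("state") != "ACTIVE" or finding.get("mute") == "MUTED":
            continue
        finding_id = finding["name"].rsplit("/", 1)[-1]
        by_resource[finding["resourceName"]].append(finding_id)
    return dict(by_resource)


def reapply_command(organization_id, deployment_id, posture_id, revision_id):
    """Build the posture-deployments update command from this page.

    Updating an existing deployment with the same posture ID and revision ID
    re-applies the posture and deactivates the drift findings raised against it.
    """
    parent = f"organizations/{organization_id}/locations/global"
    return ["gcloud", "scc", "posture-deployments", "update",
            f"{parent}/postureDeployments/{deployment_id}",
            f"--posture-id={parent}/postures/{posture_id}",
            f"--posture-revision-id={revision_id}"]


def reapply(organization_id, deployment_id, posture_id, revision_id, dry_run=True):
    """Re-apply a deployment; with dry_run=True the command is only printed."""
    cmd = reapply_command(organization_id, deployment_id, posture_id, revision_id)
    if dry_run:
        print("would run:", shlex.join(cmd))
        return 0
    return subprocess.run(cmd, check=True).returncode


# Constructed sample of what the findings list could return (not real output).
SAMPLE_FINDINGS = [
    {"finding": {"name": "organizations/3589215982/sources/111/findings/drift-1",
                 "category": DRIFT_CATEGORY, "state": "ACTIVE",
                 "resourceName": "//cloudresourcemanager.googleapis.com/organizations/3589215982"}},
    {"finding": {"name": "organizations/3589215982/sources/111/findings/drift-2",
                 "category": DRIFT_CATEGORY, "state": "ACTIVE",
                 "resourceName": "//cloudresourcemanager.googleapis.com/projects/ai-staging-prj"}},
    {"finding": {"name": "organizations/3589215982/sources/111/findings/drift-3",
                 "category": DRIFT_CATEGORY, "state": "ACTIVE", "mute": "MUTED",
                 "resourceName": "//cloudresourcemanager.googleapis.com/projects/ai-staging-prj"}},
    {"finding": {"name": "organizations/3589215982/sources/111/findings/drift-4",
                 "category": DRIFT_CATEGORY, "state": "INACTIVE",
                 "resourceName": "//cloudresourcemanager.googleapis.com/organizations/3589215982"}},
]

if __name__ == "__main__":
    # Replace SAMPLE_FINDINGS with list_drift_findings("3589215982") to run live.
    for resource, ids in summarize_drift(SAMPLE_FINDINGS).items():
        print(f"{resource}: {len(ids)} drift finding(s) {ids}")
    # Dry run against the page's example deployment; pass dry_run=False to execute.
    reapply("3589215982", "postureDeploymentexample", "StagingAIPosture", "version2")
```

The grouping step is where the operator decides what to do: a drifted organization-level resource usually means someone edited an organization policy directly, and the fix is to re-apply the deployment rather than to mute the finding. The re-apply path is a dry run by default so the command can be reviewed before it touches the deployment.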
Generate a drift finding for testing purposes
After you deploy a posture, you can monitor for drift from your policies. To see drift findings in action in a testing environment, complete the following:
In the console, go to the Organization policy page.
Edit one of the policies that you defined in the deployed posture. For example, if you use a predefined secure AI posture, you could edit the Restrict public IP access on new Vertex AI Workbench notebooks and instances policy.
After you change the policy, click Set Policy.
Go to the Findings page.
In the Quick filters pane, in the Source display name section, select Security Posture. A finding related to your change should appear within five minutes.
To view the details for the finding, click the finding.
Delete a posture deployment
You can delete a posture deployment if it didn't deploy properly, you no longer require a particular posture, or you no longer want a particular posture assigned to a project, folder, or organization. To delete a posture deployment, the posture deployment must be in one of the following states:
ACTIVE
CREATE_FAILED
UPDATE_FAILED
DELETE_FAILED
To verify the state of a posture deployment, see View information about a posture deployment.
When you delete a posture deployment, you remove the posture from the resource (your organization, folder, or project) that you assigned it to. Also, it deactivates the associated findings.
The result depends on the type of policies in the posture:
- When you delete a posture deployment that includes custom organization policies, the custom organization policies are deleted. However, the custom constraints continue to exist.
- When you delete a posture deployment that includes built-in Security Health Analytics detectors, the final state of the Security Health Analytics modules depends on the organization, folder, or project on which the deployment existed.
  - If you deployed a posture on a folder or project, built-in Security Health Analytics detectors inherit their state from the parent organization or folder.
  - If you deployed a posture at the organization level, built-in Security Health Analytics detectors revert to the default state. For a description of the default states, see Enable and disable detectors.
Console
In the Google Cloud console, go to the Posture Management page.
Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.
On the Postures tab, click the posture that you want to remove from the resource it is assigned to.
On the Posture details page, select the revision of the posture and go to Resources.
From the list of resources where the current active posture revision is deployed, click Remove.
gcloud
Run the gcloud scc posture-deployments delete command to delete a posture deployment.
gcloud scc posture-deployments delete POSTURE_DEPLOYMENT_NAME
POSTURE_DEPLOYMENT_NAME is the relative resource name for the posture deployment. The format is organizations/ORGANIZATION_ID/locations/global/postureDeployments/POSTURE_DEPLOYMENT_ID. POSTURE_DEPLOYMENT_ID is the unique name for the posture deployment.
For example, to delete a posture deployment that is named organizations/3589215982/locations/global/postureDeployments/posture-deployment-example-1, run the following:
gcloud scc posture-deployments delete \
organizations/3589215982/locations/global/postureDeployments/posture-deployment-example-1
Delete a posture
When you delete a posture, you also delete all revisions. You can't delete a posture if any of its revisions are deployed. You must delete all posture deployments before you can complete this task.
Console
In the Google Cloud console, go to the Posture Management page.
Verify that you are viewing the organization that you activated the Security Command Center Premium or Enterprise tier on.
On the Postures tab, click the posture that you want to delete.
On the Posture details page, click Delete.
gcloud
Run the gcloud scc postures delete command to delete a posture.
gcloud scc postures delete POSTURE_NAME
POSTURE_NAME is the relative resource name of the posture. For example, organizations/ORGANIZATION_ID/locations/global/postures/POSTURE_ID. The posture ID is an alphanumeric name for your posture that is unique to your organization.
For example, to delete a posture that is named organizations/3589215982/locations/global/postures/posture-example-1, run the following:
gcloud scc postures delete \
organizations/3589215982/locations/global/postures/posture-example-1
What's next
- Read the overview of security postures.
- Learn about custom modules for Security Health Analytics.
- Learn about custom organization policy constraints.
- Check the audit logs for posture-related operations.
- Export security posture service data.