Manual Steps

These are the steps that cannot be automated.

Managing default organization roles

When an Organization is created, all users in your domain are granted the Billing Account Creator and Project Creator roles by default, through an IAM binding for the whole domain at the organization level.

The Project Creator binding must be removed at the organization level and re-applied on the specific GCP folder where projects are meant to be created, so that users can create projects only under that folder.

Because these default roles are granted before Terraform manages the environment, this change has to be performed manually.

Steps

  • At the organization level, edit the IAM binding for the domain principal (shown as @domain.com in the console; it covers every user in your domain) and remove the Project Creator role.
  • Automation should have created a custom role, normally named something like [Custom] Folder Viewer, and applied it to the desired GCP folder. Confirm that binding is present on the folder before continuing.
  • Lastly, on the desired GCP folder, add a new IAM binding for the same @domain.com principal and assign it the Project Creator role.
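The same change expressed as a policy edit, which is how you would do it with gcloud rather than the console. This is an added example, not part of the original README or the foundation's Terraform: it assumes the policies were exported with gcloud organizations get-iam-policy ORG_ID --format=json and gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json, and that the results are applied with the matching set-iam-policy commands. The domain example.com, the organization ID, the service account and the custom role path in the sample policies are placeholders.

```python
"""Move the domain-wide Project Creator binding from the organization to one folder.

Added example, not the README's or the foundation's own code. It edits IAM
policy documents offline, in the JSON layout that
  gcloud organizations get-iam-policy ORG_ID --format=json
  gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json
produce, so the result can be applied with the matching set-iam-policy
commands. The etag in each policy is preserved so set-iam-policy refuses the
write if someone changed the policy in between.
"""
import copy
import json

PROJECT_CREATOR = "roles/resourcemanager.projectCreator"


def _unconditional_binding(policy, role):
    """Find the plain binding for role; conditional bindings are deliberately left alone."""
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            return binding
    return None


def remove_member(policy, role, member):
    """Return a copy of policy with member removed from role; an emptied binding is dropped."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    new["bindings"] = kept
    return new


def add_member(policy, role, member):
    """Return a copy of policy with member granted role (no-op if already present)."""
    new = copy.deepcopy(policy)
    binding = _unconditional_binding(new, role)
    if binding is None:
        new.setdefault("bindings", []).append({"role": role, "members": [member]})
    elif member not in binding.setdefault("members", []):
        binding["members"].append(member)
    return new


def has_member(policy, role, member):
    binding = _unconditional_binding(policy, role)
    return binding is not None and member in binding.get("members", [])


def move_project_creator(org_policy, folder_policy, domain):
    """The manual step as a policy transformation: revoke at the org, grant on the folder."""
    member = "domain:" + domain
    return (remove_member(org_policy, PROJECT_CREATOR, member),
            add_member(folder_policy, PROJECT_CREATOR, member))


def verify(org_policy, folder_policy, domain):
    """End state to check before applying: the domain creates projects under the folder only."""
    member = "domain:" + domain
    return (not has_member(org_policy, PROJECT_CREATOR, member)
            and has_member(folder_policy, PROJECT_CREATOR, member))


# Constructed sample policies in gcloud's JSON layout; IDs and etags are placeholders.
SAMPLE_ORG_POLICY = {
    "version": 1,
    "etag": "BwWexampleOrg=",
    "bindings": [
        {"role": "roles/billing.creator", "members": ["domain:example.com"]},
        {"role": PROJECT_CREATOR,
         "members": ["domain:example.com",
                     "serviceAccount:org-terraform@seed.iam.gserviceaccount.com"]},
    ],
}
SAMPLE_FOLDER_POLICY = {
    "version": 1,
    "etag": "BwWexampleFolder=",
    "bindings": [
        # stand-in for the [Custom] Folder Viewer role the automation applies
        {"role": "organizations/123456789012/roles/folderViewer", "members": ["domain:example.com"]},
    ],
}

if __name__ == "__main__":
    org, folder = move_project_creator(SAMPLE_ORG_POLICY, SAMPLE_FOLDER_POLICY, "example.com")
    assert verify(org, folder, "example.com")
    # Write these out and apply with `gcloud organizations set-iam-policy ORG_ID org.json`
    # and `gcloud resource-manager folders set-iam-policy FOLDER_ID folder.json`.
    print(json.dumps(org, indent=2))
    print(json.dumps(folder, indent=2))
```

Only the Project Creator binding for the domain is touched: the Terraform service account keeps its grant, the Billing Account Creator binding is left as the page describes it, and any conditional binding for the same role is skipped rather than silently rewritten.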

Setting up Security Command Center

Here's the best link to follow

To set up Security Command Center for your organization, choose the Security Command Center tier you want, enable the services or security sources whose findings should appear in the Security Command Center dashboard, select the resources or assets to monitor, and then grant permissions to the Security Command Center service account.

Create a Security Command Center Notification Channel

Enable the Security Command Center API notifications feature. Notifications send information to a Pub/Sub topic to provide findings updates and new findings within minutes. Because Security Command Center works at the organization level, Security Command Center API notifications include all of the finding information that is displayed in the Security Command Center dashboard.

Setting up Pub/Sub Topic

Here's the best link to follow

In this step, you create and subscribe to the Pub/Sub topic that notifications are sent to. The topic and subscription should already have been created by Terraform during the 1-org step. To confirm they exist, list the topics in the project that hosts them with the following gcloud command, or check in the console:

gcloud pubsub topics list --project="$PROJECT_ID"

If the Pub/Sub topic or subscription is missing, re-run the 1-org step rather than creating them by hand, so that Terraform keeps managing them.

Creating a NotificationConfig

Create the NotificationConfig using the gcloud command (the variables are placeholders; fill in your organization ID and the project and topic created in the 1-org step):

  # The numeric ID of the organization
  ORGANIZATION_ID=organization-id

  # The topic to which the notifications are published
  PUBSUB_TOPIC="projects/project-id/topics/topic-id"

  # The description for the NotificationConfig
  DESCRIPTION="Notifies for active findings"

  # Filters for active findings
  FILTER="state=\"ACTIVE\""

  gcloud scc notifications create notification-name \
    --organization "$ORGANIZATION_ID" \
    --description "$DESCRIPTION" \
    --pubsub-topic "$PUBSUB_TOPIC" \
    --filter "$FILTER"
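What arrives on the topic once the NotificationConfig above is in place is a JSON notification per finding, so the consuming side needs to parse it and decide what deserves a human. This is an added example, not code from the README or the foundation project: it assumes messages as pulled from the Pub/Sub subscription (notification JSON base64-encoded in the message's data field), the SCC notification layout of a top-level object with notificationConfigName, finding and resource keys, and a finding's state, severity, category, resourceName and mute fields; the sample messages, organization and source IDs are constructed.

```python
"""Triage Security Command Center findings delivered by the NotificationConfig above.

Added example, not code from the README or the foundation project. It works on
messages as pulled from the Pub/Sub subscription (the notification JSON is
base64-encoded in the message's "data" field) and assumes the SCC notification
layout of a top-level object with "notificationConfigName", "finding" and
"resource"; the sample messages below are constructed, not captured.
"""
import base64
import json
from collections import Counter

# Severities worth paging a human for; everything else stays on the dashboard.
PAGE_SEVERITIES = {"CRITICAL", "HIGH"}


def decode_pubsub_message(message):
    """Unwrap one Pub/Sub message into the SCC notification object."""
    return json.loads(base64.b64decode(message["data"]).decode("utf-8"))


def parse_finding(notification):
    """Pull the fields a triage decision needs out of the notification."""
    finding = notification["finding"]
    return {
        "name": finding["name"],
        "category": finding.get("category", ""),
        "severity": finding.get("severity", "SEVERITY_UNSPECIFIED"),
        "state": finding.get("state", ""),
        "resource": finding.get("resourceName", ""),
        "event_time": finding.get("eventTime", ""),
        "muted": finding.get("mute") == "MUTED",
    }


def should_page(finding):
    """Page only on active, unmuted, high-impact findings.

    The NotificationConfig filter state="ACTIVE" already drops inactive findings
    server-side, but the consumer re-checks rather than trusting the filter, so
    a later edit to the filter cannot silently change what pages."""
    return (finding["state"] == "ACTIVE"
            and not finding["muted"]
            and finding["severity"] in PAGE_SEVERITIES)


def triage(messages):
    """Return (findings to page on, Counter of severities seen, number of malformed messages)."""
    to_page, by_severity, malformed = [], Counter(), 0
    for message in messages:
        try:
            finding = parse_finding(decode_pubsub_message(message))
        except (KeyError, ValueError):
            malformed += 1  # count and drop; one bad message must not stop the consumer
            continue
        by_severity[finding["severity"]] += 1
        if should_page(finding):
            to_page.append(finding)
    return to_page, by_severity, malformed


def _message(finding_fields):
    """Wrap constructed finding fields in the notification and Pub/Sub envelopes (placeholder IDs)."""
    notification = {
        "notificationConfigName": "organizations/123456789012/notificationConfigs/notification-name",
        "finding": {"name": "organizations/123456789012/sources/1111/findings/" + finding_fields["id"],
                    "parent": "organizations/123456789012/sources/1111",
                    "resourceName": "//storage.googleapis.com/example-bucket",
                    "eventTime": "2021-01-01T00:00:00Z",
                    **{k: v for k, v in finding_fields.items() if k != "id"}},
        "resource": {"name": "//storage.googleapis.com/example-bucket"},
    }
    return {"data": base64.b64encode(json.dumps(notification).encode()).decode(), "attributes": {}}


# Constructed sample messages covering the cases a consumer has to get right.
SAMPLE_MESSAGES = [
    _message({"id": "a1", "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "ACTIVE"}),
    _message({"id": "a2", "category": "BUCKET_LOGGING_DISABLED", "severity": "LOW", "state": "ACTIVE"}),
    _message({"id": "a3", "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "ACTIVE", "mute": "MUTED"}),
    _message({"id": "a4", "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "INACTIVE"}),
    {"data": base64.b64encode(b"not json").decode(), "attributes": {}},  # garbage on the topic
]

if __name__ == "__main__":
    paged, by_severity, malformed = triage(SAMPLE_MESSAGES)
    for f in paged:
        print("PAGE", f["severity"], f["category"], f["resource"])
    print(dict(by_severity), "malformed:", malformed)
```

Of the five constructed messages only the active, unmuted HIGH finding pages; the muted and the inactive copies of the same category are counted but not escalated, and the undecodable message is counted as malformed instead of crashing the loop.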

Sharing G Suite data

Here's the best link to follow

To enable sharing of G Suite data with Cloud Audit Logs from your G Suite, Cloud Identity, or Drive Enterprise account, see the instructions in this G Suite Admin Help article.

Share data with Google Cloud Platform services

  1. Log into the G Suite Admin console.
  2. From the Admin console Home page, go to Account settings and then Legal & compliance.
  3. Click Sharing options.
     • To share data, click Enabled.
     • To turn off sharing, click Disabled. No new data is shared with GCP services. Existing shared data is deleted according to the GCP Admin Activity Audit log retention period.
  4. Click Save.