These are the steps that cannot be automated.
When an organization is created, all users in your domain are granted the Billing Account Creator and Project Creator roles by default. So that projects can only be created under the intended folder, the Project Creator role must be removed at the organization level and granted again on the GCP folder where project creation is allowed. Because these default grants exist before Terraform is able to manage the environment, this is a manual step.
- At the organization level, edit the @domain.com principal (the binding for all users in your domain) and remove the Project Creator role.
- Automation should have created a custom role, normally named something like [Custom] Folder Viewer, and applied it to the desired GCP folder.
- Lastly, on the desired GCP folder, add a new IAM binding for @domain.com and assign the Project Creator role.
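The following check verifies that the manual step landed as intended: Project Creator gone from the organization policy and present on the target folder. It is an added example, not code from the foundation, and it works on the JSON returned by `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json`. The policies embedded in it are constructed samples in that shape; the organization ID, domain and custom role name are placeholders.

```python
"""Check that the Project Creator role was moved from the organization to the target
folder. Added example (not part of the foundation's own code). Feed it the JSON from
`gcloud organizations get-iam-policy ORG_ID --format=json` and
`gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json`;
the policies embedded below are constructed samples in that shape."""
import json

PROJECT_CREATOR = "roles/resourcemanager.projectCreator"
BILLING_CREATOR = "roles/billing.creator"
# Placeholder: the domain principal that receives the default grants.
DOMAIN_MEMBER = "domain:example.com"

# Constructed sample: organization policy BEFORE the manual step (default grants).
ORG_POLICY_BEFORE = """{
  "bindings": [
    {"role": "roles/billing.creator", "members": ["domain:example.com"]},
    {"role": "roles/resourcemanager.projectCreator", "members": ["domain:example.com"]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:gcp-organization-admins@example.com"]}
  ],
  "etag": "BwWz7Bf8QmE=",
  "version": 1
}"""

# Constructed sample: organization policy AFTER removing Project Creator.
ORG_POLICY_AFTER = """{
  "bindings": [
    {"role": "roles/billing.creator", "members": ["domain:example.com"]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:gcp-organization-admins@example.com"]}
  ],
  "etag": "BwWz7Bf8QmF=",
  "version": 1
}"""

# Constructed sample: target folder policy AFTER the manual step. The custom role
# name is a placeholder for the "[Custom] Folder Viewer" role the automation creates.
FOLDER_POLICY = """{
  "bindings": [
    {"role": "roles/resourcemanager.projectCreator", "members": ["domain:example.com"]},
    {"role": "organizations/123456789012/roles/folderViewer", "members": ["domain:example.com"]}
  ],
  "etag": "BwWz7Bf8QmG=",
  "version": 1
}"""


def load_policy(text):
    """Parse gcloud's JSON policy output into a dict."""
    return json.loads(text)


def members_with_role(policy, role):
    """Every member bound to `role` in the policy (a role may appear in several bindings)."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def check_project_creator_move(org_policy, folder_policy, member):
    """Return a list of problems; an empty list means the step was applied correctly."""
    problems = []
    org_creators = members_with_role(org_policy, PROJECT_CREATOR)
    if member in org_creators:
        problems.append(f"{member} still holds {PROJECT_CREATOR} at the organization level")
    # Project Creator for any other principal at the org level also defeats the change.
    for other in sorted(org_creators - {member}):
        problems.append(f"unexpected organization-level {PROJECT_CREATOR} binding for {other}")
    if member not in members_with_role(folder_policy, PROJECT_CREATOR):
        problems.append(f"{member} is missing {PROJECT_CREATOR} on the target folder")
    return problems


def remaining_default_grants(org_policy, member):
    """Which of the two default organization-level grants the member still holds."""
    return sorted(r for r in (BILLING_CREATOR, PROJECT_CREATOR)
                  if member in members_with_role(org_policy, r))


if __name__ == "__main__":
    folder = load_policy(FOLDER_POLICY)
    for label, text in (("before", ORG_POLICY_BEFORE), ("after", ORG_POLICY_AFTER)):
        org = load_policy(text)
        print(label, check_project_creator_move(org, folder, DOMAIN_MEMBER) or "OK")
        print("  default grants still at org level:", remaining_default_grants(org, DOMAIN_MEMBER))
```

Billing Account Creator is intentionally left alone by the check: the page only moves Project Creator. Run the check again after any later `gcloud organizations set-iam-policy`, since a full policy replace can silently reintroduce the default binding.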
To set up Security Command Center for your organization, choose the Security Command Center tier you want, enable the services or security sources that you want to display findings in the Security Command Center dashboard, select the resources or assets to monitor, and then grant permissions for the Security Command Center service account
Enable the Security Command Center API notifications feature. Notifications send information to a Pub/Sub topic to provide findings updates and new findings within minutes. Because Security Command Center works at the organization level, Security Command Center API notifications include all of the finding information that is displayed in the Security Command Center dashboard.
In this step, you create and subscribe to the Pub/Sub topic that notifications are sent to. This should already have been configured during the 1-org step. To confirm that the topic and subscription exist, run the following gcloud command or check in the console:
gcloud pubsub topics list
If the Pub/Sub topic and subscription are not there, re-run the 1-org step.
Create the NotificationConfig using the gcloud command (the filter must be quoted so the shell passes the inner quotes through to gcloud):
# The numeric ID of the organization
ORGANIZATION_ID=organization-id
# The topic to which the notifications are published
PUBSUB_TOPIC="projects/project-id/topics/topic-id"
# The description for the NotificationConfig
DESCRIPTION="Notifies for active findings"
# Filters for active findings
FILTER="state=\"ACTIVE\""
gcloud scc notifications create notification-name \
--organization "$ORGANIZATION_ID" \
--description "$DESCRIPTION" \
--pubsub-topic "$PUBSUB_TOPIC" \
--filter "$FILTER"
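What arrives on the topic is a NotificationMessage carrying the NotificationConfig name and the finding. The consumer below decodes such a message, drops anything that did not come from the config created above, and routes the finding by severity. It is an added example, not code from the page or the foundation; it assumes the push-style Pub/Sub envelope, and the organization ID, project ID, NotificationConfig name and finding values are constructed placeholders.

```python
"""Decode and validate Security Command Center finding notifications as they arrive
from the Pub/Sub subscription configured above. Added example, not part of the
original page; the envelope builder and the findings below are constructed samples,
and the NotificationConfig name, organization ID and project ID are placeholders."""
import base64
import binascii
import json

# Placeholder: the NotificationConfig created with `gcloud scc notifications create`.
EXPECTED_CONFIG = "organizations/123456789012/notificationConfigs/notification-name"
REQUIRED_FIELDS = ("name", "parent", "resourceName", "state", "category", "severity", "eventTime")


def make_envelope(finding, config=EXPECTED_CONFIG):
    """Constructed Pub/Sub push envelope carrying an SCC NotificationMessage."""
    payload = {"notificationConfigName": config, "finding": finding}
    return {
        "message": {
            "data": base64.b64encode(json.dumps(payload).encode()).decode(),
            "messageId": "1234567890",
            "publishTime": "2021-03-01T12:00:00.000Z",
        },
        "subscription": "projects/project-id/subscriptions/subscription-id",
    }


# Constructed findings shaped like SCC's Finding resource.
ACTIVE_FINDING = {
    "name": "organizations/123456789012/sources/5678/findings/abc123",
    "parent": "organizations/123456789012/sources/5678",
    "resourceName": "//storage.googleapis.com/my-public-bucket",
    "state": "ACTIVE",
    "category": "PUBLIC_BUCKET_ACL",
    "severity": "HIGH",
    "eventTime": "2021-03-01T11:59:58.000Z",
}
INACTIVE_FINDING = dict(ACTIVE_FINDING, state="INACTIVE")


def parse_notification(envelope, expected_config=EXPECTED_CONFIG):
    """Return (finding, None) for an acceptable message or (None, reason) to drop it.

    Messages are rejected when the data is not valid base64/JSON, when they do not
    come from the NotificationConfig we created (another config could publish to the
    same topic), or when required finding fields are missing.
    """
    try:
        raw = base64.b64decode(envelope["message"]["data"], validate=True)
        payload = json.loads(raw)
    except (KeyError, TypeError, binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        return None, f"undecodable message: {exc.__class__.__name__}"
    if payload.get("notificationConfigName") != expected_config:
        return None, f"unexpected notificationConfigName {payload.get('notificationConfigName')!r}"
    finding = payload.get("finding")
    if not isinstance(finding, dict):
        return None, "payload has no finding object"
    missing = [f for f in REQUIRED_FIELDS if f not in finding]
    if missing:
        return None, f"finding missing fields: {', '.join(missing)}"
    return finding, None


def route(finding):
    """Pick a handling queue. The NotificationConfig filter above should already keep
    INACTIVE findings out, but the consumer re-checks state rather than trusting it."""
    if finding["state"] != "ACTIVE":
        return "ignore"
    if finding["severity"] in ("CRITICAL", "HIGH"):
        return "page-oncall"
    return "ticket"


if __name__ == "__main__":
    for env in (make_envelope(ACTIVE_FINDING), make_envelope(INACTIVE_FINDING),
                make_envelope(ACTIVE_FINDING, config="organizations/999/notificationConfigs/other")):
        finding, reason = parse_notification(env)
        print(route(finding) if finding else f"dropped: {reason}")
```

Checking `notificationConfigName` matters because the topic, not the config, is what the subscription binds to: any other NotificationConfig pointed at the same topic, with a looser filter, would otherwise flow straight into the same handler.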
To enable sharing of G Suite data with Cloud Audit Logs from your G Suite, Cloud Identity, or Drive Enterprise account, see the instructions in this G Suite Admin Help article.
- Log into the G Suite Admin console.
- From the Admin console Home page, go to Account settings > Legal & compliance.
- Click Sharing options.
- To share data, click Enabled.
- To turn off sharing, click Disabled. No new data is shared with GCP services. Existing shared data is deleted according to the GCP Admin Activity Audit log retention period.
- Click Save.