This document provides a step-by-step guide to enable the public bucket remediation for the posture findings playbooks in the Enterprise tier of Security Command Center.
Overview
Security Command Center supports additional remediation for the vulnerabilities in the following playbooks:
- Posture Findings – Generic
- Posture Findings With Jira
- Posture Findings With ServiceNow
These posture findings playbooks include a block that remediates the OPEN PORT, PUBLIC IP ADDRESS, and PUBLIC_BUCKET_ACL findings. For more information about these finding types, see Vulnerability findings.
Playbooks are preconfigured to process the OPEN PORT and PUBLIC IP ADDRESS findings. Remediating the PUBLIC_BUCKET_ACL findings requires that you enable the public bucket remediation for playbooks.
Enable public bucket remediation for playbooks
After the Security Health Analytics (SHA) detector identifies the Cloud Storage buckets that are publicly accessible and generates the PUBLIC_BUCKET_ACL findings, Security Command Center Enterprise ingests the findings and attaches playbooks to them. To enable the public bucket remediation for posture findings playbooks, you need to create a custom IAM role, configure a specific permission for it, and grant the custom role that you've created to an existing principal.
Before you begin
A configured and running instance of the Cloud Storage integration is required to remediate the public bucket access. To validate the integration configuration, see Update the Enterprise use case.
Create a custom IAM role
To create a custom IAM role and configure a specific permission for it, complete the following steps:
- In the Google Cloud console, go to the IAM Roles page.
- Click Create role to create a custom role with permissions required for the integration.
- For a new custom role, provide the Title, Description, and a unique ID.
- Set the Role Launch Stage to General Availability.
- Add the following permission to the created role:
  - resourcemanager.organizations.setIamPolicy
- Click Create.
Grant a custom role to an existing principal
After you grant your new custom role to a selected principal, that principal can change permissions for any user in your organization, because resourcemanager.organizations.setIamPolicy allows it to set the IAM policy at the organization level. Grant the role only to the Workload Identity principal that the Cloud Storage integration uses.
To grant the custom role to an existing principal, complete the following steps:
- In the Google Cloud console, go to the IAM page. 
- In the Filter field, paste the Workload Identity Email value that you use for the Cloud Storage integration and search for the existing principal. 
- Click Edit principal. The Edit access to "PROJECT" dialog opens. 
- Under Assign roles, click Add another role. 
- Select the custom role that you've created and click Save.
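The two procedures above (create the custom role, grant it to the integration's Workload Identity principal) as a scripted pre-flight check; this is an added example, not Google's code or the Security Command Center playbook itself. It assumes the role body is passed to `gcloud iam roles create ROLE_ID --organization ORG_ID --file role.json` and the binding is applied to the policy returned by `gcloud organizations get-iam-policy ORG_ID --format json`; the organization ID, role ID and service-account e-mail in the test are constructed placeholders.

```python
import re

# The single permission the guide requires; anything beyond it is over-provisioning
# for an org-level grant and should be rejected before the role is created.
REQUIRED_PERMISSION = "resourcemanager.organizations.setIamPolicy"


def custom_role_definition(title, description):
    """Role body in the shape accepted by `gcloud iam roles create --file`."""
    return {
        "title": title,
        "description": description,
        "stage": "GA",  # console: Role Launch Stage = General Availability
        "includedPermissions": [REQUIRED_PERMISSION],
    }


def check_role(role):
    """Return a list of problems with a role body; an empty list means it matches the guide."""
    problems = []
    perms = set(role.get("includedPermissions", []))
    if REQUIRED_PERMISSION not in perms:
        problems.append(f"missing {REQUIRED_PERMISSION}")
    for extra in sorted(perms - {REQUIRED_PERMISSION}):
        problems.append(f"unexpected permission {extra}")
    if role.get("stage") != "GA":
        problems.append(f"stage is {role.get('stage')!r}, expected 'GA'")
    return problems


def grant_role(policy, role_name, member):
    """Add member to the binding for role_name in an IAM policy dict, idempotently.

    Only a service-account principal (the integration's Workload Identity e-mail)
    is accepted, so the org-level grant cannot silently land on a user or group.
    role_name is the full custom-role name, organizations/ORG_ID/roles/ROLE_ID.
    """
    if not re.fullmatch(r"serviceAccount:[^@\s]+@[^@\s]+", member):
        raise ValueError(f"expected serviceAccount:<email>, got {member!r}")
    bindings = policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role_name:
            if member not in binding["members"]:
                binding["members"].append(member)
            return policy
    bindings.append({"role": role_name, "members": [member]})
    return policy


def members_with_role(policy, role_name):
    """Every principal holding role_name in the policy, for a post-grant review."""
    return sorted(m for b in policy.get("bindings", [])
                  if b["role"] == role_name for m in b["members"])
```

Run `check_role` on the role body before `gcloud iam roles create`, and `members_with_role` on the updated policy before `gcloud organizations set-iam-policy`, so the only holder of the new role is the integration's service account.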