GoogleCloudPlatform / security-response-automation

Take automated actions against threats and vulnerabilities.
Apache License 2.0

Remove unnecessary roles from SCC Notifications service account #169

Closed atos-cit closed 4 years ago

atos-cit commented 4 years ago

In the section "Set up Security Command Center Notifications" of the README, after running the script to create the SCC Notifications, there are two commands to add roles to a service account:

gcloud beta pubsub topics add-iam-policy-binding projects/$PROJECT_ID/topics/$TOPIC_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_FROM_ABOVE" \
--role="roles/pubsub.publisher"

gcloud pubsub topics add-iam-policy-binding projects/$PROJECT_ID/topics/threat-findings \
--member="serviceAccount:$SERVICE_ACCOUNT_FROM_ABOVE" \
--role="roles/securitycenter.notificationServiceAgent"

It seems that both roles have the same permissions, so we need to test whether both are needed to make the SCC Notifications work.
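
A least-privilege check for the situation described in this issue, added here as an example (not code from the security-response-automation project): it parses the JSON that `gcloud pubsub topics get-iam-policy --format=json` returns, lists the roles a given member holds on the topic, reports any beyond the required set, and prints the matching `remove-iam-policy-binding` commands. It assumes `roles/pubsub.publisher` is the only role the notification service account needs on the topic; the policy document, etag and service-account names below are constructed.

```python
import json

# Constructed sample of `gcloud pubsub topics get-iam-policy ... --format=json`
# output; the etag and service-account names are made up for this example.
SAMPLE_POLICY = """{
  "bindings": [
    {"role": "roles/pubsub.publisher",
     "members": ["serviceAccount:service-org-123456789@gcp-sa-scc-notification.iam.gserviceaccount.com"]},
    {"role": "roles/securitycenter.notificationServiceAgent",
     "members": ["serviceAccount:service-org-123456789@gcp-sa-scc-notification.iam.gserviceaccount.com"]},
    {"role": "roles/pubsub.subscriber",
     "members": ["serviceAccount:sra-automation@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXexampleEtag=="
}"""

# Assumption: the SCC notification service account only needs to publish to the topic.
REQUIRED_ROLES = {"roles/pubsub.publisher"}


def load_policy(text: str) -> dict:
    """Parse the JSON IAM policy as printed by gcloud."""
    return json.loads(text)


def roles_for_member(policy: dict, member: str) -> set:
    """Every role the member holds in the topic's IAM policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def excess_roles(policy: dict, member: str, required: set = REQUIRED_ROLES) -> set:
    """Roles bound to the member beyond the set it needs."""
    return roles_for_member(policy, member) - required


def missing_roles(policy: dict, member: str, required: set = REQUIRED_ROLES) -> set:
    """Required roles the member does not hold (notifications would fail to publish)."""
    return required - roles_for_member(policy, member)


def removal_commands(policy: dict, member: str, topic: str, required: set = REQUIRED_ROLES) -> list:
    """One gcloud command per surplus role, dropping that binding from the topic."""
    return [
        f"gcloud pubsub topics remove-iam-policy-binding {topic} "
        f'--member="{member}" --role="{role}"'
        for role in sorted(excess_roles(policy, member, required))
    ]


if __name__ == "__main__":
    scc = "serviceAccount:service-org-123456789@gcp-sa-scc-notification.iam.gserviceaccount.com"
    for cmd in removal_commands(load_policy(SAMPLE_POLICY), scc, "projects/example-project/topics/threat-findings"):
        print(cmd)
```

Feed it real output from `get-iam-policy` on the threat-findings topic and review the printed commands before running them; dropping a binding the notification actually relies on stops findings from reaching the automation.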

daniel-cit commented 4 years ago

Should replace the section with a link to the documentation:

https://cloud.google.com/security-command-center/docs/how-to-notifications