Enterprise [service tier](/security-command-center/docs/service-tiers)

This document provides a step-by-step guide to enable the public bucket
remediation for the posture findings playbooks in the Enterprise tier of
Security Command Center.

Overview

Security Command Center supports additional remediation for the vulnerabilities in
the following playbooks:

- **Posture Findings -- Generic**
- **Posture Findings With Jira**
- **Posture Findings With ServiceNow**

These posture findings playbooks include a block that remediates the `OPEN PORT`,
`PUBLIC IP ADDRESS`, and `PUBLIC BUCKET ACL` findings. For more information
about these finding types, see [Vulnerability
findings](/security-command-center/docs/concepts-vulnerabilities-findings).

Playbooks are preconfigured to process the `OPEN PORT` and `PUBLIC IP ADDRESS`
findings. Remediating the `PUBLIC_BUCKET_ACL` findings requires that you enable
the public bucket remediation for playbooks.

Enable public bucket remediation for playbooks

After the Security Health Analytics (SHA) detector identifies the
Cloud Storage buckets that are publicly accessible and generates the
`PUBLIC_BUCKET_ACL` findings, Security Command Center Enterprise ingests the findings
and attaches playbooks to them. To enable the public bucket remediation for
posture findings playbooks, you need to create a custom IAM role,
configure a specific permission for it, and grant the custom role that you've
created to an existing principal.

Before you begin

A configured and running instance of the Cloud Storage integration is
required to remediate the public bucket access. To validate the integration
configuration, see [Update the Enterprise use case](/security-command-center/docs/enterprise-security-operations-software-update#storage-integration-config).

Create a custom IAM role

To create a custom IAM role and configure a specific permission
for it, complete the following steps:

1. In the Google Cloud console, go to the IAM **Roles** page.

   [Go to IAM Roles](https://console.cloud.google.com/iam-admin/roles)

2. Click **Create role** to create a custom role with permissions required for
   the integration.

3. For a new custom role, provide the **Title**, **Description**, and a unique
   **ID**.

4. Set the **Role Launch Stage** to **General Availability**.

5. Add the following permission to the created role:

   `resourcemanager.organizations.setIamPolicy`

6. Click **Create**.

Grant a custom role to an existing principal

After you grant your new custom role to a selected principal, they can change
permissions for any user in your organization.

To grant the custom role to an existing principal, complete the following steps:

1. In the Google Cloud console, go to the **IAM** page.

   [Go to IAM](https://console.cloud.google.com/iam-admin/iam)

2. In the **Filter** field, paste the **Workload Identity Email** value that
   you use for the Cloud Storage integration and search for the
   existing principal.

3. Click **Edit principal**. The **Edit access to "PROJECT"** dialog
   opens.

4. Under **Assign roles**, click **Add another role**.

5. Select the custom role that you've created and click **Save**.

Last updated 2025-09-03 UTC.
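The two procedures above (create the custom role, then grant it to the integration's principal) can also be done from the command line. The following script is an added example, not code from Google's documentation: it runs the gcloud CLI equivalents of the console steps and finishes with a check that lists every member bound to the new role at the organization level, so you can confirm that the grant reached only the integration's principal. The organization ID, the role ID `sccPublicBucketRemediation`, and the service account email are placeholders, and the script assumes the Workload Identity Email used by the Cloud Storage integration is a service account (IAM member type `serviceAccount:`). Because `resourcemanager.organizations.setIamPolicy` lets its holder rewrite IAM bindings across the whole organization, the script defaults to a dry run that only prints the commands; set `DRY_RUN=0` to execute them.

```shell
#!/bin/sh
# Added example (not Google's own code): gcloud equivalent of the console steps
# for enabling public bucket remediation. All values below are placeholders.
ORG_ID="${ORG_ID:-123456789012}"                      # placeholder organization ID
ROLE_ID="${ROLE_ID:-sccPublicBucketRemediation}"      # hypothetical custom role ID
# Assumption: the integration's Workload Identity Email is a service account.
PRINCIPAL_EMAIL="${PRINCIPAL_EMAIL:-scc-storage-integration@example-project.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only (default); 0 = execute them

# The single permission the playbook remediation needs, scoped to the organization.
PERMISSION="resourcemanager.organizations.setIamPolicy"

# Print the command in dry-run mode, otherwise execute it verbatim.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step "Create a custom IAM role": one permission, launch stage General Availability.
create_custom_role() {
  run gcloud iam roles create "$ROLE_ID" \
    --organization="$ORG_ID" \
    --title="SCC public bucket remediation" \
    --description="Allows the Cloud Storage integration to remediate PUBLIC_BUCKET_ACL findings" \
    --permissions="$PERMISSION" \
    --stage=GA
}

# Step "Grant a custom role to an existing principal": bind the org-level custom
# role to the integration's service account and to nothing else.
grant_custom_role() {
  run gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:$PRINCIPAL_EMAIL" \
    --role="organizations/$ORG_ID/roles/$ROLE_ID"
}

# Verification: list every member that holds the custom role at the org level.
# Expect exactly one line, the integration's service account.
list_role_members() {
  run gcloud organizations get-iam-policy "$ORG_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.role=organizations/$ORG_ID/roles/$ROLE_ID" \
    --format="value(bindings.members)"
}

create_custom_role
grant_custom_role
list_role_members
```

Run it once with the default dry run to review the three commands, then with `DRY_RUN=0` from an identity that can administer organization IAM. The final listing is the check worth repeating periodically: any member other than the integration's service account holding this role has organization-wide `setIamPolicy` and should be removed.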