Enable the CIEM detection service for AWS

This page describes how to set up the Security Command Center Cloud Infrastructure Entitlement Management (CIEM) detection service to detect identity issues in your deployments on other cloud platforms, like Amazon Web Services (AWS).

The CIEM detection service generates findings that alert you to potential identity and access security issues in your AWS environment, such as highly privileged assumed IAM roles, users, and groups.

Before you begin

Before you enable the CIEM detection service, complete the following tasks:

• Purchase and activate the Enterprise tier of Security Command Center for your organization. For instructions, see Activate the Security Command Center Enterprise tier.
• Learn about Security Command Center's CIEM capabilities.

Set up permissions

To get the permissions that you need to enable CIEM, ask your administrator to grant you the following IAM roles on your Google Cloud organization:

• Chronicle API Admin (roles/chronicle.admin)
• Chronicle SOAR Admin (roles/chronicle.soarAdmin)
• Chronicle Service Admin (roles/chroniclesm.admin)
• Cloud Asset Owner (roles/cloudasset.owner)
• Create Service Accounts (roles/iam.serviceAccountCreator)
• Folder IAM Admin (roles/resourcemanager.folderIamAdmin)
• IAM Recommender Admin (roles/recommender.iamAdmin)
• Organization Administrator (roles/resourcemanager.organizationAdmin)
• Organization Role Administrator (roles/iam.roleAdmin)
• Project Creator (roles/resourcemanager.projectCreator)
• Project IAM Admin (roles/resourcemanager.projectIamAdmin)
• Security Admin (roles/iam.securityAdmin)
• Security Center Admin (roles/securitycenter.admin)

For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Configure supporting components for CIEM

To enable the CIEM detection service to produce findings for other cloud providers, you must configure certain supporting components in Security Command Center.

Complete the following tasks to enable the CIEM detection service for AWS:

• Set up Amazon Web Services (AWS) integration: Complete this step to connect your AWS environment to Security Command Center for vulnerability and risk assessment. For instructions, see Connect to AWS for vulnerability detection and risk assessment.
• Configure integrations: Complete this step to set up optional Security Command Center integrations such as connecting to your ticketing systems:
  • To connect your ticketing system, see Integrate Security Command Center Enterprise with ticketing systems.
  • To synchronize case data, Enable synchronization for cases.
• Configure log ingestion: To configure log ingestion appropriately for CIEM, see Configure AWS log ingestion for CIEM.

Use CIEM with Google Cloud

Most of the Security Command Center CIEM capabilities work by default for your Google Cloud environment and don't require any additional configuration. As part of Security Command Center's CIEM capabilities, findings are produced automatically for Google Cloud as long as you have an active Security Command Center Enterprise subscription.

What's next

• Learn how to investigate identity and access findings.
• Learn how to review cases for identity and access issues.
• Learn more about Security Command Center roles.