# GCP Security Command Center (SCC)

In this guide, you'll configure the integration between Radiant and Google Cloud Security Command Center (SCC). This setup allows Radiant Security to continuously monitor for vulnerabilities, misconfigurations, and threats, offering visibility into the security posture of your GCP resources. SCC aggregates data from various GCP services, helping Radiant Security quickly triage and investigate potential security incidents.

There are two visibility scenarios when it comes to SCC scope: **organization-wide** and **project-wide**. We support data collection for both cases, but they require different steps. This guide outlines the specific actions needed for each visibility scenario.

At the end of this configuration, you will provide Radiant Security with these values:

| Organization-Wide           | Project-Wide                |
| --------------------------- | --------------------------- |
| ADC Credentials (JSON file) | ADC Credentials (JSON file) |
| Organization ID             | Organization ID             |
| -                           | Project ID                  |

### Prerequisites

* [ ] You need to be an **Organization Admin** to perform the following tasks.

### Enable the SCC API

1. In the Google Cloud console, open the [**Enable access to API**](https://console.cloud.google.com/flows/enableapi?apiid=securitycenter.googleapis.com) page.
2. Make sure you are in the right project:
   1. If SCC is set up within a project, select this project.
   2. If SCC is **domain-wide**, select a project where you will later be able to create a service account. The location of this service account is an organizational decision and does not impact the connector.
3. Click **Next** and **Enable**.

### Create a service account

Regardless of your SCC visibility, you’ll need to create a service account in a project. This account is what retrieves logs from the API.

1. In the Google Cloud console, navigate to **IAM & Admin** > **Service Accounts**.
2. Select the project where you enabled the API in the previous step.
3. Click **+ Create service account** and add the following information:
   1. **Service account name**: `Radiant-Connector`
   2. **Service account ID**: `radiant-connector` (This is an auto-generated field.)
   3. **Service account description**: `Account used to retrieve security logs from SCC`
4. Copy the **Email address**; you’ll need it later. Click **Create and Continue**.
5. In the **Grant this service account access to project** section, click the drop-down for **Select a role**, search for and select the **Security Center Admin Viewer** role.
6. Skip the third step and click **Done**.

### Create a service account key

1. While still on the **Service Accounts** page in the Google Cloud console, click the newly created account.
2. Click the **Keys** tab and click **Add Key > Create new Key**.
3. For **Key type**, select **JSON** and click **Create**.
4. The JSON file downloads automatically. Be sure to save it in a secure place.

### Grant access for a domain-wide SCC

{% hint style="info" %}
**Note**: You may skip this step if SCC is project-wide.
{% endhint %}

1. In the Google Cloud console, navigate to **IAM & Admin** and make sure that you are in the organization scope.
2. Click **+ Grant Access**.
3. In the **Add principals** section, in the **New principals** field, enter the service account email address that you copied in the **Create a service account** step.
4. In the **Assign roles** section, click the **Role** drop-down, search for and select the **Security Center Admin Viewer** role.
5. Click **Save**.
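
A least-privilege check on the bindings created in this guide, as an added example that is not part of Radiant's or Google's tooling. It assumes the IAM policies have been exported as JSON (for instance with `gcloud projects get-iam-policy` and `gcloud organizations get-iam-policy`, both with `--format=json`) and that `roles/securitycenter.adminViewer` is the ID of the **Security Center Admin Viewer** role; the policies and the `example-project` name below are constructed sample data.

```python
SA_ROLE = "roles/securitycenter.adminViewer"  # ID of "Security Center Admin Viewer"


def roles_for(policy, member):
    """Return the set of roles a member holds in one IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(sa_email, project_policy, org_policy, org_wide):
    """Compare the connector account's bindings with what this guide grants."""
    member = f"serviceAccount:{sa_email}"
    scopes = {"project": roles_for(project_policy, member),
              "organization": roles_for(org_policy, member)}
    # The project binding is always created; the organization one only
    # when SCC is organization-wide (domain-wide).
    required = ["project"] + (["organization"] if org_wide else [])
    findings = []
    for scope, roles in scopes.items():
        if scope in required and SA_ROLE not in roles:
            findings.append(f"{scope}: missing {SA_ROLE}")
        if scope not in required and SA_ROLE in roles:
            findings.append(f"{scope}: {SA_ROLE} granted but SCC is project-wide")
        for extra in sorted(roles - {SA_ROLE}):
            findings.append(f"{scope}: unexpected role {extra}")
    return findings


# Constructed sample policies in the shape of the exported JSON (not real output).
SA = "radiant-connector@example-project.iam.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": SA_ROLE, "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/editor",
     "members": [f"serviceAccount:{SA}", "user:admin@example.com"]},
]}
ORG_POLICY = {"bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    for finding in audit(SA, PROJECT_POLICY, ORG_POLICY, org_wide=True):
        print(finding)
```
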

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **GCP Security Command Center (SCC)** option and then click **Data Feeds**.
4. Under **Select your data feeds**, select the **GCP Security Command Center (SCC)** data feed and click **Credentials**.
5. Under **Credential Name**, give the credential an identifiable name (e.g. `GCP Radiant Credentials`).
6. Enter the **GCP organization ID**.
7. If applicable, enter the **GCP project ID**.
8. For **Upload JSON File**, upload the GCP credentials JSON file you downloaded in the [Create a service account key](#create-a-service-account-key) step.
9. Click **Add Connector**.


