Configuring Cyber Insurance Hub

This topic describes how to configure your Google Cloud organization to use Cyber Insurance Hub for the first time. These steps are prerequisites for most tasks in Cyber Insurance Hub.

Beginning Cyber Insurance Hub setup

Before Cyber Insurance Hub can generate reports, you must complete a one-time setup. Setup requires Identity and Access Management (IAM) permissions beyond the scope of Cyber Insurance Hub, which may only be held by an administrator in your organization.

To begin setup, follow these steps:

Console

  1. Go to the Cyber Insurance Hub setup page.

    Go to Cyber Insurance Hub setup

  2. Select your organization.

    If Enroll in Cyber Insurance Hub is not displayed, obtain the required setup permissions, and then try again. Otherwise, grant the service agent access to your organization.

Required setup permissions

If Enroll in Cyber Insurance Hub is not displayed, you are missing the required permissions. To proceed, you must request these permissions from your Google Cloud administrator.

The following roles contain the permissions you need to complete the steps in this guide:

  • Risk Manager Admin
  • Organization Administrator

The following permissions are required:

Required permission | Reference
riskmanager.serviceAccount.create | See Cyber Insurance Hub access control for IAM roles that include this permission. See Assign IAM roles for how to assign Cyber Insurance Hub roles.
resourcemanager.organizations.getIamPolicy | See Access control for organizations for IAM roles that include this permission.
resourcemanager.organizations.setIamPolicy | See Access control for organizations for IAM roles that include this permission.

Grant the Risk Manager Service Agent access to your organization

When you begin to set up Cyber Insurance Hub in the Google Cloud console, a service agent is created. Upon creation, this service agent has no permissions and cannot perform any actions.

The Risk Manager Service Agent must be granted the Risk Manager Service Agent role (roles/riskmanager.serviceAgent) in order to read security findings and build reports. For more information about the service agent role, see Access control with IAM.

To grant the role to the service agent, follow these steps:

Console

  1. Go to the Cyber Insurance Hub setup page.

    Go to Cyber Insurance Hub setup steps

  2. Select your organization.

  3. Click Grant Roles.

  4. Verify that Grant Roles is updated to Roles Granted.

Enroll in Cyber Insurance Hub

Enrolling in Cyber Insurance Hub enables any backend services needed for Cyber Insurance Hub to work.

For enrollment to succeed, the organization must have Security Command Center enabled, with the Security Health Analytics service enabled within Security Command Center. The Security Command Center and Security Health Analytics enablement process is detailed in the Cyber Insurance Hub onboarding page.

To enroll in Cyber Insurance Hub, follow these steps:

Console

  1. Go to the Cyber Insurance Hub setup page.

    Go to Cyber Insurance Hub setup steps

  2. Select your organization.

  3. Click Enroll.

  4. Verify that Enroll is updated to Enrolled.

Grant IAM roles

Before a user can create, review, share, or send a report, that user must have the appropriate IAM permissions. You can grant one or more predefined roles or create and grant custom roles. For example, a principal with the Cyber Insurance Hub Report Reviewer role (roles/riskmanager.reportReviewer) can access (but not modify) the reports, and approve reports to be sent; however, they can't create reports.

For more information, including a list of predefined roles for Cyber Insurance Hub, see Access control with IAM.

To grant a role, follow these steps:

Console

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM

  2. Select the organization for which you have enrolled Cyber Insurance Hub.

  3. On the IAM page, next to your username, click Edit principal.

  4. On the Edit permissions pane that appears, add the necessary roles.

    1. Click Add another role. Select a role to add, such as Risk Manager Report Reviewer.

    2. To add more roles, repeat the previous step. Click Save.

gcloud

  1. Install and initialize the Google Cloud CLI.

  2. Run the following command:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
      --member=user:USERNAME --role=roles/ROLE
    

    Replace the following:

    • ORGANIZATION_ID: the numeric ID of your organization for which you have enrolled Cyber Insurance Hub.

    • USERNAME: the principal that you want to grant this role to. This must be a member of your organization; for example, test-user@example.com.

    • ROLE: the name of the Cyber Insurance Hub role that you want to grant; for example, riskmanager.reportReviewer.
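To review the outcome of the grants described above, the following added example (not part of the original documentation or of Google's tooling) audits an organization IAM policy for roles/riskmanager.* bindings. The function name, the org_domain parameter, the review rules and the sample policy are assumptions constructed for illustration.

```python
import json

ROLE_PREFIX = "roles/riskmanager."
SERVICE_AGENT_ROLE = "roles/riskmanager.serviceAgent"  # role named on this page
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def audit_riskmanager_bindings(policy, org_domain):
    """Return (holders, findings) for Cyber Insurance Hub roles in an IAM policy.

    holders maps each roles/riskmanager.* role to its members; findings is a
    list of (member, role, reason) tuples for grants that need review.
    """
    holders, findings = {}, []
    suffix = "@" + org_domain.lower()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith(ROLE_PREFIX):
            continue  # only Cyber Insurance Hub roles are in scope here
        for member in binding.get("members", []):
            holders.setdefault(role, []).append(member)
            kind, _, ident = member.partition(":")
            if member in PUBLIC_MEMBERS:
                findings.append((member, role, "public principal"))
            elif role == SERVICE_AGENT_ROLE:
                # Assumed rule: the service agent's role belongs on a service account.
                if kind != "serviceAccount":
                    findings.append((member, role, "not a service account"))
            elif kind in ("user", "group") and not ident.lower().endswith(suffix):
                # Assumed rule: report roles go to members of the organization.
                findings.append((member, role, "outside organization domain"))
    return holders, findings

# Constructed sample in the shape printed by
# `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/riskmanager.serviceAgent",
   "members": ["serviceAccount:agent@placeholder.invalid",
               "user:test-user@example.com"]},
  {"role": "roles/riskmanager.reportReviewer",
   "members": ["user:test-user@example.com",
               "user:contractor@other.example"]},
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["user:admin@example.com"]}
]}
""")

if __name__ == "__main__":
    holders, findings = audit_riskmanager_bindings(SAMPLE_POLICY, "example.com")
    for member, role, reason in findings:
        print(f"REVIEW {role}: {member} ({reason})")
```

To audit a real organization, load the JSON output of `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` in place of the constructed sample.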
