Allow Event Threat Detection to access VPC Service Controls perimeters

Premium and Enterprise service tiers

This document describes how to add ingress rules to allow Event Threat Detection to monitor logging streams in Security Command Center within VPC Service Controls perimeters. Perform this task if your organization uses VPC Service Controls to restrict services in projects that you want Event Threat Detection to monitor. For more information about Event Threat Detection, see Event Threat Detection overview.

Before you begin

Make sure that you have the following role or roles on the organization: Cloud Asset Service Agent (roles/cloudasset.serviceAgent).

Check for the roles

  1. In the Google Cloud console, go to the IAM page.
  2. Select the organization.
  3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
  4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

Grant the roles

  1. In the Google Cloud console, go to the IAM page.
  2. Select the organization.
  3. Click Grant access.
  4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
  5. Click Select a role, then search for the role.
  6. To grant additional roles, click Add another role and add each additional role.
  7. Click Save.

Create the ingress rules

To allow Event Threat Detection to monitor logging streams in Security Command Center within VPC Service Controls perimeters, add the required ingress rules in those perimeters. Perform these steps for each perimeter that you want Event Threat Detection to monitor.

For more information, see Updating ingress and egress policies for a service perimeter in the VPC Service Controls documentation.

Console

  1. In the Google Cloud console, go to the VPC Service Controls page.

  2. Select your organization or project.
  3. In the drop-down list, select the access policy that contains the service perimeter that you want to grant access to.

    The service perimeters associated with the access policy appear in the list.

  4. Click the name of the service perimeter that you want to update.

    To find the service perimeter you need to modify, you can check your logs for entries that show RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violations. In those entries, check the servicePerimeterName field:

    accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME
  5. Click Edit.
  6. Click Ingress policy.
  7. Click Add an ingress rule.
  8. In the From section, set the following details:

    1. For Identities > Identity, select Select identities & groups.
    2. Click Add identities.
    3. Enter the email address that identifies the Cloud Security Command Center Service Agent. This address has the following format:

      service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com

      Replace ORGANIZATION_ID with your organization ID.

    4. Select the service agent or press ENTER, and then click Add identities.
    5. For Sources, select All sources.
  9. In the To section, set the following details:

    1. For Resources > Projects, select All projects.
    2. For Operations or IAM roles, select Select operations.
    3. Click Add operations, and then add the following operations:

      • Add the cloudasset.googleapis.com service.
        1. Click All methods.
        2. Click Add all methods.
  10. Click Save.

gcloud

  1. If a quota project isn't already set, then set it. Choose a project that has the Access Context Manager API enabled.

    gcloud config set billing/quota_project QUOTA_PROJECT_ID

    Replace QUOTA_PROJECT_ID with the ID of the project that you want to use for billing and quota.

  2. Create a file named ingress-rule.yaml with the following contents:

    - ingressFrom:
        identities:
        - serviceAccount:service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
        sources:
        - accessLevel: '*'
      ingressTo:
        operations:
        - serviceName: cloudasset.googleapis.com
          methodSelectors:
          - method: '*'
        resources:
        - '*'

    Replace ORGANIZATION_ID with your organization ID.

  3. Add the ingress rule to the perimeter:

    gcloud access-context-manager perimeters update PERIMETER_NAME \
        --set-ingress-policies=ingress-rule.yaml

    Replace the following:

    • PERIMETER_NAME: the name of the perimeter. For example, accessPolicies/1234567890/servicePerimeters/example_perimeter.

      To find the service perimeter you need to modify, you can check your logs for entries that show RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violations. In those entries, check the servicePerimeterName field:

      accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME
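The gcloud steps above, worked through as a script. This is an added example, not code from the Google Cloud documentation: it generates ingress-rule.yaml from an organization ID, extracts the servicePerimeterName from a violation log entry (the log entry is constructed and simplified), and prints the update command for review rather than running it. The function names and the 123456789012 organization ID are assumptions.

```shell
#!/bin/sh
# Added example, not from the Google Cloud docs: build the ingress-rule.yaml
# described above and read the perimeter name from a
# RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER log entry.
# The log entry below is constructed and simplified; real entries carry more fields.

SAMPLE_LOG='{"protoPayload":{"status":{"message":"RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER"},"metadata":{"ingressViolations":[{"servicePerimeterName":"accessPolicies/1234567890/servicePerimeters/example_perimeter"}]}}}'

# Print the first servicePerimeterName found in a log entry; fail if there is none.
perimeter_from_log() {
  name=$(printf '%s\n' "$1" | grep -o '"servicePerimeterName": *"[^"]*"' | head -n 1 | cut -d'"' -f4)
  [ -n "$name" ] || { echo "no servicePerimeterName in log entry" >&2; return 1; }
  printf '%s\n' "$name"
}

# Write the ingress rule for the Security Command Center service agent.
# Organization IDs are numeric, so anything else is rejected before a file is written.
write_ingress_rule() {
  org_id="$1"; out="$2"
  case "$org_id" in
    ''|*[!0-9]*) echo "organization ID must be numeric: '$org_id'" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
- ingressFrom:
    identities:
    - serviceAccount:service-org-${org_id}@security-center-api.iam.gserviceaccount.com
    sources:
    - accessLevel: '*'
  ingressTo:
    operations:
    - serviceName: cloudasset.googleapis.com
      methodSelectors:
      - method: '*'
    resources:
    - '*'
EOF
}

# Print the update command instead of running it, so the rule can be reviewed first.
update_command() {
  printf 'gcloud access-context-manager perimeters update %s --set-ingress-policies=%s\n' "$1" "$2"
}

# Usage (123456789012 is a placeholder organization ID): sh this.sh 123456789012
if [ -n "$1" ]; then
  perimeter=$(perimeter_from_log "$SAMPLE_LOG")
  write_ingress_rule "$1" ingress-rule.yaml
  update_command "$perimeter" ingress-rule.yaml
fi
```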

See Ingress and egress rules for more information.


Last updated 2026-02-20 UTC.