Security posture overview

Premium and Enterprise service tiers (requires organization-level activation)

A security posture lets you define and manage the security status of your cloud assets, including your cloud network and cloud services. You can use a security posture to evaluate your current cloud security against defined benchmarks, which helps you maintain the level of security that your organization requires. A security posture helps you detect and mitigate any drift from your defined benchmark. By defining and maintaining a security posture that matches your business's security needs, you can reduce cybersecurity risks to your organization and help prevent attacks from occurring.

In Google Cloud, you can use the security posture service in Security Command Center to define and deploy a security posture, monitor the security status of your Google Cloud resources, and address any drift (or unauthorized change) from your defined posture.

Benefits and applications

The security posture service is a built-in service for Security Command Center that lets you define, assess, and monitor the overall status of your security in Google Cloud. The security posture service is only available to you if you purchase a subscription of the Security Command Center Premium tier or the Enterprise tier and activate Security Command Center at the organization level.

You can use the security posture service to achieve the following goals:

  • Ensure that your workloads conform to security standards, compliance regulations, and your organization's custom security requirements.

  • Apply your security controls to Google Cloud projects, folders, or organizations before you deploy any workloads.

  • Continuously monitor for and resolve any drift from your defined security controls.

The security posture service is automatically enabled when you activate Security Command Center at the organization level.

Service components

The security posture service includes the following components:

Posture

One or more policy sets that enforce the preventative and detective controls that your organization requires to meet its security standard. You can deploy postures at the organization level, folder level, or project level. For a list of posture templates, see Predefined posture templates.

Policy sets

A set of security requirements and associated controls in Google Cloud. Typically, a policy set consists of all the policies that let you meet the requirements of a particular security standard or compliance regulation.

Policy

A particular constraint or restriction that controls or monitors the behavior of resources in Google Cloud. Policies can be preventative (for example, organization policy constraints) or detective (for example, Security Health Analytics detectors). Supported policies are the following:

Posture deployment

After you create a posture, you deploy it so that you can apply the posture to the organization, folders, or projects that you want to manage using the posture.

The following diagram shows the components of an example security posture.

Components in the security posture service.

Predefined posture templates

The security posture service includes predefined posture templates that adhere to a compliance standard or to a Google-recommended standard like the enterprise foundations blueprint recommendations. You can use these templates to create security postures that apply to your business. The following table describes the posture templates.

Posture template | Template name | Description
Secure by default, essentials | secure_by_default_essential | This template implements the policies that help prevent common misconfigurations and common security issues caused by default settings. You can deploy this template without making any changes to it.
Secure by default, extended | secure_by_default_extended | This template implements the policies that help prevent common misconfigurations and common security issues caused by default settings. Before you deploy this template, you must customize it to match your environment.
Secure AI recommendations, essentials | secure_ai_essential | This template implements policies that help you secure Gemini and Vertex AI workloads. You can deploy this template without making any changes to it.
Secure AI recommendations, extended | secure_ai_extended | This template implements policies that help you secure Gemini and Vertex AI workloads. Before you deploy this template, you must customize it to match your environment.
BigQuery recommendations, essentials | big_query_essential | This template implements policies that help you secure BigQuery. You can deploy this template without making any changes to it.
Cloud Storage recommendations, essentials | cloud_storage_essential | This template implements policies that help you secure Cloud Storage. You can deploy this template without making any changes to it.
Cloud Storage recommendations, extended | cloud_storage_extended | This template implements policies that help you secure Cloud Storage. Before you deploy this template, you must customize it to match your environment.
VPC recommendations, essentials | vpc_networking_essential | This template implements policies that help you secure Virtual Private Cloud (VPC). You can deploy this template without making any changes to it.
VPC recommendations, extended | vpc_networking_extended | This template implements policies that help you secure VPC. Before you deploy this template, you must customize it to match your environment.
Center for Internet Security (CIS) Google Cloud Computing Platform Benchmark v2.0.0 recommendations | cis_2_0 | This template implements policies that help you detect when your Google Cloud environment doesn't align with the CIS Google Cloud Computing Platform Benchmark v2.0.0. You can deploy this template without making any changes to it.
NIST SP 800-53 standard recommendations | nist_800_53 | This template implements policies that help you detect when your Google Cloud environment doesn't align with the National Institute of Standards and Technology (NIST) SP 800-53 standard. You can deploy this template without making any changes to it.
ISO 27001 standard recommendations | iso_27001 | This template implements policies that help you detect when your Google Cloud environment doesn't align with the International Organization for Standardization (ISO) 27001 standard. You can deploy this template without making any changes to it.
PCI DSS standard recommendations | pci_dss_v_3_2_1 | This template implements policies that help you detect when your Google Cloud environment doesn't align with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1 and version 1.0. You can deploy this template without making any changes to it.

Posture deployment and drift monitoring

To enforce a posture with all its policies on a Google Cloud resource, you deploy the posture. You can specify which level of the resource hierarchy (organization, folder, or project) that the posture applies to. You can only deploy one posture to each organization, folder, or project.

Postures are inherited by child folders and projects. Therefore, if you deploy postures at the organization level and at the project level, all the policies within both postures apply to the resources in the project. If there are any differences in policy definitions (for example, a policy is set to Allow at the organization level and to Deny at the project level), the lower-level posture is used by the resources in that project.

As a best practice, we recommend that you deploy a posture at the organization level that includes policies that can apply to your entire business. You can then apply more stringent policies to folders or projects that require them. For example, if you use the enterprise foundations blueprint to set up your infrastructure, you create certain projects (for example, prj-c-kms) that are specifically created to contain the encryption keys for all the projects in a folder. You can use a security posture to set the constraints/gcp.restrictCmekCryptoKeyProjects organization policy constraint on the common folder and environment folders (development, nonproduction, and production) so that all projects only use keys from the key projects.

After you deploy your posture, you can monitor your environment for any drift from your defined posture. Security Command Center reports instances of drift as findings that you can review, filter, and resolve. In addition, you can export these findings in the same way that you export any other findings from Security Command Center. For more information, see Exporting Security Command Center data.
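The deployment rules in this section (one posture per organization, folder, or project; inheritance by child folders and projects; the lower-level posture winning when two postures define the same policy differently) and the drift monitoring just described can be modelled in a few lines. The following Python is an added illustration written for this page, not Security Command Center code and not the posture API or posture file format. The resource hierarchy, the simplified posture and policy shapes, the rule encoding, the extra key project projects/prj-legacy-kms, and the observed snapshot are all constructed assumptions; only the behaviour the page states is modelled.

```python
from dataclasses import dataclass

# Constructed resource hierarchy (child -> parent); the organization has no parent.
HIERARCHY = {
    "organizations/123456": None,
    "folders/common": "organizations/123456",
    "folders/production": "organizations/123456",
    "projects/prj-c-kms": "folders/common",
    "projects/prj-p-app": "folders/production",
}

MAX_POLICIES_PER_POSTURE = 400  # service limit stated on the page


def rule(**settings):
    """Normalise a policy setting into a hashable, comparable form (assumed shape)."""
    return tuple(sorted(settings.items()))


@dataclass(frozen=True)
class Policy:
    """A constraint plus the setting the posture expects for it (simplified)."""
    policy_id: str
    constraint: str
    expected: tuple  # output of rule(), e.g. rule(enforce=True)


@dataclass
class Posture:
    name: str
    policies: list


def ancestry(resource):
    """Yield the resource and then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = HIERARCHY[resource]


def deploy(deployments, resource, posture):
    """Record a deployment: one posture per resource, at most 400 policies each."""
    if len(posture.policies) > MAX_POLICIES_PER_POSTURE:
        raise ValueError(f"{posture.name} exceeds {MAX_POLICIES_PER_POSTURE} policies")
    if resource in deployments:
        raise ValueError(f"{resource} already has posture {deployments[resource].name}")
    deployments[resource] = posture


def effective_policies(deployments, resource):
    """Resolve the policy that applies to `resource` for each constraint.
    Walking from the organization downwards and letting each level overwrite
    gives the page's rule that the lower-level posture wins on conflicts.
    Returns {constraint: (policy, resource the posture was deployed at)}."""
    effective = {}
    for node in reversed(list(ancestry(resource))):
        posture = deployments.get(node)
        if posture is None:
            continue
        for pol in posture.policies:
            effective[pol.constraint] = (pol, node)
    return effective


def detect_drift(deployments, resource, observed):
    """Return one finding-like dict per constraint whose observed setting differs
    from the effective posture. `observed` maps constraint -> rule(...) as
    currently configured (a constructed snapshot, not live API data)."""
    findings = []
    for constraint, (pol, source) in effective_policies(deployments, resource).items():
        actual = observed.get(constraint)
        if actual != pol.expected:
            findings.append({"resource": resource, "policy_id": pol.policy_id,
                             "constraint": constraint, "expected": pol.expected,
                             "observed": actual, "deployed_at": source})
    return findings


def build_example_deployments():
    """Org-wide baseline plus a stricter production-folder posture (constructed)."""
    baseline = Posture("baseline", [
        Policy("os-login", "constraints/compute.requireOsLogin", rule(enforce=True)),
        Policy("cmek-projects", "constraints/gcp.restrictCmekCryptoKeyProjects",
               rule(allowed_values=("projects/prj-c-kms", "projects/prj-legacy-kms"))),
    ])
    production = Posture("production-strict", [
        Policy("cmek-projects-prod", "constraints/gcp.restrictCmekCryptoKeyProjects",
               rule(allowed_values=("projects/prj-c-kms",))),
    ])
    deployments = {}
    deploy(deployments, "organizations/123456", baseline)
    deploy(deployments, "folders/production", production)
    return deployments


if __name__ == "__main__":
    deps = build_example_deployments()
    # Constructed snapshot: the app project still allows the legacy key project.
    snapshot = {
        "constraints/compute.requireOsLogin": rule(enforce=True),
        "constraints/gcp.restrictCmekCryptoKeyProjects":
            rule(allowed_values=("projects/prj-c-kms", "projects/prj-legacy-kms")),
    }
    for finding in detect_drift(deps, "projects/prj-p-app", snapshot):
        print(finding)
```

Running the module reports a single drift finding for projects/prj-p-app: the production-folder posture restricts CMEK keys to projects/prj-c-kms, and that lower-level definition wins over the organization baseline, so the wider allowed list observed on the project is flagged. The same snapshot produces no finding for projects/prj-c-kms, which inherits only the organization posture.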

Integration with Vertex AI and Gemini

You can use security postures to help you maintain the security for your AI workloads. The security posture service includes the following:

  • Predefined posture templates that are specific to AI workloads.

  • A pane on the Overview page that lets you monitor for vulnerabilities that were found by the Security Health Analytics custom modules that apply to AI, and lets you view any drift from the Vertex AI organization policies that are defined in a posture.

AWS integration

If you connect Security Command Center Enterprise to AWS for configuration and resource data collection, the Security Health Analytics service includes built-in detectors that can monitor your AWS environment and create findings.

When you create or modify a posture file, you can include Security Health Analytics detectors that are specific to AWS. You must deploy this posture file at the organization level.

Service limits

The security posture service includes the following limits:

  • A maximum of 100 postures in an organization.
  • A maximum of 400 policies in a posture.
  • A maximum of 1000 posture deployments in an organization.


Last updated 2026-02-20 UTC.