GCP has over a few thousand built in (predefined) roles for a variety of activities.

Level 1 Access - Security Auditor Only (Read Only Roles)

Don't need to be an Org Owner or an Org Admin, but we would need:
  1. roles/resourcemanager.organizationViewer
  2. roles/iam.securityReviewer
The latter of these is an all inclusive, global security reader that is similar to AWS' SecurityAudit Managed Policy. It is a read-only predefined role.
Level 2 Access - Actual Remediation Tasks based on Security Command Center Findings
In order to perform remediation tasks, as well as spin up test resources (including new VPCs and resources within), these are some predefined GCP roles that would be needed:
  1. Shared VPC Admin ( at the Org level)
  2. Network Admin  (at the Org level)
  3. Security Admin  (at the Org level)

Summary

GCP Roles can be a little intimidating (there's thousands to choose from).  For Security related tasks, the roles described above are the most important ones in Google Cloud.

Need Assistance with your AWS or GCP cloud strategy?