Error detectors generate findings that point to issues in the configuration of
your Security Command Center environment. These configuration issues prevent
detection services (also known as
finding providers) from generating findings. Error findings are
generated by the Security Command Center
security source and have the finding
class SCC errors
.
This selection of error detectors addresses common Security Command Center misconfigurations and is not an exhaustive list. The absence of error findings doesn't guarantee that Security Command Center and its services are properly configured and working as intended. If you suspect that you have misconfiguration issues that aren't covered by these error detectors, see Troubleshooting and Error messages.
Severity levels
An error finding can have either of the following severity levels:
- Critical
Indicates that the error is causing one or more of the following issues:
- The error prevents you from seeing all of a service's findings.
- The error is preventing Security Command Center from generating new findings of any severity.
- The error is preventing attack path simulations from generating attack exposure scores and attack paths.
- High
Indicates the error is causing one or more of the following issues:
- You cannot see or export some of a service's findings.
- For attack path simulations, the attack exposure scores and attack paths might be incomplete or inaccurate.
Mute behavior
Findings belonging to the finding class SCC errors
report issues that prevent
Security Command Center from working as expected. For this reason, error findings can't be muted.
Error detectors
The following table describes the error detectors and the assets they support. You can filter findings by category name or finding class on the Security Command Center Findings tab in the Google Cloud console.
To remediate these findings, see Remediating Security Command Center errors.
The following finding categories represent errors possibly caused by unintentional actions.
Category name | API name | Summary | Severity |
---|---|---|---|
API disabled |
API_DISABLED |
Finding description: A required API is disabled for the project. The disabled service can't send findings to Security Command Center. Pricing tier: Premium or Standard
Supported assets Batch scans: Every 60 hours |
Critical |
Attack path simulation: no resource value configs match any resources |
APS_NO_RESOURCE_VALUE_CONFIGS_MATCH_ANY_RESOURCES |
Finding description: Resource value configurations are defined for attack path simulations, but they do not match any resource instances in your environment. The simulations are using the default high-value resource set instead. This error can have any of the following causes:
Pricing tier: Premium
Supported assets Batch scans: Before every attack path simulation. |
Critical |
Attack path simulation: resource value assignment limit exceeded |
APS_RESOURCE_VALUE_ASSIGNMENT_LIMIT_EXCEEDED |
Finding description: In the last attack path simulation, the number of high-value resource instances, as identified by the resource value configurations, exceeded the limit of 1,000 resource instances in a high-value resource set. As a result, Security Command Center excluded the excess number of instances from the high-value resource set. The total number of matching instances and the total number of instances excluded
from the set are identified in the The attack exposure scores on any findings that affect excluded resource instances do not reflect the high-value designation of the resource instances. Pricing tier: Premium
Supported assets Batch scans: Before every attack path simulation. |
High |
Container Threat Detection
Image Pull Failure |
KTD_IMAGE_PULL_FAILURE |
Finding description:
Container Threat Detection can't be enabled on the cluster because a required container
image can't be pulled (downloaded) from The attempt to deploy the Container Threat Detection DaemonSet resulted in the following error:
Pricing tier: Premium
Supported assets Batch scans: Every 30 minutes |
Critical |
Container Threat Detection
Blocked By Admission Controller |
KTD_BLOCKED_BY_ADMISSION_CONTROLLER |
Finding description: Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires. When viewed in the Google Cloud console, the finding details include the error message that was returned by Google Kubernetes Engine when Container Threat Detection attempted to deploy a Container Threat Detection DaemonSet Object. Pricing tier: Premium
Supported assets Batch scans: Every 30 minutes |
High |
Container Threat
Detection service account missing permissions |
KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS |
Finding description: A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled. Pricing tier: Premium
Supported assets Batch scans: Every 30 minutes |
Critical |
GKE service account missing
permissions |
GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS |
Finding description: Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster. Pricing tier: Premium
Supported assets Batch scans: Every week |
High |
Misconfigured Cloud Logging Export |
MISCONFIGURED_CLOUD_LOGGING_EXPORT |
Finding description: The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging. Pricing tier: Premium
Supported assets Batch scans: Every 30 minutes |
High |
VPC Service Controls Restriction |
VPC_SC_RESTRICTION |
Finding description: Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter. Pricing tier: Premium or Standard
Supported assets Batch scans: Every 6 hours |
High |
Security Command
Center service account missing permissions |
SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS |
Finding description: The Security Command Center service account is missing permissions required to function properly. No findings are produced. Pricing tier: Premium or Standard
Supported assets Batch scans: Every 30 minutes |
Critical |
What's next
- Learn how to remediate Security Command Center errors.
- Refer to Troubleshooting.
- Refer to Error messages.