Overview of Security Command Center errors

Stay organized with collections Save and categorize content based on your preferences.

Error detectors generate findings that point to issues in the configuration of your Security Command Center environment. These configuration issues prevent services (also known as finding providers or sources) from generating findings. Error findings are generated by the Security Command Center security source and have the finding class SCC errors.

This selection of error detectors addresses common Security Command Center misconfigurations and is not an exhaustive list. The absence of error findings doesn't guarantee that Security Command Center and its services are properly configured and working as intended. If you suspect that you have misconfiguration issues that aren't covered by these error detectors, see Troubleshooting and Error messages.

Severity levels

An error finding can have either of the following severity levels:

Critical
The error prevents you from seeing all of a service's findings, or prevents new findings—of any severity—from being generated.
High
The error prevents you from seeing or exporting findings.

Mute behavior

Findings belonging to the finding class SCC errors report issues that prevent Security Command Center from working as expected. For this reason, error findings can't be muted.

Error detectors

The following table describes the error detectors and the assets they support. You can filter findings by category name or finding class on the Security Command Center Findings tab in the Google Cloud console.

To remediate these findings, see Remediating Security Command Center errors.

The following finding categories represent errors possibly caused by unintentional actions.

Inadvertent actions
Category name API name Summary Severity
API disabled API_DISABLED

Finding description: A required API is disabled for the project. The disabled service can't send findings to Security Command Center.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Project

Batch scans: Every 60 hours

Fix this finding

Critical
Container Threat Detection service account missing permissions KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Batch scans: Every 30 minutes

Fix this finding

Critical
GKE service account missing permissions GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Batch scans: Every week

Fix this finding

High
Misconfigured Cloud Logging Export MISCONFIGURED_CLOUD_LOGGING_EXPORT

Finding description: The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization

Batch scans: Every 30 minutes

Fix this finding

High
VPC Service Controls Restriction VPC_SC_RESTRICTION

Finding description: Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Project

Batch scans: Every 6 hours

Fix this finding

High
Security Command Center service account missing permissions SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: The Security Command Center service account is missing permissions required to function properly. No findings are produced.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Organization

Batch scans: Every 30 minutes

Fix this finding

Critical

What's next