Overview of Security Command Center errors

Error detectors generate findings that point to issues in the configuration of your Security Command Center environment. These configuration issues prevent services (also known as finding providers or sources) from generating findings. Error findings are generated by the Security Command Center security source and have the finding class SCC errors.

This selection of error detectors addresses common Security Command Center misconfigurations and is not an exhaustive list. The absence of error findings doesn't guarantee that Security Command Center and its services are properly configured and working as intended. If you suspect that you have misconfiguration issues that aren't covered by these error detectors, see Troubleshooting and Error messages.

Severity levels

An error finding can have either of the following severity levels:

Critical

Indicates that the error is causing one or more of the following issues:

The error prevents you from seeing all of a service's findings.
The error is preventing Security Command Center from generating new findings of any severity.
The error is preventing attack path simulations from generating attack exposure scores and attack paths.

High

Indicates the error is causing one or more of the following issues:

You cannot see or export some of a service's findings.
For attack path simulations, the attack exposure scores and attack paths might be incomplete or inaccurate.

Mute behavior

Findings belonging to the finding class SCC errors report issues that prevent Security Command Center from working as expected. For this reason, error findings can't be muted.

Error detectors

The following table describes the error detectors and the assets they support. You can filter findings by category name or finding class on the Security Command Center Findings tab in the Google Cloud console.

To remediate these findings, see Remediating Security Command Center errors.

The following finding categories represent errors possibly caused by unintentional actions.

Inadvertent actions
Category name	API name	Summary	Severity
`API disabled`	`API_DISABLED`	Finding description: A required API is disabled for the project. The disabled service can't send findings to Security Command Center. Pricing tier: Premium or Standard Supported assets cloudresourcemanager.googleapis.com/Project Batch scans: Every 60 hours Fix this finding	Critical
`Attack path simulation: no resource value configs match any resources`	`APS_NO_RESOURCE_VALUE_CONFIGS_MATCH_ANY_RESOURCES`	Finding description: Resource value configurations are defined for attack path simulations, but they do not match any resource instances in your environment. The simulations are using the default high-value resource set instead. This error can have any of the following causes: None of the resource value configurations match any resource instances. One or more resource value configurations that specify `NONE` override every other valid configuration. All the defined resource value configurations specify a value of `NONE`. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organizations Batch scans: Before every attack path simulation. Fix this finding	Critical
`Attack path simulation: resource value assignment limit exceeded`	`APS_RESOURCE_VALUE_ASSIGNMENT_LIMIT_EXCEEDED`	Finding description: In the last attack path simulation, the number of high-value resource instances, as identified by the resource value configurations, exceeded the limit of 1,000 resource instances in a high-value resource set. As a result, Security Command Center excluded the excess number of instances from the high-value resource set. The total number of matching instances and the total number of instances excluded from the set are identified in the `SCC Error` finding in the Google Cloud console. The attack exposure scores on any findings that affect excluded resource instances do not reflect the high-value designation of the resource instances. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organizations Batch scans: Before every attack path simulation. Fix this finding	High
`Container Threat Detection Image Pull Failure`	`KTD_IMAGE_PULL_FAILURE`	Finding description: Container Threat Detection can't be enabled on the cluster because a required container image can't be pulled (downloaded) from `gcr.io`, the Container Registry image host. The image is needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires. The attempt to deploy the Container Threat Detection DaemonSet resulted in the following error: `Failed to pull image "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": rpc error: code = NotFound desc = failed to pull and unpack image "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": failed to resolve reference "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00: not found` Pricing tier: Premium Supported assets container.googleapis.com/Cluster Batch scans: Every 30 minutes Fix this finding	Critical
`Container Threat Detection Blocked By Admission Controller`	`KTD_BLOCKED_BY_ADMISSION_CONTROLLER`	Finding description: Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires. When viewed in the Google Cloud console, the finding details include the error message that was returned by Google Kubernetes Engine when Container Threat Detection attempted to deploy a Container Threat Detection DaemonSet Object. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Batch scans: Every 30 minutes Fix this finding	High
`Container Threat Detection service account missing permissions`	`KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS`	Finding description: A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Project Batch scans: Every 30 minutes Fix this finding	Critical
`GKE service account missing permissions`	`GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS`	Finding description: Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster. Pricing tier: Premium Supported assets container.googleapis.com/Cluster Batch scans: Every week Fix this finding	High
`Misconfigured Cloud Logging Export`	`MISCONFIGURED_CLOUD_LOGGING_EXPORT`	Finding description: The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging. Pricing tier: Premium Supported assets cloudresourcemanager.googleapis.com/Organization Batch scans: Every 30 minutes Fix this finding	High
`VPC Service Controls Restriction`	`VPC_SC_RESTRICTION`	Finding description: Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter. Pricing tier: Premium or Standard Supported assets cloudresourcemanager.googleapis.com/Project Batch scans: Every 6 hours Fix this finding	High
`Security Command Center service account missing permissions`	`SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS`	Finding description: The Security Command Center service account is missing permissions required to function properly. No findings are produced. Pricing tier: Premium or Standard Supported assets cloudresourcemanager.googleapis.com/Organization cloudresourcemanager.googleapis.com/Project Batch scans: Every 30 minutes Fix this finding	Critical

What's next

Learn how to remediate Security Command Center errors.
Refer to Troubleshooting.
Refer to Error messages.