Troubleshooting

Learn about troubleshooting steps that might be helpful if you experience the following problems while using Security Command Center.

Enabling Security Command Center fails

Enabling Security Command Center most commonly fails when an organization policy restricts identities by domain (the domain restricted sharing constraint, iam.allowedPolicyMemberDomains). Both the account you sign in with and any service account you use must belong to an allowed domain:

  • Sign in with an account that's in an allowed domain before you try to enable Security Command Center.
  • If you're using an @*.gserviceaccount.com service account, add the service account to a Google group in an allowed domain and use that group membership to satisfy the policy.

Assets in Security Command Center aren't updating

If you're using VPC Service Controls, Security Command Center can discover and update assets only when your service perimeter grants access to the Security Command Center service account.

To enable asset discovery, grant the Security Command Center service account access through the perimeter. This lets the service account complete asset discovery and display assets in the Google Cloud console. The service account name has the form service-org-organization-id@security-center-api.iam.gserviceaccount.com, where organization-id is your organization's numeric ID.

Viewing, editing, creating, and updating findings and assets

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level at which you were granted a role: a role granted on a project applies only to that project's findings and assets, while a role granted on the organization applies to everything beneath it. To learn more about Security Command Center roles, see Access control.

Missing or delayed notifications

In some situations, notifications might be missing, dropped, or delayed:

  • There might not be any findings that match the filter in your NotificationConfig. To test notifications, use the Security Command Center API to create a finding that matches the filter.
  • The Security Command Center service account must have the securitycenter.notificationServiceAgent role on the Pub/Sub topic. The service account name has the form service-organization-id@gcp-sa-scc-notification.iam.gserviceaccount.com.
    • If you remove the role, notification publishing is disabled.
    • If you remove the role and then grant it again, notifications are delayed.
  • If you delete and recreate the Pub/Sub topic, notifications are dropped. The role binding was on the deleted topic, so grant the role again on the new topic.
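The role check above is easy to get wrong by eye, especially when the binding exists but carries an IAM condition. The following added example, which is not Google's code, reads a topic IAM policy in the JSON shape returned by `gcloud pubsub topics get-iam-policy TOPIC --format=json`, reports whether the notification service agent holds the role unconditionally, and builds the `gcloud pubsub topics add-iam-policy-binding` command that restores it. The sample policy, topic name, project, and organization ID are constructed placeholders; substitute the service account name given in the text above.

```python
"""Diagnose why Security Command Center notifications are not reaching a
Pub/Sub topic: verify the notification service agent's role binding on
the topic and build the gcloud command that (re)grants it."""
import json
import subprocess

# Role the notification service agent needs on the topic.
NOTIFICATION_ROLE = "roles/securitycenter.notificationServiceAgent"


def missing_grants(policy: dict, service_agent: str) -> list[str]:
    """Inspect a topic IAM policy (shape of `gcloud pubsub topics
    get-iam-policy TOPIC --format=json`) and return problem codes.

    An empty list means the service agent holds the role unconditionally.
    A binding with an IAM condition only applies while the condition
    holds, so it is reported separately for manual review.
    """
    member = f"serviceAccount:{service_agent}"
    unconditional = conditional = False
    for binding in policy.get("bindings", []):
        if binding.get("role") != NOTIFICATION_ROLE:
            continue
        if member not in binding.get("members", []):
            continue
        if binding.get("condition"):
            conditional = True
        else:
            unconditional = True
    if unconditional:
        return []
    return ["role_granted_only_conditionally"] if conditional else ["role_missing"]


def grant_command(topic: str, project: str, service_agent: str) -> list[str]:
    """gcloud invocation that grants the role on the topic (run after
    recreating a topic, since the old binding died with the old topic)."""
    return [
        "gcloud", "pubsub", "topics", "add-iam-policy-binding", topic,
        f"--project={project}",
        f"--member=serviceAccount:{service_agent}",
        f"--role={NOTIFICATION_ROLE}",
    ]


def fetch_topic_policy(topic: str, project: str) -> dict:
    """Read the live topic policy with gcloud (needs an authenticated CLI)."""
    out = subprocess.run(
        ["gcloud", "pubsub", "topics", "get-iam-policy", topic,
         f"--project={project}", "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Constructed sample policy: the role is absent, so publishing is off.
    sample_policy = {
        "bindings": [
            {"role": "roles/pubsub.viewer",
             "members": ["user:analyst@example.com"]},
        ],
        "etag": "BwXyz",
    }
    # Placeholder organization ID; use the service account name from the text.
    agent = "service-123456789012@gcp-sa-scc-notification.iam.gserviceaccount.com"
    problems = missing_grants(sample_policy, agent)
    print("problems:", problems)
    if problems:
        print("fix:", " ".join(grant_command("scc-findings", "example-project", agent)))
```

Run it against a live topic by replacing `sample_policy` with `fetch_topic_policy("scc-findings", "example-project")`; the conditional-binding case is worth checking because an expired condition looks like a valid grant in the console's summary view.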

Web Security Scanner

This section contains troubleshooting steps that you might find helpful if you have problems using Web Security Scanner.

Scan errors for Compute Engine and GKE

If the URL for a scan is misconfigured, Web Security Scanner rejects it. Possible reasons for rejection include:

URL has an IP address that is ephemeral

Mark this IP address as static:

  • For an application on a single VM, reserve the IP address on the VM.
  • For an application behind a load balancer, reserve the IP address on the load balancer.

URL is mapped to a wrong IP address

To fix this issue, correct the DNS record so that the URL resolves to the IP address of the VM or load balancer you want to scan; refer to the instructions from your DNS provider or registrar.

URL is mapped to an ephemeral IP address of the same VM

Mark this IP address as static.

URL is mapped to a reserved IP address

This error happens when the URL is mapped to an IP address that's reserved in a different project of the same organization. To resolve this, create the security scan for the VM or HTTP load balancer in the project where that IP address is reserved.

URL is mapped to more than one IP address

Make sure that all IP addresses that are mapped to this URL are reserved in the same project as the scan. If at least one of them isn't reserved in that project, the scan create, edit, or update operation fails.
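The rejection reasons above reduce to one decision procedure over what the URL's hostname resolves to, which addresses you intended to scan, and which static addresses are reserved in which project. The following added example, not Google's code, reproduces those checks so you can tell which condition applies before creating or editing a scan; the IP addresses, project names, and hostname are constructed placeholders from the documentation ranges, and the classification codes are this example's own, not strings emitted by Web Security Scanner.

```python
"""Reproduce the URL checks that make Web Security Scanner reject a scan
target for Compute Engine or GKE: ephemeral address, wrong address,
address reserved in another project, or multiple addresses not all
reserved in the scan's project."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class ReservedAddress:
    """A static external IP address and the project it is reserved in
    (the information `gcloud compute addresses list --format=json`
    reports per project)."""
    address: str
    project: str


def diagnose_scan_target(resolved_ips, expected_ips, reserved, scan_project):
    """Return the rejection reasons for a scan URL, or [] if it is acceptable.

    resolved_ips: addresses the URL's hostname currently resolves to.
    expected_ips: addresses of the VM or load balancer you intend to scan.
    reserved:     static addresses known across your organization.
    scan_project: project in which the scan is being created or edited.
    """
    reserved_in = {r.address: r.project for r in reserved}
    reasons = []
    for ip in resolved_ips:
        if ip not in expected_ips:
            reasons.append(f"wrong_ip:{ip}")            # DNS points elsewhere
        elif ip not in reserved_in:
            reasons.append(f"ephemeral:{ip}")           # reserve it as static
        elif reserved_in[ip] != scan_project:
            reasons.append(f"reserved_in_project:{reserved_in[ip]}:{ip}")
    if len(resolved_ips) > 1 and reasons:
        # Every address behind the URL must be reserved in the scan project.
        reasons.append("multiple_ips_not_all_in_scan_project")
    return reasons


def resolve_hostname(hostname):
    """Live A/AAAA lookup; only used when this file is run as a script."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


if __name__ == "__main__":
    # Constructed inventory: two static addresses in different projects.
    inventory = [
        ReservedAddress("203.0.113.10", "web-prod"),
        ReservedAddress("203.0.113.11", "web-staging"),
    ]
    # Constructed DNS answers standing in for resolve_hostname("app.example.com").
    cases = {
        "static, same project": ["203.0.113.10"],
        "ephemeral": ["203.0.113.12"],
        "reserved elsewhere": ["203.0.113.11"],
        "two records, one elsewhere": ["203.0.113.10", "203.0.113.11"],
    }
    for label, answers in cases.items():
        verdict = diagnose_scan_target(answers, set(answers), inventory, "web-prod")
        print(f"{label}: {verdict or 'ok'}")
```

For a real target, replace the constructed answers with `resolve_hostname(host)` and `expected_ips` with the external address of the VM or the load balancer's forwarding rule; a `wrong_ip` result means the DNS record itself needs fixing, while the other codes are resolved by reserving the address or creating the scan in the owning project.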

What's next

Learn about Security Command Center errors.