Troubleshooting

This page describes troubleshooting steps that might be helpful if you experience the following problems while using Security Command Center.

Enabling Security Command Center fails

Enabling Security Command Center most commonly fails if your organization policies restrict identities by domain. You and your service account must be part of an allowed domain:

  • Make sure you sign in to an account that's in an allowed domain before you try to enable Security Command Center.
  • If you're using an @*.gserviceaccount.com service account, add the service account as an identity in a group within an allowed domain.

Assets in Security Command Center aren't updating

If you're using VPC Service Controls, assets in Security Command Center can only be discovered and updated when you grant access to the Security Command Center service account.

To enable asset discovery, grant access to the Security Command Center service account. This allows the service account to complete asset discovery and display assets in the Security Command Center dashboard. The service account name is in the form of service-org-organization-id@security-center-api.iam.gserviceaccount.com.

Missing or delayed notifications

In some situations, notifications might be missing, dropped, or delayed:

  • There might not be any findings that match the filters in your NotificationConfig. To test notifications, use the Security Command Center API to create a finding.
  • The Security Command Center service account must have the securitycenter.notificationServiceAgent role on the Pub/Sub topic. The service account name is in the form of service-organization-id@gcp-sa-scc-notification.iam.gserviceaccount.com.
    • If you remove the role, notification publishing is disabled.
    • If you remove the role and then grant the role again, notifications are delayed.
  • If you delete and recreate the Pub/Sub topic, notifications will be dropped.
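The following added example (not from this page or from Google's own tooling) checks the second cause above: it reads a Pub/Sub topic's IAM policy in the JSON shape that `gcloud pubsub topics get-iam-policy TOPIC --format=json` prints and reports whether the Security Command Center notification service agent holds the securitycenter.notificationServiceAgent role. It assumes the policy JSON is supplied to it and that the agent email is passed in; the sample policies and the agent address are constructed placeholders.

```python
"""Verify the Security Command Center notification role on a Pub/Sub topic."""
import json

NOTIFICATION_ROLE = "roles/securitycenter.notificationServiceAgent"


def unconditional_roles(policy, agent_email):
    """Roles granted to agent_email with no IAM condition attached."""
    member = f"serviceAccount:{agent_email}"
    roles = set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding only applies while its condition holds
        # (an expired time condition grants nothing), so it is not counted
        # as a standing grant.
        if binding.get("condition"):
            continue
        roles.add(binding["role"])
    return roles


def check_notification_agent(policy, agent_email):
    """Return 'ok' if publishing is permitted, else name the missing role."""
    if NOTIFICATION_ROLE in unconditional_roles(policy, agent_email):
        return "ok"
    return f"missing {NOTIFICATION_ROLE} for {agent_email}: publishing disabled"


# Constructed samples; the agent address follows the pattern given above
# and is a placeholder, not a real service account.
AGENT = "service-organization-id@gcp-sa-scc-notification.iam.gserviceaccount.com"
POLICY_OK = json.loads(f"""{{
  "bindings": [
    {{"role": "roles/pubsub.publisher", "members": ["serviceAccount:{AGENT}"]}},
    {{"role": "{NOTIFICATION_ROLE}", "members": ["serviceAccount:{AGENT}"]}}
  ],
  "etag": "BwXPLACEHOLDER", "version": 1
}}""")
POLICY_EXPIRED = {
    "bindings": [{
        "role": NOTIFICATION_ROLE,
        "members": [f"serviceAccount:{AGENT}"],
        "condition": {"title": "temporary grant",
                      "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"},
    }],
    "version": 3,
}

if __name__ == "__main__":
    import sys  # usage: gcloud ... --format=json | python check.py AGENT_EMAIL
    print(check_notification_agent(json.load(sys.stdin), sys.argv[1]))
```

Run against a live policy by piping the gcloud output into the script; a result other than "ok" matches the "publishing is disabled" case in the list above.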