Overview of Security Command Center errors

Error detectors generate findings that point to issues in the configuration of your Security Command Center environment. These configuration issues prevent detection services (also known as finding providers) from generating findings. Error findings are generated by the Security Command Center security source and have the finding class SCC errors.

This selection of error detectors addresses common Security Command Center misconfigurations and is not an exhaustive list. The absence of error findings doesn't guarantee that Security Command Center and its services are properly configured and working as intended. If you suspect that you have misconfiguration issues that aren't covered by these error detectors, see Troubleshooting and Error messages.

Severity levels

An error finding can have either of the following severity levels:

Critical

Indicates that the error is causing one or more of the following issues:

  • The error prevents you from seeing all of a service's findings.
  • The error is preventing Security Command Center from generating new findings of any severity.
  • The error is preventing attack path simulations from generating attack exposure scores and attack paths.
High

Indicates the error is causing one or more of the following issues:

  • You cannot see or export some of a service's findings.
  • For attack path simulations, the attack exposure scores and attack paths might be incomplete or inaccurate.

Mute behavior

Findings belonging to the finding class SCC errors report issues that prevent Security Command Center from working as expected. For this reason, error findings can't be muted.

Error detectors

The following table describes the error detectors and the assets they support. You can filter findings by category name or finding class on the Security Command Center Findings tab in the Google Cloud console.

To remediate these findings, see Remediating Security Command Center errors.

The following finding categories represent errors possibly caused by unintentional actions.

Inadvertent actions
Category name API name Summary Severity
API disabled API_DISABLED

Finding description: A required API is disabled for the project. The disabled service can't send findings to Security Command Center.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Project

Batch scans: Every 60 hours

Fix this finding

Critical
Attack path simulation: no resource value configs match any resources APS_NO_RESOURCE_VALUE_CONFIGS_MATCH_ANY_RESOURCES

Finding description: Resource value configurations are defined for attack path simulations, but they do not match any resource instances in your environment. The simulations are using the default high-value resource set instead.

This error can have any of the following causes:

  • None of the resource value configurations match any resource instances.
  • One or more resource value configurations that specify NONE override every other valid configuration.
  • All the defined resource value configurations specify a value of NONE.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organizations

Batch scans: Before every attack path simulation.

Fix this finding

Critical
Attack path simulation: resource value assignment limit exceeded APS_RESOURCE_VALUE_ASSIGNMENT_LIMIT_EXCEEDED

Finding description: In the last attack path simulation, the number of high-value resource instances, as identified by the resource value configurations, exceeded the limit of 1,000 resource instances in a high-value resource set. As a result, Security Command Center excluded the excess number of instances from the high-value resource set.

The total number of matching instances and the total number of instances excluded from the set are identified in the SCC Error finding in the Google Cloud console.

The attack exposure scores on any findings that affect excluded resource instances do not reflect the high-value designation of the resource instances.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organizations

Batch scans: Before every attack path simulation.

Fix this finding

High
Container Threat Detection Image Pull Failure KTD_IMAGE_PULL_FAILURE

Finding description: Container Threat Detection can't be enabled on the cluster because a required container image can't be pulled (downloaded) from gcr.io, the Container Registry image host. The image is needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires.

The attempt to deploy the Container Threat Detection DaemonSet resulted in the following error:

Failed to pull image "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": rpc error: code = NotFound desc = failed to pull and unpack image "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": failed to resolve reference "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00: not found

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Batch scans: Every 30 minutes

Fix this finding

Critical
Container Threat Detection Blocked By Admission Controller KTD_BLOCKED_BY_ADMISSION_CONTROLLER

Finding description: Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires.

When viewed in the Google Cloud console, the finding details include the error message that was returned by Google Kubernetes Engine when Container Threat Detection attempted to deploy a Container Threat Detection DaemonSet Object.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Batch scans: Every 30 minutes

Fix this finding

High
Container Threat Detection service account missing permissions KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Batch scans: Every 30 minutes

Fix this finding

Critical
GKE service account missing permissions GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Batch scans: Every week

Fix this finding

High
Misconfigured Cloud Logging Export MISCONFIGURED_CLOUD_LOGGING_EXPORT

Finding description: The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization

Batch scans: Every 30 minutes

Fix this finding

High
VPC Service Controls Restriction VPC_SC_RESTRICTION

Finding description: Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Project

Batch scans: Every 6 hours

Fix this finding

High
Security Command Center service account missing permissions SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: The Security Command Center service account is missing permissions required to function properly. No findings are produced.

Pricing tier: Premium or Standard

Supported assets

Batch scans: Every 30 minutes

Fix this finding

Critical

What's next