Stay organized with collections Save and categorize content based on your preferences.
Standard, Premium, and Enterprise service tiersError detectors generate findings that point to issues in the configuration of your Security Command Center environment. These configuration issues prevent detection services (also known as finding providers) from generating findings. Error findings are generated by the Security Command Center security source and have the finding class SCC errors.
This selection of error detectors addresses common Security Command Center misconfigurations and is not an exhaustive list. The absence of error findings doesn't guarantee that Security Command Center and its services are properly configured and working as intended. If you suspect that you have misconfiguration issues that aren't covered by these error detectors, see Troubleshooting and Error messages.
Severity levelsAn error finding can have either of the following severity levels:
Indicates that the error is causing one or more of the following issues:
Indicates the error is causing one or more of the following issues:
Findings belonging to the finding class SCC errors report issues that prevent Security Command Center from working as expected. For this reason, error findings can't be muted.
The following table describes the error detectors and the assets they support. You can filter findings by category name or finding class on the Security Command Center Findings tab in the Google Cloud console.
To remediate these findings, see Remediating Security Command Center errors.
Note: The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.The following finding categories represent errors possibly caused by unintentional actions.
Inadvertent actions Category name API name Summary SeverityAPI disabled API_DISABLED
Finding description: A required API is disabled for the project. The disabled service can't send findings to Security Command Center.
Pricing tier: Premium or Standard
Supported assets
cloudresourcemanager.googleapis.com/Project
Batch scans: Every 60 hours
CriticalAttack path simulation: no resource value configs match any resources APS_NO_RESOURCE_VALUE_CONFIGS_MATCH_ANY_RESOURCES
Finding description: Resource value configurations are defined for attack path simulations, but they do not match any resource instances in your environment. The simulations are using the default high-value resource set instead.
This error can have any of the following causes:
NONE override every other valid configuration.NONE.Pricing tier: Premium
Supported assets
cloudresourcemanager.googleapis.com/Organizations
Batch scans: Before every attack path simulation.
CriticalAttack path simulation: resource value assignment limit exceeded APS_RESOURCE_VALUE_ASSIGNMENT_LIMIT_EXCEEDED
Finding description: In the last attack path simulation, the number of high-value resource instances, as identified by the resource value configurations, exceeded the limit of 1,000 resource instances in a high-value resource set. As a result, Security Command Center excluded the excess number of instances from the high-value resource set.
The total number of matching instances and the total number of instances excluded from the set are identified in the SCC Error finding in the Google Cloud console.
The attack exposure scores on any findings that affect excluded resource instances do not reflect the high-value designation of the resource instances.
Pricing tier: Premium
Supported assets
cloudresourcemanager.googleapis.com/Organizations
Batch scans: Before every attack path simulation.
HighContainer Threat Detection Image Pull Failure KTD_IMAGE_PULL_FAILURE
Finding description: Container Threat Detection can't be enabled on the cluster because a required container image can't be pulled (downloaded) from gcr.io, the Container Registry image host. The image is needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires.
The attempt to deploy the Container Threat Detection DaemonSet resulted in the following error:
Failed to pull image "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": rpc error: code = NotFound desc = failed to pull and unpack image "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": failed to resolve reference "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00: not found
Pricing tier: Premium
Supported assets
container.googleapis.com/Cluster
Batch scans: Every 30 minutes
CriticalContainer Threat Detection Blocked By Admission Controller KTD_BLOCKED_BY_ADMISSION_CONTROLLER
Finding description: Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires.
When viewed in the Google Cloud console, the finding details include the error message that was returned by Google Kubernetes Engine when Container Threat Detection attempted to deploy a Container Threat Detection DaemonSet Object.
Pricing tier: Premium
Supported assets
container.googleapis.com/Cluster
Batch scans: Every 30 minutes
HighContainer Threat Detection service account missing permissions KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS
Finding description: A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled.
Pricing tier: Premium
Supported assets
cloudresourcemanager.googleapis.com/Project
Batch scans: Every 30 minutes
CriticalGKE service account missing permissions GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS
Finding description: Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster.
Pricing tier: Premium
Supported assets
container.googleapis.com/Cluster
Batch scans: Every week
HighMisconfigured Cloud Logging Export MISCONFIGURED_CLOUD_LOGGING_EXPORT
Finding description: The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging.
Pricing tier: Premium
Supported assets
cloudresourcemanager.googleapis.com/Organization
Batch scans: Every 30 minutes
HighVPC Service Controls Restriction VPC_SC_RESTRICTION
Finding description: Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter.
Pricing tier: Premium or Standard
Supported assets
cloudresourcemanager.googleapis.com/Project
Batch scans: Every 6 hours
HighSecurity Command Center service account missing permissions SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS
Finding description: The Security Command Center service account is missing permissions required to function properly. No findings are produced.
Pricing tier: Premium or Standard
Supported assets
Batch scans: Every 30 minutes
Critical What's nextExcept as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-18 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-18 UTC."],[],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4