Error detectors generate findings that point to issues in the configuration of
your Security Command Center environment. These configuration issues prevent detection services
(also known as finding providers
) from generating findings. Error findings are
generated by the Security Command Center
security source and have the finding
class SCC errors
.
This selection of error detectors addresses common Security Command Center misconfigurations and is not an exhaustive list. The absence of error findings doesn't guarantee that Security Command Center and its services are properly configured and working as intended. If you suspect that you have misconfiguration issues that aren't covered by these error detectors, see Troubleshooting and Error messages .
Severity levels
An error finding can have either of the following severity levels:
- Critical
-
Indicates that the error is causing one or more of the following issues:
- The error prevents you from seeing all of a service's findings.
- The error is preventing Security Command Center from generating new findings of any severity.
- The error is preventing attack path simulations from generating attack exposure scores and attack paths.
- High
-
Indicates the error is causing one or more of the following issues:
- You cannot see or export some of a service's findings.
- For attack path simulations, the attack exposure scores and attack paths might be incomplete or inaccurate.
Mute behavior
Findings belonging to the finding class SCC errors
report issues that prevent
Security Command Center from working as expected. For this reason, error findings can't be muted.
Error detectors
The following table describes the error detectors and the assets they support. You can filter findings by category name or finding class on the Security Command Center Findingstab in the Google Cloud console.
To remediate these findings, see Remediating Security Command Center errors .
The following finding categories represent errors possibly caused by unintentional actions.
API disabled
API_DISABLED
Finding description:A required API is disabled for the project. The disabled service can't send findings to Security Command Center.
Pricing tier: Premium or Standard
Supported assets cloudresourcemanager.googleapis.com/Project
Batch scans: Every 60 hours
Attack path simulation: no resource value configs match any resources
APS_NO_RESOURCE_VALUE_CONFIGS_MATCH_ANY_RESOURCES
Finding description: Resource value configurations are defined for attack path simulations, but they do not match any resource instances in your environment. The simulations are using the default high-value resource set instead.
This error can have any of the following causes:
- None of the resource value configurations match any resource instances.
- One or more resource value configurations that specify
NONEoverride every other valid configuration. - All the defined resource value configurations specify a value of
NONE.
Pricing tier: Premium
Supported assets cloudresourcemanager.googleapis.com/Organizations
Batch scans: Before every attack path simulation.
Attack path simulation: resource value assignment limit exceeded
APS_RESOURCE_VALUE_ASSIGNMENT_LIMIT_EXCEEDED
Finding description:In the last attack path simulation , the number of high-value resource instances, as identified by the resource value configurations , exceeded the limit of 1,000 resource instances in a high-value resource set. As a result, Security Command Center excluded the excess number of instances from the high-value resource set.
The total number of matching instances and the total number of instances excluded
from the set are identified in the SCC Error
finding in the
Google Cloud console.
The attack exposure scores on any findings that affect excluded resource instances do not reflect the high-value designation of the resource instances.
Pricing tier: Premium
Supported assets cloudresourcemanager.googleapis.com/Organizations
Batch scans: Before every attack path simulation.
Container Threat Detection
Image Pull Failure
KTD_IMAGE_PULL_FAILURE
Finding description:Container Threat Detection can't be enabled on the cluster because a required container
image can't be pulled (downloaded) from gcr.io
, the Container Registry
image host. The image is
needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires.
The attempt to deploy the Container Threat Detection DaemonSet resulted in the following error:
Failed to pull image
"badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": rpc error:
code = NotFound desc = failed to pull and unpack image
"badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": failed to
resolve reference "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00":
badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00: not found
Pricing tier: Premium
Supported assets container.googleapis.com/Cluster
Batch scans: Every 30 minutes
Container Threat Detection
Blocked By Admission Controller
KTD_BLOCKED_BY_ADMISSION_CONTROLLER
Finding description:Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires.
When viewed in the Google Cloud console, the finding details include the error message that was returned by Google Kubernetes Engine when Container Threat Detection attempted to deploy a Container Threat Detection DaemonSet Object.
Pricing tier: Premium
Supported assets container.googleapis.com/Cluster
Batch scans: Every 30 minutes
KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS
Finding description:A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled.
Pricing tier: Premium
Supported assets cloudresourcemanager.googleapis.com/Project
Batch scans: Every 30 minutes
GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS
Finding description:Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster.
Pricing tier: Premium
Supported assets container.googleapis.com/Cluster
Batch scans: Every week
Misconfigured Cloud Logging Export
MISCONFIGURED_CLOUD_LOGGING_EXPORT
Finding description:The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging.
Pricing tier: Premium
Supported assets cloudresourcemanager.googleapis.com/Organization
Batch scans: Every 30 minutes
VPC Service Controls Restriction
VPC_SC_RESTRICTION
Finding description:Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter , and the Security Command Center service account doesn't have access to the perimeter.
Pricing tier: Premium or Standard
Supported assets cloudresourcemanager.googleapis.com/Project
Batch scans: Every 6 hours
SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS
Finding description:The Security Command Center service account is missing permissions required to function properly. No findings are produced.
Pricing tier: Premium or Standard
Supported assets
Batch scans: Every 30 minutes
What's next
- Learn how to remediate Security Command Center errors .
- Refer to Troubleshooting .
- Refer to Error messages .
