Overview of Security Command Center errors

Standard, Premium, and Enterprise service tiers

Error detectors generate findings that point to issues in the configuration of your Security Command Center environment. These configuration issues prevent detection services (also known as finding providers) from generating findings. Error findings are generated by the Security Command Center security source and have the finding class SCC errors.

This selection of error detectors addresses common Security Command Center misconfigurations and is not an exhaustive list. The absence of error findings doesn't guarantee that Security Command Center and its services are properly configured and working as intended. If you suspect that you have misconfiguration issues that aren't covered by these error detectors, see Troubleshooting and Error messages.

Severity levels

An error finding can have either of the following severity levels:

Critical

Indicates that the error is causing one or more of the following issues:

  • The error prevents you from seeing all of a service's findings.
  • The error is preventing Security Command Center from generating new findings of any severity.
  • The error is preventing attack path simulations from generating attack exposure scores and attack paths.

High

Indicates the error is causing one or more of the following issues:

  • You cannot see or export some of a service's findings.
  • For attack path simulations, the attack exposure scores and attack paths might be incomplete or inaccurate.

Mute behavior

Findings belonging to the finding class SCC errors report issues that prevent Security Command Center from working as expected. For this reason, error findings can't be muted.

Error detectors

The following table describes the error detectors and the assets they support. You can filter findings by category name or finding class on the Security Command Center Findings page in the Google Cloud console.

To remediate these findings, see Remediating Security Command Center errors.

Note: The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

The following finding categories represent errors possibly caused by unintentional actions.

Inadvertent actions
Category name | API name | Summary | Severity

API disabled

API_DISABLED

Finding description: A required API is disabled for the project. The disabled service can't send findings to Security Command Center.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Project

Batch scans: Every 60 hours

Fix this finding

Critical

Attack path simulation: no resource value configs match any resources

APS_NO_RESOURCE_VALUE_CONFIGS_MATCH_ANY_RESOURCES

Finding description: Resource value configurations are defined for attack path simulations, but they do not match any resource instances in your environment. The simulations are using the default high-value resource set instead.

This error can have any of the following causes:

  • None of the resource value configurations match any resource instances.
  • One or more resource value configurations that specify NONE override every other valid configuration.
  • All the defined resource value configurations specify a value of NONE.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organizations

Batch scans: Before every attack path simulation.

Fix this finding

Critical

Attack path simulation: resource value assignment limit exceeded

APS_RESOURCE_VALUE_ASSIGNMENT_LIMIT_EXCEEDED

Finding description: In the last attack path simulation, the number of high-value resource instances, as identified by the resource value configurations, exceeded the limit of 1,000 resource instances in a high-value resource set. As a result, Security Command Center excluded the excess number of instances from the high-value resource set.

The total number of matching instances and the total number of instances excluded from the set are identified in the SCC Error finding in the Google Cloud console.

The attack exposure scores on any findings that affect excluded resource instances do not reflect the high-value designation of the resource instances.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organizations

Batch scans: Before every attack path simulation.

Fix this finding

High

Container Threat Detection Image Pull Failure

KTD_IMAGE_PULL_FAILURE

Finding description: Container Threat Detection can't be enabled on the cluster because a required container image can't be pulled (downloaded) from gcr.io, the Container Registry image host. The image is needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires.

The attempt to deploy the Container Threat Detection DaemonSet resulted in the following error:

Failed to pull image "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": rpc error: code = NotFound desc = failed to pull and unpack image "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": failed to resolve reference "badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00": badurl.gcr.io/watcher-daemonset:ktd_release.watcher_20220831_RC00: not found

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Batch scans: Every 30 minutes

Fix this finding

Critical

Container Threat Detection Blocked By Admission Controller

KTD_BLOCKED_BY_ADMISSION_CONTROLLER

Finding description: Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires.

When viewed in the Google Cloud console, the finding details include the error message that was returned by Google Kubernetes Engine when Container Threat Detection attempted to deploy a Container Threat Detection DaemonSet Object.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Batch scans: Every 30 minutes

Fix this finding

High

Container Threat Detection service account missing permissions

KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Project

Batch scans: Every 30 minutes

Fix this finding

Critical

GKE service account missing permissions

GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster.

Pricing tier: Premium

Supported assets
container.googleapis.com/Cluster

Batch scans: Every week

Fix this finding

High

Misconfigured Cloud Logging Export

MISCONFIGURED_CLOUD_LOGGING_EXPORT

Finding description: The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging.

Pricing tier: Premium

Supported assets
cloudresourcemanager.googleapis.com/Organization

Batch scans: Every 30 minutes

Fix this finding

High

VPC Service Controls Restriction

VPC_SC_RESTRICTION

Finding description: Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter.

Pricing tier: Premium or Standard

Supported assets
cloudresourcemanager.googleapis.com/Project

Batch scans: Every 6 hours

Fix this finding

High

Security Command Center service account missing permissions

SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS

Finding description: The Security Command Center service account is missing permissions required to function properly. No findings are produced.

Pricing tier: Premium or Standard

Supported assets

Batch scans: Every 30 minutes

Fix this finding

Critical
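
The following is an added example, not part of the original page or of Google's tooling: a Python triage helper that reads findings exported as one JSON object per line and reports which detection capability each active SCC error degrades, worst severity first. The sample records are constructed, the field names (`category`, `findingClass`, `severity`, `state`, `resourceName`) are assumed to follow the JSON form of a finding, and `EXAMPLE_UNLISTED_ERROR` is a placeholder for a category that the table above does not cover.

```python
import json

# Capability degraded by each error category (API name), per the table above.
IMPACT = {
    "API_DISABLED": "findings from the disabled service",
    "APS_NO_RESOURCE_VALUE_CONFIGS_MATCH_ANY_RESOURCES": "attack path simulation",
    "APS_RESOURCE_VALUE_ASSIGNMENT_LIMIT_EXCEEDED": "attack path simulation",
    "KTD_IMAGE_PULL_FAILURE": "Container Threat Detection",
    "KTD_BLOCKED_BY_ADMISSION_CONTROLLER": "Container Threat Detection",
    "KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS": "Container Threat Detection",
    "GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS": "Container Threat Detection",
    "MISCONFIGURED_CLOUD_LOGGING_EXPORT": "continuous export to Cloud Logging",
    "VPC_SC_RESTRICTION": "Security Health Analytics",
    "SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS": "all Security Command Center findings",
}
RANK = {"CRITICAL": 0, "HIGH": 1}  # the only two severities error findings use


def _record(category, cls, severity, state, resource):
    """Build one constructed finding record as a JSON line."""
    return json.dumps({"category": category, "findingClass": cls,
                       "severity": severity, "state": state, "resourceName": resource})


# Constructed sample export (not real data); resource names are made up.
SAMPLE = "\n".join([
    _record("KTD_IMAGE_PULL_FAILURE", "SCC_ERROR", "CRITICAL", "ACTIVE", "clusters/prod-1"),
    _record("KTD_BLOCKED_BY_ADMISSION_CONTROLLER", "SCC_ERROR", "HIGH", "ACTIVE", "clusters/prod-2"),
    _record("VPC_SC_RESTRICTION", "SCC_ERROR", "HIGH", "ACTIVE", "projects/example-a"),
    _record("API_DISABLED", "SCC_ERROR", "CRITICAL", "INACTIVE", "projects/example-b"),
    _record("PUBLIC_BUCKET_ACL", "MISCONFIGURATION", "HIGH", "ACTIVE", "buckets/example"),
    _record("EXAMPLE_UNLISTED_ERROR", "SCC_ERROR", "HIGH", "ACTIVE", "projects/example-c"),
])


def blind_spots(export_text):
    """Return [(capability, worst_severity, resources)] for active SCC errors."""
    grouped = {}
    for line in filter(str.strip, export_text.splitlines()):
        f = json.loads(line)
        if f.get("findingClass") != "SCC_ERROR" or f.get("state") != "ACTIVE":
            continue  # ordinary findings and resolved errors are out of scope
        cap = IMPACT.get(f.get("category"), "unknown: category not in the table")
        sev, res = grouped.get(cap, ("HIGH", set()))
        if RANK.get(f.get("severity"), 2) < RANK[sev]:
            sev = f["severity"]  # keep the worst severity seen per capability
        grouped[cap] = (sev, res | {f.get("resourceName", "?")})
    rows = [(cap, sev, sorted(res)) for cap, (sev, res) in grouped.items()]
    return sorted(rows, key=lambda r: (RANK[r[1]], r[0]))


if __name__ == "__main__":
    for capability, severity, resources in blind_spots(SAMPLE):
        print(f"{severity:8} {capability}: {', '.join(resources)}")
```

An empty result only means none of the exported error findings are active; as the page notes, the detectors are not exhaustive, so it does not prove every service is working.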


Last updated 2025-12-17 UTC.