ACE Chapter 72 of 101: Objective 5.2

Security Command Center Premium Findings

This chapter covers Security Command Center (SCC) Premium, a critical topic for the ACE exam, especially under Objective 5.2: Managing security and compliance. You will learn how SCC Premium differs from Standard, its key features like Security Health Analytics, Event Threat Detection, Container Threat Detection, and integration with third-party partners. Approximately 5-8% of exam questions touch on SCC, with a focus on understanding the differences between tiers, enabling premium features, and interpreting findings. Mastering this chapter will help you answer scenario-based questions about threat detection and compliance posture.

25 min read
Intermediate
Updated May 31, 2026

Security Command Center as a Hospital Security System

Imagine a large hospital with multiple wings, floors, and departments. The hospital has a central security office (Security Command Center) that monitors all activities. The hospital uses two tiers of security: a basic system (Security Command Center Standard) that monitors access logs and basic alarms (e.g., fire alarms, door sensors) using built-in sensors and simple rules. The premium system (Security Command Center Premium) adds advanced threat detection: it deploys specialized sensors (e.g., smoke detectors with chemical analysis, motion sensors with AI) that can detect specific threats like a gas leak or an unauthorized person in a restricted area. These premium sensors are from third-party vendors (like partner security companies) and are integrated into the central system via standard protocols. The premium system also has access to a national threat database (like Security Health Analytics) that provides signatures of known suspicious behaviors. When a premium sensor detects something unusual, it sends an alert to the security office. The security officer can then view the alert in a unified dashboard, see the exact location, and correlate it with other events. The premium system also has automated response capabilities, like locking doors or alerting local police, based on severity. The key difference: Standard gives you basic visibility and built-in alerts; Premium adds deep, customizable threat detection with third-party integrations and automated response, but at a higher cost and complexity. Just as a hospital might need premium security for sensitive areas like the pharmacy or ICU, an enterprise might need Premium SCC for workloads with sensitive data.

How It Actually Works

What is Security Command Center Premium?

Security Command Center (SCC) is Google Cloud's centralized security and risk management platform. It provides visibility into your cloud assets, detects threats, and helps you manage security and compliance. SCC has two tiers: Standard (free) and Premium (paid). The ACE exam focuses on understanding when to use Premium and its specific features.

SCC Standard is automatically available to all Google Cloud projects. It provides basic security scanning, including:

Asset inventory (compute instances, storage buckets, etc.)

Basic Web Security Scanner findings (e.g., XSS, Flash injection)

Default security health analytics (e.g., open firewall ports, public buckets)

Limited access to findings and APIs

SCC Premium unlocks advanced capabilities:
- Security Health Analytics: Expanded set of detectors (over 150 vs. ~50 in Standard)
- Event Threat Detection: Real-time threat detection from logs (e.g., compromised VM, crypto mining)
- Container Threat Detection: Runtime threats in GKE clusters (e.g., privilege escalation, malicious binaries)
- Access Transparency Logs: Visibility into Google staff access
- Third-party integrations: Connect with partners like Palo Alto Networks, Qualys, and more
- Continuous monitoring: Premium provides more frequent scans and lower latency for findings
- Custom modules: Create custom detectors using YARA-L (for Event Threat Detection) and custom Security Health Analytics modules

How SCC Premium Works Internally

SCC Premium operates as a managed service that aggregates data from multiple sources:

1. Data Collection: SCC Premium collects data from:
   - Google Cloud APIs: Asset inventory, IAM policies, firewall rules, etc.
   - Cloud Logging: Audit logs, VPC flow logs, DNS queries
   - GKE audit logs: Kubernetes audit logs for container threats
   - Partner integrations: Third-party scanners push findings via API

2. Detection Engines:
   - Security Health Analytics: Runs a set of rules (detectors) against your cloud configuration. For example, the detector FIREWALL_RULE_LOGGING_DISABLED checks whether firewall rule logging is off. Each detector has a severity (low, medium, high, critical). Premium has ~150 detectors; Standard has ~50.
   - Event Threat Detection: Analyzes logs in near real-time (latency ~2-5 minutes) for suspicious patterns, using machine learning and signature-based detection. Examples:
     - PERSISTENT_EVENT: A user creates a service account and then uses it to create a VM (indicates persistence)
     - CRYPTO_MINING: Detects crypto mining activity via network traffic patterns
   - Container Threat Detection: Runs on GKE nodes using eBPF (extended Berkeley Packet Filter) to monitor system calls and detect runtime threats such as:
     - PRIVILEGE_ESCALATION: Attempt to run a privileged container
     - MALICIOUS_BINARY: Execution of known malware
   - Web Security Scanner: Scans App Engine, Compute Engine, and GKE for web vulnerabilities (XSS, Flash injection, etc.)

3. Findings: All detections are normalized into a Finding object. A finding has:
   - category: e.g., OPEN_FIREWALL, CRYPTO_MINING
   - severity: CRITICAL, HIGH, MEDIUM, LOW
   - state: ACTIVE or INACTIVE (muted or resolved)
   - source_properties: Custom key-value pairs
   - resource: The affected GCP resource (e.g., VM instance, bucket)

4. Integration with Cloud Logging: All findings are written to Cloud Logging as security_center_finding logs. You can export them to Pub/Sub, BigQuery, or a SIEM.

5. Notifications: You can configure Pub/Sub notifications for findings based on severity or category. You can also create Security Health Analytics custom modules using Common Expression Language (CEL) to write custom rules.
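The finding fields listed above and the severity/category filter a notification config uses can be exercised offline. The following Python is an added example, not code from this chapter or from Google's SCC client library: it implements the small subset of SCC filter syntax this chapter uses (quoted `field="value"` and `field!="value"` comparisons combined with AND, OR and parentheses), applies it to constructed findings to simulate which ones a notification config would forward, and routes each forwarded finding by severity. The finding keys follow the API's camelCase spelling (`resourceName`), and the routing queues (`page`, `ticket`, `digest`) are assumptions.

```python
"""Evaluate an SCC notification filter against findings and route what it forwards.

Added example, not code from the page or from Google's client libraries. It covers
only the subset of SCC filter syntax this chapter uses: field="value" and
field!="value" comparisons joined by AND / OR, with parentheses (AND binds tighter).
Finding keys follow the API's camelCase (resourceName); all samples are constructed.
"""
import re

# Comparison alternative first, so a field name starting with AND/OR is not an operator.
TOKEN_RE = re.compile(r'\s*(?:([A-Za-z_][\w.]*)\s*(!=|=)\s*"([^"]*)"|(\()|(\))|(AND)\b|(OR)\b)')

def tokenize(expr):
    """Split a filter into tokens; anything outside the supported subset is an error."""
    tokens, pos = [], 0
    while expr[pos:].strip():
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported filter syntax at {expr[pos:]!r}")
        pos = m.end()
        field, op, value, lp, rp, and_, _ = m.groups()
        if field:
            tokens.append(("CMP", (field, op, value)))
        else:
            tokens.append(("LP" if lp else "RP" if rp else "AND" if and_ else "OR", None))
    return tokens

class _Evaluator:
    def __init__(self, tokens, finding):
        self.tokens, self.i, self.finding = tokens, 0, finding

    def peek(self):
        return self.tokens[self.i][0] if self.i < len(self.tokens) else None

    def take(self):
        if self.i >= len(self.tokens):
            raise ValueError("unexpected end of filter")
        self.i += 1
        return self.tokens[self.i - 1]

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "OR":
            self.take()
            value = self.and_expr() or value  # right side is called first, so it is always consumed
        return value

    def and_expr(self):
        value = self.atom()
        while self.peek() == "AND":
            self.take()
            value = self.atom() and value
        return value

    def atom(self):
        kind, payload = self.take()
        if kind == "LP":
            value = self.or_expr()
            if self.take()[0] != "RP":
                raise ValueError("missing ')'")
            return value
        if kind != "CMP":
            raise ValueError(f"unexpected token {kind}")
        field, op, want = payload
        have = self.finding.get(field)  # unknown fields compare as None, never equal
        return have == want if op == "=" else have != want

def matches_filter(finding, expr):
    """True if the finding satisfies the filter, i.e. a notification config would forward it."""
    ev = _Evaluator(tokenize(expr), finding)
    result = ev.or_expr()
    if ev.peek() is not None:
        raise ValueError("trailing tokens in filter")
    return bool(result)

def triage(finding):
    """Page on CRITICAL, ticket on HIGH, digest the rest; non-ACTIVE findings are dropped."""
    if finding.get("state") != "ACTIVE":
        return "ignore"
    return {"CRITICAL": "page", "HIGH": "ticket"}.get(finding.get("severity"), "digest")

def route_findings(findings, expr):
    """Simulate a notification config: (category, queue) for each finding it forwards."""
    return [(f["category"], triage(f)) for f in findings if matches_filter(f, expr)]

SAMPLE_FINDINGS = [  # constructed samples using the fields the chapter lists
    {"category": "OPEN_FIREWALL", "severity": "CRITICAL", "state": "ACTIVE",
     "resourceName": "//compute.googleapis.com/projects/demo-proj/global/firewalls/allow-all"},
    {"category": "CRYPTO_MINING", "severity": "HIGH", "state": "ACTIVE",
     "resourceName": "//compute.googleapis.com/projects/demo-proj/zones/us-central1-a/instances/web-1"},
    {"category": "FIREWALL_RULE_LOGGING_DISABLED", "severity": "MEDIUM", "state": "INACTIVE",
     "resourceName": "//compute.googleapis.com/projects/demo-proj/global/firewalls/allow-ssh"},
]

if __name__ == "__main__":
    for category, queue in route_findings(SAMPLE_FINDINGS, 'severity="CRITICAL" OR severity="HIGH"'):
        print(category, "->", queue)
```

Two details matter in practice: string values in an SCC filter are quoted (`severity="CRITICAL"`, which in a shell argument becomes `--filter="severity=\"CRITICAL\""`), and a notification fires on state changes too, so the consumer should check `state` before paging anyone.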

Key Components and Defaults

Activation: SCC Premium must be enabled at the organization level (not project). You can enable it for the entire org or specific folders/projects using access control (IAM).

Pricing: SCC Premium is charged per resource per month. For example, per VM per hour, per GKE cluster per hour, etc. The exam may not ask exact pricing, but know that it's more expensive than Standard.

Detector Categories:

- Security Health Analytics: Categories like CIS_COMPLIANCE, SOX_COMPLIANCE, PCI_COMPLIANCE, GENERAL_SECURITY
- Event Threat Detection: Categories like PERSISTENCE, DEFENSE_EVASION, CRYPTO_MINING
- Container Threat Detection: Categories like PRIVILEGE_ESCALATION, MALICIOUS_BINARY, SUSPICIOUS_NETWORK_TRAFFIC

Retention: Findings are retained for 90 days in SCC. For longer retention, export to BigQuery.

APIs: SCC Premium provides a REST API and gcloud commands:
- gcloud scc findings list (list findings)
- gcloud scc sources list (list sources like Security Health Analytics)
- gcloud scc notifications create (create a Pub/Sub notification config)

Configuration and Verification

To enable SCC Premium:
1. Go to Security > Security Command Center > Settings
2. Click "Enable Premium" (requires Org Admin or Security Admin role)
3. Optionally, configure a source (e.g., Event Threat Detection) by toggling it on

To list findings:

gcloud scc findings list --organization=123456789012 \
  --filter="severity=\"CRITICAL\"" --format=json

To create a notification:

gcloud scc notifications create my-notif \
  --organization=123456789012 \
  --pubsub-topic=projects/my-project/topics/scc-findings \
  --filter="severity=\"CRITICAL\" OR severity=\"HIGH\""

To enable Event Threat Detection:

gcloud scc services enable event-threat-detection \
  --organization=123456789012

Interaction with Other Services

Cloud Asset Inventory: SCC Premium uses Cloud Asset Inventory to get resource metadata.

Cloud Logging: All findings are logged and can trigger Cloud Functions or SIEM.

IAM: Roles like Security Center Admin (roles/securitycenter.admin) allow full control. Security Center Findings Viewer (roles/securitycenter.findingsViewer) allows read-only.

VPC Service Controls: SCC Premium can be used within a VPC Service Perimeter to protect findings from exfiltration.

Exam-Relevant Details

SCC Premium is organization-level; Standard is project-level.

Security Health Analytics checks for misconfigurations; Event Threat Detection checks for active threats in logs.

Container Threat Detection requires GKE clusters and uses eBPF.

Web Security Scanner is available in both tiers but with limited scans in Standard.

Third-party integrations are only in Premium (e.g., Qualys, CrowdStrike).

Custom modules for Security Health Analytics are a Premium feature.

Access Transparency logs are only in Premium.

Walk-Through

1. Enable SCC Premium at Org

Navigate to Security > Security Command Center > Settings in the GCP Console. Click "Enable Premium" for the organization. This requires the Organization Administrator role (`roles/resourcemanager.organizationAdmin`) or Security Center Admin (`roles/securitycenter.admin`). Once enabled, all projects under the organization (or selected folders/projects) will have Premium features. The activation takes a few minutes to propagate. You can also use the gcloud command: `gcloud scc organizations update --organization=ORG_ID --enable-premium`.

2. Enable Event Threat Detection

Event Threat Detection (ETD) is a Premium service that must be explicitly enabled. In the SCC console, go to "Services" and toggle on Event Threat Detection. Alternatively, use `gcloud scc services enable event-threat-detection --organization=ORG_ID`. ETD requires Cloud Logging export of audit logs and VPC flow logs to be enabled. It processes logs in near real-time (2-5 minute latency). Once enabled, it starts analyzing logs for threats like compromised credentials, crypto mining, and brute force attacks.

3. Configure Security Health Analytics

Security Health Analytics is enabled by default in Premium. It provides over 150 detectors for misconfigurations. You can customize which detectors are active via the console or API. To list detectors: `gcloud scc detectors list --organization=ORG_ID`. To disable a detector (e.g., to reduce noise): `gcloud scc detectors disable DETECTOR_ID --organization=ORG_ID`. You can also create custom detectors using CEL (Common Expression Language) under "Custom Modules" in the SCC console.

4. Set Up Container Threat Detection

Container Threat Detection (CTD) works with GKE clusters that have Workload Identity enabled. It requires the GKE cluster to be registered with SCC. To enable it, go to SCC > Services > Container Threat Detection and toggle it on. CTD uses eBPF to monitor system calls on each node. It detects threats like privilege escalation, malicious binaries, and suspicious network connections. Findings appear in SCC with a category such as `PRIVILEGE_ESCALATION`. CTD does not require any agent installation; it runs as a managed component on GKE nodes.

5. Create Notification for Findings

To get real-time alerts, create a notification configuration. In SCC, go to "Notifications" and click "Add Notification". Provide a name, select a Pub/Sub topic (must be in the same organization), and define a filter using the SCC filter syntax (e.g., `severity="CRITICAL"`; string values are quoted). You can also use gcloud: `gcloud scc notifications create my-notif --organization=ORG_ID --pubsub-topic=TOPIC --filter="severity=\"CRITICAL\""`. The Pub/Sub topic must have appropriate permissions (the SCC service account is automatically granted). Then, you can trigger Cloud Functions, send to a SIEM, or send email via Cloud Pub/Sub.

What This Looks Like on the Job

Enterprise Scenario 1: Multi-Project Compliance Monitoring

A large financial institution runs 500+ GCP projects across multiple business units. They need to ensure compliance with CIS benchmarks and PCI DSS. They enable SCC Premium at the organization level. Security Health Analytics runs continuously, detecting misconfigurations like public buckets, open firewalls, and disabled logging. The security team creates custom modules to enforce internal policies, e.g., requiring encryption on all Cloud SQL instances. They set up notifications to a central Pub/Sub topic that feeds into a SIEM (Splunk). The team uses the SCC API to programmatically mute known false positives. At scale, they see ~10,000 findings per day. They use severity filters to prioritize critical issues. Without Premium, they would only get basic checks and would miss many PCI-specific requirements. A common pitfall is not enabling Event Threat Detection, which could miss active threats like compromised service accounts.

Enterprise Scenario 2: Real-Time Threat Detection for E-commerce

An e-commerce company with high traffic uses GKE for microservices. They enable SCC Premium and Container Threat Detection. One day, CTD detects a PRIVILEGE_ESCALATION finding in a pod that attempted to mount the host filesystem. The security team receives a notification via Pub/Sub and triggers a Cloud Function that automatically isolates the pod by updating the Kubernetes NetworkPolicy. They also investigate the source using Event Threat Detection logs, which show a compromised CI/CD token. The team rotates the token and patches the pipeline. Without CTD, the attack might have gone unnoticed until data exfiltration. A common mistake is not enabling Workload Identity on GKE clusters, which prevents CTD from working.
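The automated isolation step in this scenario can be prototyped without a cluster. The following Python is an added example, not code from this chapter, from Google, or from any Kubernetes client: it takes a constructed Container Threat Detection finding, parses the pod out of its `resourceName` (assumed to follow the GKE form `//container.googleapis.com/projects/P/zones/Z/clusters/C/k8s/namespaces/NS/pods/POD`, with `locations/` for regional clusters), and produces the two Kubernetes objects a Pub/Sub-triggered Cloud Function would apply: a label patch for the pod and a deny-all NetworkPolicy selecting that label. The `scc-quarantine` label and the category-to-action mapping are hypothetical; the code stops at building the manifests and does not call the Kubernetes API.

```python
"""Plan an automated response to a Container Threat Detection finding.

Added example, not code from the page, Google, or any Kubernetes client. It only
builds the objects a Pub/Sub-triggered function would apply (a label patch and a
deny-all NetworkPolicy); it does not talk to a cluster. The pod resource-name
format below is an assumption, and the quarantine label name is hypothetical.
"""
import json
import re

POD_RESOURCE_RE = re.compile(
    r"^//container\.googleapis\.com/projects/(?P<project>[^/]+)"
    r"/(?:locations|zones)/(?P<location>[^/]+)/clusters/(?P<cluster>[^/]+)"
    r"/k8s/namespaces/(?P<namespace>[^/]+)/pods/(?P<pod>[^/]+)$"
)
QUARANTINE_LABEL = ("scc-quarantine", "true")  # hypothetical label used to select the pod

# CTD categories named in the chapter that this responder isolates automatically;
# anything else is handed to an analyst.
ISOLATE_CATEGORIES = {"PRIVILEGE_ESCALATION", "MALICIOUS_BINARY"}


def parse_pod_resource(resource_name):
    """Return project/location/cluster/namespace/pod from a GKE pod resource name, or None."""
    m = POD_RESOURCE_RE.match(resource_name or "")
    return m.groupdict() if m else None


def quarantine_policy(namespace, pod):
    """Deny-all NetworkPolicy for pods carrying the quarantine label.

    Listing both policy types with no ingress/egress rules blocks traffic in both
    directions while keeping the pod alive for forensics.
    """
    key, value = QUARANTINE_LABEL
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"quarantine-{pod}", "namespace": namespace},
        "spec": {"podSelector": {"matchLabels": {key: value}},
                 "policyTypes": ["Ingress", "Egress"]},
    }


def plan_response(finding):
    """Decide what to do with one finding; returns a dict describing the action."""
    if finding.get("state") != "ACTIVE":
        return {"action": "none", "reason": "finding is not active"}
    target = parse_pod_resource(finding.get("resourceName"))
    if target is None:
        return {"action": "investigate", "reason": "resource is not a GKE pod"}
    category, severity = finding.get("category"), finding.get("severity")
    if category not in ISOLATE_CATEGORIES or severity not in ("CRITICAL", "HIGH"):
        return {"action": "investigate", "target": target,
                "reason": f"{category} at {severity} needs analyst review"}
    key, value = QUARANTINE_LABEL
    return {
        "action": "isolate",
        "target": target,
        "label_patch": {"metadata": {"labels": {key: value}}},  # applied to the pod first
        "network_policy": quarantine_policy(target["namespace"], target["pod"]),
    }


# Constructed sample: the scenario's pod that tried to mount the host filesystem.
SAMPLE_FINDING = {
    "category": "PRIVILEGE_ESCALATION", "severity": "HIGH", "state": "ACTIVE",
    "resourceName": "//container.googleapis.com/projects/shop-prod/zones/us-central1-a"
                    "/clusters/storefront/k8s/namespaces/checkout/pods/cart-api-7d9f",
}

if __name__ == "__main__":
    print(json.dumps(plan_response(SAMPLE_FINDING), indent=2))
```

The pod is labelled and then selected by label because a NetworkPolicy's `podSelector` matches labels, not pod names. A policy that lists both `Ingress` and `Egress` with no rules denies all traffic in both directions yet leaves the pod running, so memory and filesystem state remain available for investigation; that is why quarantine, rather than deletion, is the safer first automated response.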

Enterprise Scenario 3: Third-Party Vulnerability Scanning

A healthcare company uses SCC Premium to integrate with Qualys for vulnerability scanning. They configure Qualys to scan their Compute Engine instances and push findings to SCC via the Security Health Analytics API. Now, all vulnerability data appears in a single dashboard alongside Google Cloud's native findings. They use SCC's IAM to grant the Qualys service account the Security Center Findings Editor role. They set up a notification for critical vulnerabilities. This integration reduces tool sprawl. However, they must ensure that the third-party findings are properly categorized and not duplicated. A common issue is misconfigured API permissions leading to missing findings.

How ACE Actually Tests This

What the ACE Exam Tests

The ACE exam (Objective 5.2) tests your ability to differentiate between SCC Standard and Premium and to enable and use Premium features. Specific areas:
- Organization-level vs. project-level: Premium is organization-level; Standard is project-level.
- Key features exclusive to Premium: Event Threat Detection, Container Threat Detection, custom modules, Access Transparency, third-party integrations.
- Security Health Analytics: Both tiers have it, but Premium has more detectors (150+ vs. 50).
- Web Security Scanner: Available in both, but Standard has limited scanning.
- Notifications: How to create Pub/Sub notifications for findings.
- IAM roles: Security Center Admin vs. Security Center Findings Viewer.

Common Wrong Answers

1. "SCC Premium can be enabled at the project level." – Wrong. Premium must be enabled at the organization level. Standard works at the project level.

2. "Event Threat Detection is available in SCC Standard." – Wrong. ETD is only in Premium.

3. "Web Security Scanner is only available in Premium." – Wrong. It's available in both, but Standard has limited capabilities.

4. "Security Health Analytics is identical in both tiers." – Wrong. Premium has more detectors.

Numbers and Values to Memorize

Number of Security Health Analytics detectors: ~50 (Standard) vs. ~150+ (Premium)

Retention of findings: 90 days

Event Threat Detection latency: ~2-5 minutes

Container Threat Detection uses eBPF

Roles: roles/securitycenter.admin (full), roles/securitycenter.findingsViewer (read)

Edge Cases

If you have a folder-level SCC Premium, it still requires organization-level activation.

SCC Premium can be used with VPC Service Controls to prevent data exfiltration.

Custom modules for Security Health Analytics are a Premium feature; you write rules in CEL.

Access Transparency logs show Google staff access; only available in Premium.

Third-party integrations require the partner to push findings via API; you must grant the partner the Security Center Findings Editor role.

How to Eliminate Wrong Answers

When you see a question about enabling a feature, ask: "Is this feature exclusive to Premium?" If yes, then the answer must involve enabling Premium at the organization level. If the question mentions "project-level", it's likely Standard. For threat detection (Event Threat Detection, Container Threat Detection), always choose Premium. For misconfiguration scanning (Security Health Analytics), both tiers have it, but Premium has more detectors. For notifications, both tiers support Pub/Sub, but the number of notifications may be limited in Standard (not explicitly tested).

Key Takeaways

SCC Premium is enabled at the organization level, not project level.

Event Threat Detection and Container Threat Detection are Premium-only features.

Security Health Analytics in Premium has ~150 detectors vs. ~50 in Standard.

Container Threat Detection uses eBPF and requires no agent installation on GKE.

Findings are retained for 90 days; export to BigQuery for longer retention.

Third-party integrations are only available in Premium.

Custom Security Health Analytics modules (CEL) are a Premium feature.

Access Transparency logs are only available with Premium.

IAM roles: `roles/securitycenter.admin` for full control; `roles/securitycenter.findingsViewer` for read-only.

Notifications can be configured via Pub/Sub for findings in both tiers, but Premium allows more advanced filtering.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SCC Standard

Free of charge

Project-level enablement

~50 Security Health Analytics detectors

Basic Web Security Scanner

No Event Threat Detection or Container Threat Detection

No third-party integrations

No custom modules for health analytics

No Access Transparency logs

SCC Premium

Paid (per resource per month)

Organization-level enablement

~150+ Security Health Analytics detectors

Full Web Security Scanner

Includes Event Threat Detection and Container Threat Detection

Supports third-party integrations (e.g., Qualys, Palo Alto)

Supports custom modules (CEL rules)

Includes Access Transparency logs

Watch Out for These

Mistake

SCC Premium can be enabled on a per-project basis.

Correct

SCC Premium must be enabled at the organization level. You can then use IAM to limit which projects or folders have access to Premium features, but the activation is at the org level.

Mistake

Event Threat Detection is part of SCC Standard.

Correct

Event Threat Detection is a Premium-only feature. Standard only includes basic Security Health Analytics and Web Security Scanner.

Mistake

Container Threat Detection requires installing an agent on GKE nodes.

Correct

Container Threat Detection uses eBPF built into the Linux kernel and runs as a managed component on GKE nodes. No agent installation is needed.

Mistake

Security Health Analytics is the same in both tiers.

Correct

Standard has ~50 detectors; Premium has ~150+. Premium also supports custom modules (CEL rules) for custom checks.

Mistake

Findings are retained indefinitely.

Correct

Findings are retained for 90 days. For longer retention, you must export them to BigQuery or a SIEM.


Frequently Asked Questions

How do I enable Security Command Center Premium?

You must have Organization Administrator or Security Center Admin role. Go to Security > Security Command Center > Settings in the GCP Console and click 'Enable Premium'. You can also use the gcloud command: `gcloud scc organizations update --organization=ORG_ID --enable-premium`. Premium is enabled at the organization level, not per project.

What is the difference between Event Threat Detection and Security Health Analytics?

Security Health Analytics checks for misconfigurations and vulnerabilities in your cloud resources (e.g., open firewall ports, public buckets). Event Threat Detection analyzes logs in real-time to detect active threats like compromised credentials, crypto mining, or brute force attacks. Both are part of SCC Premium, but Security Health Analytics also has a limited version in Standard.

Does Container Threat Detection require any agent installation?

No. Container Threat Detection uses eBPF (extended Berkeley Packet Filter) which is a kernel feature. It runs as a managed component on GKE nodes. You only need to ensure your GKE cluster has Workload Identity enabled and is registered with SCC.

How long are findings retained in Security Command Center?

Findings are retained for 90 days. After that, they are automatically deleted. For long-term retention, you should export findings to BigQuery, Cloud Storage, or a SIEM using Cloud Logging exports or Pub/Sub.

Can I use SCC Premium with VPC Service Controls?

Yes. SCC Premium can be used within a VPC Service Perimeter to protect findings from exfiltration. You can configure SCC to only be accessible from within the perimeter. This is a common requirement for regulated industries.

What IAM roles are needed to view findings?

To view findings, you need the `Security Center Findings Viewer` role (`roles/securitycenter.findingsViewer`) at the organization, folder, or project level. To manage SCC settings, you need `Security Center Admin` (`roles/securitycenter.admin`) or `Organization Administrator`.

Can I create custom Security Health Analytics detectors in SCC Standard?

No. Custom modules (detectors) are a Premium feature. In Standard, you can only use the built-in detectors. In Premium, you can write custom rules using Common Expression Language (CEL) to check for specific configurations.

